[Mailman-Users] Authenticated Received Chain in Mailman?

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Thu Jun 8 02:56:12 EDT 2017

Joseph Brennan writes:

 > Wonderful, another offering of "This document is not an Internet
 > Standards Track specification; it is published for informational
 > purposes" adding further complexity to email in a mad attempt to make
 > up for the "potential" (?) problems that the previous "informational"
 > one (DMARC) has done to mailing lists.

Have you actually participated in IETF decision-making?  It's complex
and political.

I am not pleased with Yahoo! and AOL, but at least they're honest
about what they've done.  On the other side, there are Certain Parties
who show up every time mail abuse gets discussed, arguing for
solutions that are as bad as the disease (not to mention scaling
poorly).  It could be worse (the IETF could be run by the Republican
Party), but it wouldn't be *much* worse.  There's also the problem
that it's not clear whether the 800-lb gorillas would be willing to go
along with some of the changes that the Reasonable People Among Us
seemed to favor.  This way, at least we have a standard.

Furthermore, IMHO, as Internet standards go (whether "Standards Track"
or "Informational") DMARC is a high quality standard, something that
people will be willing to conform to with little ambiguity.
Admittedly, it has been abused by at least two large providers, but
not to the extent nor the harm that RFCs 821 and 822 have. :-/

ARC is also looking to be a good standard, potentially useful for
mailing lists, and it's being pushed by the same large providers who
are problems (real and potential) for mailing lists.  If Yahoo! and
AOL come on board in a timely fashion, ARC will help a lot.  My
expectation is that Yahoo! will be there, although their financial
situation exudes the stench of reorganization.  AOL is more dubious.
Good intentions from their IETF delegates, but they've had severe
staffing problems in the not-so-distant past.

 > It would be too easy for email-reading software to show me the address
 > of the sender and the name of the system that handed the message to my
 > system, and let me use my own common sense to decide whether it's
 > spoofed.

Sure, but you *have* common sense.  There's good empirical support for
the phrase "more money than brains", you know.  And let's not forget
that a sadly large fraction of the vulnerable are elderly, with no
chance of recovering from a financial loss by earning more.  Finally,
although the high-profile political phishing was done by APTy
entities, who can probably suborn your DNS, that's not true of many of
the lesser, purely profit-oriented or malicious, threats.  But the
social engineering skill needed to craft such phishing messages is
widely distributed, including among garden-variety stalkers-in-the-

YMMV, but after talking to the people who have the data about the
average bloke, and watching relatively well-educated people fall like
dominos for phishing emails, I've come around to the idea that DMARC
is a very useful tool.  Shame about *my* ox, of course.

To sum up, I too wish that we could go back to the days of "friendly
networks", but DMARC + ARC is not all that bad a way to play the cards
that spammers and phishers deal us.
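The two mechanisms the post weighs, DMARC's identifier alignment (which is what breaks when a Mailman list re-sends a subscriber's message) and the results an ARC set carries forward, can be shown on one relayed message. The following is an added example written for this page; it is not Mailman code and not anything from the thread. All domains, hosts and header values are constructed; the organizational-domain rule is simplified to "last two labels" instead of a Public Suffix List lookup, and the ARC chain is taken as trusted (cv= and the ARC-Seal signatures are not verified), both of which a real evaluator must do properly.

```python
"""DMARC identifier alignment (RFC 7489, section 3.1) on a message relayed
through a mailing list, plus the original verdicts an ARC set (RFC 8617)
carries forward. Example written for this page; not Mailman code.
Domains, hosts and header values are constructed. Simplifications:
organizational domain = last two labels (real code uses the Public Suffix
List); the ARC chain is assumed valid (no ARC-Seal verification)."""
import email
import email.utils
from email import policy


def org_domain(domain):
    """Simplified organizational domain: last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') or strict ('s') identifier alignment."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value):
    """Parse an (ARC-)Authentication-Results value into
    (instance or None, authserv-id, [(method, result, {ptype.prop: value})]).
    Handles the shapes used here; it is not a full RFC 8601 parser."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    instance = None
    if parts[0].startswith("i="):          # ARC-Authentication-Results carries i=
        instance = int(parts[0][2:])
        parts = parts[1:]
    authserv = parts[0].split()[0]
    results = []
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, result = tokens[0].split("=", 1)
        props = {k: v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)}
        results.append((method.lower(), result.lower(), props))
    return instance, authserv, results


def alignment_check(from_dom, results, adkim="r", aspf="r"):
    """DMARC passes if a passing DKIM d= or the passing SPF MailFrom domain
    aligns with the RFC5322.From domain."""
    reasons, passed = [], False
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim":
            d, mode = props.get("header.d", ""), adkim
        elif method == "spf":
            d, mode = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1], aspf
        else:
            continue
        ok = aligned(d, from_dom, mode)
        passed = passed or ok
        reasons.append(f"{method}=pass {d} aligned={ok}")
    return passed, reasons


def evaluate(raw, our_authserv, adkim="r", aspf="r"):
    """Return the receiver's own DMARC alignment verdict and, if an ARC set
    is present, the verdict the first ARC hop recorded before it altered
    the message (a trusting receiver may use that to override DMARC)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1]
    direct = []
    for hdr in msg.get_all("Authentication-Results") or []:
        _, authserv, res = parse_auth_results(str(hdr))
        if authserv == our_authserv:       # trust only our own MTA's verdicts
            direct.extend(res)
    direct_ok, direct_why = alignment_check(from_dom, direct, adkim, aspf)
    arc_ok, arc_why = None, []
    sets = [parse_auth_results(str(h))
            for h in msg.get_all("ARC-Authentication-Results") or []]
    if sets:                               # lowest i= is the earliest hop
        _, _, res = min(sets, key=lambda s: s[0])
        arc_ok, arc_why = alignment_check(from_dom, res, adkim, aspf)
    return {"from_domain": from_dom, "dmarc": direct_ok, "dmarc_why": direct_why,
            "arc_original": arc_ok, "arc_why": arc_why}


# Constructed sample: alice@bank.example posts to a list at lists.example.org,
# which tags the Subject and adds a footer (breaking Alice's DKIM signature),
# then re-sends with its own envelope sender, DKIM signature and ARC set.
# Signature values are placeholders; nothing here verifies them.
LIST_RELAYED = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.org; s=arc; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mailfrom=alice@bank.example; dkim=pass header.d=bank.example
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=users-bounces@lists.example.org; dkim=fail header.d=bank.example; dkim=pass header.d=lists.example.org
From: Alice <alice@bank.example>
To: users@lists.example.org
Subject: [Users] hello

hello list
"""

if __name__ == "__main__":
    print(evaluate(LIST_RELAYED, "mx.example.net"))
```

Run as-is, the receiver's own check fails: SPF passes only for the list's bounce domain and the only passing DKIM signature is the list's, neither aligned with bank.example, which is exactly the case a p=reject policy turns into a bounce for every subscriber. The i=1 ARC-Authentication-Results, written by the list when the message arrived, still shows SPF and DKIM passing for bank.example; a receiver that has validated the chain and trusts lists.example.org as a sealer can use that to accept the message despite the DMARC failure.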
