[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Mark Sapiro mark at msapiro.net
Thu Jul 19 17:40:12 EDT 2018


On 07/19/2018 02:11 PM, John Levine wrote:
> In article <c5d1335d-0762-8a85-3257-239d5e2e46d6 at spamtrap.tnetconsulting.net> you write:
>> Yes.  Just about everything can be spoofed to some degree.  It really 
>> depends on what information the owner of the purported sending domain 
>> publishes and what filtering / consumption of said information the 
>> receiving server exercises.
> 
> Well, you know, this is what DMARC is intended to address.


Actually, DMARC is intended to address spoofing of domains and needs to
be configured by the domain owner publishing a DMARC policy.

DMARC checks won't help prevent posts that spoof a member address unless
every list member's domain publishes a DMARC policy of quarantine or
reject, and even then it only checks the From: domain and not the domain
of other addresses Mailman might use to determine list membership.

Further, a post with spoofed local part sent by someone in the same
domain might pass DMARC if sent via the domain's servers.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


More information about the Mailman-Users mailing list