[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Fri Jul 20 03:24:52 EDT 2018

Mark Sapiro writes:

 > The problem is downstream has to trust me. If I'm gmail.com, I'll
 > probably be trusted. If I'm msapiro.net, probably not. Python.org, who
 > knows.

The problem is the same butt-lazy admins that caused you to implement
DKIM-stripping.[1]  Google and (AFAIK) Yahoo! and Microsoft will trust
you by default.

In fact, I snafued a couple weeks back, exposed my Mailman server to
the joe-jobbing via web subscription backscatter, and was immediately
interdicted by Microsoft.  Fixed the problem, went to Microsoft, and
immediately mail started flowing again and has ever since.

So I think ARC is in practice going to be trusted by default, at least
until the first big spammer exploit taking advantage of that trust.

[1]  In many cases, Authentication-Results should be stripped by the
domain-edge MTA, and RFC 7601 discusses when that really must be done,
and the pros and cons of doing it in general.

More information about the Mailman-Users mailing list