[Mailman-Users] non-subscribers getting through--email address in "Real Name"
Stephen J. Turnbull
turnbull.stephen.fw at u.tsukuba.ac.jp
Fri Jul 20 03:24:52 EDT 2018
Mark Sapiro writes:
> The problem is downstream has to trust me. If I'm gmail.com, I'll
> probably be trusted. If I'm msapiro.net, probably not. Python.org, who
> knows.
The problem is the same butt-lazy admins that caused you to implement
DKIM-stripping.[1] Google and (AFAIK) Yahoo! and Microsoft will trust
you by default.
In fact, I snafued a couple weeks back, exposed my Mailman server to
the joe-jobbing via web subscription backscatter, and was immediately
interdicted by Microsoft. Fixed the problem, went to Microsoft, and
immediately mail started flowing again and has ever since.
So I think ARC is in practice going to be trusted by default, at least
until the first big spammer exploit taking advantage of that trust.
Footnotes:
[1] In many cases, Authentication-Results should be stripped by the
domain-edge MTA, and RFC 7601 discusses when that really must be done,
and the pros and cons of doing it in general.
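To illustrate the footnote's point about stripping Authentication-Results at the domain edge, here is an added Python example; it is not from the post, from Mailman, or from any MTA. It assumes a placeholder local authserv-id `lists.example.org` and a constructed inbound message, and removes only those Authentication-Results fields that claim to have been written by the local site (the forgery RFC 7601 section 5 warns about), keeping fields that name other authserv-ids.

```python
import email
import email.policy
import re

# Constructed placeholder: the authserv-id this site writes into its own
# Authentication-Results fields (the "authserv-id" of RFC 7601).
LOCAL_AUTHSERV_ID = "lists.example.org"

# The authserv-id is the first token of the field value, optionally followed
# by a version number, then ';' and the method/result pairs.
_AUTHSERV_RE = re.compile(r"^\s*([^\s;()]+)")


def authserv_id_of(value: str) -> str:
    """Return the lower-cased authserv-id at the start of an A-R field value."""
    m = _AUTHSERV_RE.match(value)
    return m.group(1).lower() if m else ""


def strip_forged_auth_results(raw: str, local_id: str = LOCAL_AUTHSERV_ID):
    """Remove inbound Authentication-Results fields that claim our authserv-id.

    Only the border MTA legitimately writes A-R fields naming this site, so a
    message arriving from outside that already carries one is a forgery that
    internal filters might otherwise trust. Fields naming other authserv-ids
    are left alone here (RFC 7601 also permits stripping all of them).

    Returns (new_message_text, kept_authserv_ids, removed_count).
    """
    msg = email.message_from_string(raw, policy=email.policy.default)
    existing = msg.get_all("Authentication-Results", [])
    kept_values = [str(v) for v in existing
                   if authserv_id_of(str(v)) != local_id.lower()]
    removed = len(existing) - len(kept_values)
    # del drops every occurrence; the surviving fields are re-added and land
    # after the other headers, which is acceptable for trace-style fields.
    del msg["Authentication-Results"]
    for v in kept_values:
        msg["Authentication-Results"] = v
    return msg.as_string(), [authserv_id_of(v) for v in kept_values], removed


# Constructed sample: two fields forge the local authserv-id (one with a
# version number and different case), one is from an unrelated relay.
SAMPLE_INBOUND = (
    "From: someone@example.com\n"
    "To: list@lists.example.org\n"
    "Authentication-Results: lists.example.org; dkim=pass header.d=example.com\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com\n"
    "Authentication-Results: LISTS.EXAMPLE.ORG 1; dmarc=pass\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    text, kept, removed = strip_forged_auth_results(SAMPLE_INBOUND)
    print(f"removed {removed} forged field(s); kept authserv-ids: {kept}")
    print(text)
```

The comparison is on the authserv-id token only, so a forged field that appends a version number or changes case is still caught; a production border filter would run this on every message from an external source before any internal component reads the header.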