[Mailman-Users] non-subscribers getting through--email address in "Real Name"
gtaylor at tnetconsulting.net
Tue Jul 24 15:20:00 EDT 2018
On 07/22/2018 04:25 PM, Richard Damon wrote:
> What actions do you think mailing lists are doing improperly?
I personally believe that mailing lists are their own end entity, just
like our individual mailboxes. (Particularly discussion mailing lists.)
I also believe that SPF, DKIM, and DMARC are meant to protect between
said endpoints; message submitter and terminal mailbox.
Thus I think that DKIM and DMARC should be stripped from messages prior
to entering the mailing list. The mailing list does it's thing. Then
DKIM and DMARC are applied anew to the messages as they leave the server
hosting the mailing list.
> Note, the subject modification is a long standing feature of mailing
> list, which is one thing that breaks DMARC, though I might be willing
> to give that up.
Mailing lists, as I view them, are free to mung messages to their hearts
content in the paradigm that I use.
> The modification of the message body to add a header or footer is also
> common, and in some places effectively required by law.
Such is perfectly compatible with my paradigm.
> If AOL and Yahoo just used the quarantine option for DMARC, it wouldn’t
> have been quite as bad. But they ABUSED DMARC by their settings.
I still don't grok what you are considering "abuse" in this context?
Rather than speculating, please clarify what the abusive activity was.
> By the design of DMARC, AOL and Yahoo should have informed their users
> that they were changing the Terms of Service of their email systems,
> and now all their users are effectively prohibited to use any form
> of re-mailing systems, including most forms of (external) mailing
> lists. Instead they just told the world, we aren’t going to follow
> the normal rules, you deal with it.
I have a different interpretation.
My understanding is that AOL and Yahoo leveraged DMARC to expressly
identify messages that originated from AOL and Yahoo. Or said another
way, they leveraged DMARC to make it easy for receiving servers to
identify messages that are not being sent from AOL or Yahoo servers
/during/ that current SMTP transaction.
I feel the need to insert a nod towards the fact that postmasters are
free to run their infrastructure the way that they see fit.
I also do not feel like the terms of service between AOL or Yahoo and
their end users changed.
AOL and Yahoo simply published information to make it easier for the
world to identify if messages in the scope of an SMTP session are coming
from AOL or Yahoo servers. They also published their desire for
receiving servers to reject messages that don't pass said published
Did they do so knowing that there would likely be a problem with
traditional .forward(ing) and mailing lists? Quite likely. Was an
internal business decision made that publishing such information and
dealing with the ramifications of .forward(ing) and mailing lists more
important than allowing bad actors to continue pretending to be AOL or
Yahoo? Extremely likely.
IMHO AOL and Yahoo made a business decision. Would you make the same
business decision? Maybe, maybe not.
Note: Both AOL's and Yahoo's business decision works perfectly fine in
> Yes, there is a fundamental issue with email that it is easy to
> spoof. Fixing it is going to be a significant issue, and possible a
> complete recreation of the system.
I don't see a specific need to recreate the system.
> The issue is that to create such a new system is a major job. Such a
> redesign would need to look at ALL current uses and either decide that
> such uses were no longer valid or to accommodate them.
I am interested to see what others would propose that offers the same
good points of our existing system (SMTP) without any (or at least
fewer) bad points.
> DMARC somewhat intentionally did not consider mailing list, because they
> didn’t have a good solution to handle them, and their intended usage,
> the protection of ‘valuable’ mail somewhat excluded the use of such
I think you and I have a fundamentally different view of what is being
protected and not.
In my view, SPF, DKIM, and DMARC do a perfectly fine job of protecting
messages between the sender and the mail recipient that they specify.
In your view (as I understand it), SPF, DKIM, and DMARC do a
questionable job protecting messages between the sender and the ultimate
mail recipient through an unknown number of intermediaries that may
forward and / or expand to one or more other, different, recipients than
the sender stated.
IMHO, much like STARTTLS protects a segment of the over all
communications path between the sender and the ultimate recipient(s),
SPF, DKIM, and DMARC only protect one portion. And I happen to think
that they do it well.
> It basically required that any service that wanted to use DMARC needed to
> separate valuable protected mail from less valuable mail with different
> domains. AOL and YAHOO just decided to ignore that in their use of it.
I disagree with the idea of /needing/ to apply different levels of
security to different domains based on their (primary) use. I have no
objection if people /want/ to apply different levels of security to
different domains. IMHO they should not be required to do so.
I also object to the thought that individuals (humans) sending email
aren't eligible to the same level of protection as other services
(non-humans) because we as email administrators can't figure out how to
make things work in a way that supports both.
Grant. . . .
unix || die
More information about the Mailman-Users