[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Grant Taylor gtaylor at tnetconsulting.net
Tue Jul 24 15:20:00 EDT 2018


On 07/22/2018 04:25 PM, Richard Damon wrote:
> What actions do you think mailing lists are doing improperly?

I personally believe that mailing lists are their own end entity, just 
like our individual mailboxes.  (Particularly discussion mailing lists.)  
I also believe that SPF, DKIM, and DMARC are meant to protect between 
said endpoints; message submitter and terminal mailbox.

Thus I think that DKIM and DMARC should be stripped from messages prior 
to entering the mailing list.  The mailing list does its thing.  Then 
DKIM and DMARC are applied anew to the messages as they leave the server 
hosting the mailing list.

> Note, the subject modification is a long standing feature of mailing 
> lists, which is one thing that breaks DMARC, though I might be willing 
> to give that up.

Mailing lists, as I view them, are free to mung messages to their hearts' 
content in the paradigm that I use.

> The modification of the message body to add a header or footer is also 
> common, and in some places effectively required by law.

Agreed.

Such is perfectly compatible with my paradigm.

> If AOL and Yahoo just used the quarantine option for DMARC, it wouldn’t 
> have been quite as bad. But they ABUSED DMARC by their settings.

I still don't grok what you are considering "abuse" in this context?

Rather than speculating, please clarify what the abusive activity was.

> By the design of DMARC, AOL and Yahoo should have informed their users 
> that they were changing the Terms of Service of their email systems, 
> and now all their users are effectively prohibited to use any form 
> of re-mailing systems, including most forms of (external) mailing 
> lists. Instead they just told the world, we aren’t going to follow 
> the normal rules, you deal with it.

I have a different interpretation.

My understanding is that AOL and Yahoo leveraged DMARC to expressly 
identify messages that originated from AOL and Yahoo.  Or said another 
way, they leveraged DMARC to make it easy for receiving servers to 
identify messages that are not being sent from AOL or Yahoo servers 
/during/ that current SMTP transaction.

I feel the need to insert a nod towards the fact that postmasters are 
free to run their infrastructure the way that they see fit.

I also do not feel like the terms of service between AOL or Yahoo and 
their end users changed.

AOL and Yahoo simply published information to make it easier for the 
world to identify if messages in the scope of an SMTP session are coming 
from AOL or Yahoo servers.  They also published their desire for 
receiving servers to reject messages that don't pass said published 
information.

Did they do so knowing that there would likely be a problem with 
traditional .forward(ing) and mailing lists?  Quite likely.  Was an 
internal business decision made that publishing such information and 
dealing with the ramifications of .forward(ing) and mailing lists was 
more important than allowing bad actors to continue pretending to be AOL 
or Yahoo?  Extremely likely.

IMHO AOL and Yahoo made a business decision.  Would you make the same 
business decision?  Maybe, maybe not.

Note:  Both AOL's and Yahoo's business decision works perfectly fine in 
my paradigm.

> Yes, there is a fundamental issue with email that it is easy to 
> spoof. Fixing it is going to be a significant issue, and possibly a 
> complete recreation of the system.

I don't see a specific need to recreate the system.

> The issue is that to create such a new system is a major job. Such a 
> redesign would need to look at ALL current uses and either decide that 
> such uses were no longer valid or to accommodate them.

I am interested to see what others would propose that offers the same 
good points of our existing system (SMTP) without any (or at least 
fewer) bad points.

> DMARC somewhat intentionally did not consider mailing lists, because they 
> didn’t have a good solution to handle them, and their intended usage, 
> the protection of ‘valuable’ mail somewhat excluded the use of such 
> services.

I think you and I have a fundamentally different view of what is being 
protected and not.

In my view, SPF, DKIM, and DMARC do a perfectly fine job of protecting 
messages between the sender and the mail recipient that they specify.

In your view (as I understand it), SPF, DKIM, and DMARC do a 
questionable job protecting messages between the sender and the ultimate 
mail recipient through an unknown number of intermediaries that may 
forward and / or expand to one or more other, different, recipients than 
the sender stated.

IMHO, much like STARTTLS protects a segment of the overall 
communications path between the sender and the ultimate recipient(s), 
SPF, DKIM, and DMARC only protect one portion.  And I happen to think 
that they do it well.

> It basically required that any service that wanted to use DMARC needed to 
> separate valuable protected mail from less valuable mail with different 
> domains. AOL and YAHOO just decided to ignore that in their use of it.

I disagree with the idea of /needing/ to apply different levels of 
security to different domains based on their (primary) use.  I have no 
objection if people /want/ to apply different levels of security to 
different domains.  IMHO they should not be required to do so.

I also object to the thought that individuals (humans) sending email 
aren't eligible for the same level of protection as other services 
(non-humans) because we as email administrators can't figure out how to 
make things work in a way that supports both.



-- 
Grant. . . .
unix || die
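
The strip-then-modify step described in the message above, as an added example that is not part of the original post: it computes the DKIM body hash (the `bh=` tag, relaxed canonicalization per RFC 6376) before and after a list footer is appended, showing why the inbound signature cannot survive list processing and is removed; re-signing with the list's own key is left to the outbound signer. The function names, the `example.org` message and the placeholder signature values are constructed for illustration.

```python
import base64, hashlib, re
from email import message_from_string
from email.policy import default

def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of space/tab to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares against the bh= tag (rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def list_process(raw: str, tag: str, footer: str):
    """Hypothetical list pipeline: strip inbound DKIM, then tag and add footer."""
    msg = message_from_string(raw, policy=default)
    bh_in = body_hash(msg.get_payload().encode())
    del msg["DKIM-Signature"]              # removes every occurrence
    msg.replace_header("Subject", f"{tag} {msg['Subject']}")
    msg.set_payload(msg.get_payload() + footer)
    bh_out = body_hash(msg.get_payload().encode())
    return msg, bh_in, bh_out

# Constructed sample message; the signature values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    " s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "Subject: test\n"
    "\n"
    "Hello list,\n"
    "this is the body.\n"
)

if __name__ == "__main__":
    out, bh_in, bh_out = list_process(SAMPLE, "[Example-List]", "-- \nlist footer\n")
    print("inbound  bh:", bh_in)
    print("outbound bh:", bh_out, "(differs, so the inbound signature cannot verify)")
    print("DKIM-Signature still present:", "DKIM-Signature" in out)
```

Relaxed canonicalization only forgives whitespace changes and trailing blank lines, so any footer changes `bh=`, and the subject tag separately invalidates the header hash when `subject` is listed in `h=`.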