[Mailman-Users] non-subscribers getting through--email address in "Real Name"
Grant Taylor
gtaylor at tnetconsulting.net
Tue Jul 24 20:20:59 EDT 2018
On 07/24/2018 03:16 PM, John Levine wrote:

> Turning it on for aol.com, yahoo.com, and other domains with user
> mailboxes,

So, are you stating that DMARC should NOT be used on domains that
(predominantly) contain end user mailboxes?

> to outsource the pain of the spam they were getting

I'm not completely following you. Are you referring to filtering of
inbound email that AOL / Yahoo / etc. were having to do? If so, I don't
see how publishing DMARC affects that. (I assume that they did not need
to publish records to enhance filtering email from themselves.) Or are
you referring to "the pain" as being the push back / flack from the rest
of the email industry for spoofed messages purporting to be from AOL /
Yahoo / etc?

> due to letting user address books be stolen.

I don't know about AOL's security posture, but I do have a little idea
about how bad Yahoo's was. - I still don't know that I would say that
they allowed it, as in welcomed it.

IMHO it has been trivial to harvest email addresses for a LONG time. As
such, I think that address books are simply a convenient list and not
strictly related. Please correct me if I'm wrong.

> Right, thereby causing a great deal of entirely legitimate mail that
> DMARC cannot describe to go missing, along with a certain amount of spam.

"legitimate mail that DMARC cannot describe" That sounds distinctly
like a problem with the DMARC specification, /not/ with use thereof.

Aside: The (relatively?) recent conversion from analog TV to digital TV
broadcasting in the US comes to mind.

I feel like DMARC requires a paradigm shift in how email is forwarded
and handled by mailing lists. (I'm sure there are some other uses that
I'm forgetting.) Much like the aforementioned conversion from analog TV
to digital TV.

Or similarly the requirement for reverse DNS for mail servers. Personal
opinions aside, it seems as if the email industry has decided that
requiring reverse DNS is a mostly good thing. Or that the good
(slightly) outweighs the bad.

> We've been cleaning up their mess ever since.

I question if the mess is /really/ AOL's or Yahoo's doing, or if instead
the problem was really related to (what I'm going to describe as) a
questionable way of operating that we now must change to play well with
DMARC.

> Yes, they explicitly decided that the costs they imposed on innocent
> bystanders were Not Their Problem.

Please elaborate on what "the cost" is and entails. Are you referring
to anything more than the fallout of not being able to (easily) forward
email in a DMARC compliant manner?

I suspect "imposed on innocent bystanders" and "not their problem" can
also be used to describe requiring reverse DNS, SPF, and DKIM.
--
Grant. . . .
unix || die