[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Mark Sapiro mark at msapiro.net
Tue Jul 24 20:51:58 EDT 2018

On 07/24/2018 05:20 PM, Grant Taylor via Mailman-Users wrote:
> On 07/24/2018 03:16 PM, John Levine wrote:
>> Turning it on for aol.com, yahoo.com, and other domains with user
>> mailboxes,
> So, are you stating that DMARC should NOT be used on domains that
> (predominantly) contain end user mailboxes?

Many of us believe that DMARC was developed for domains such as
financial institutions and others in order to combat phishing attacks.
The developers of the DMARC standard never intended it to be used by
domains that provide email addresses for personal use.

>> to outsource the pain of the spam they were getting
> I'm not completely following you.  Are you referring to filtering of
> inbound email that AOL / Yahoo / etc. were having to do?  If so, I don't
> see how publishing DMARC effects that.  (I assume that they did not need
> to publish records to enhance filtering email from themselves.)  Or are
> you referring to "the pain" as being the push back / flack from the rest
> of the email industry for spoofed messages purporting to be from AOL /
> Yahoo / etc?

The stolen address books were used to send phishing emails purportedly
from the owner of the address book the the addresses in the book.

I.e., a message From: a_known_friend at yahoo.com saying things look at
this great thing I found and a URL to evilsite.com.

> IMHO it has been trivial to harvest email addresses for a LONG time.  As
> such, I think that address books are simply a convenient list and not
> strictly related.  Please correct me if I'm wrong.

Trivial to harvest addresses, but not trivial to know a known associate
to send the mail From:.

> Please elaborate on what "the cost" is and entails.  Are you referring
> to anything more than the fallout of not being able to (easily) forward
> email in a DMARC compliant manner?
> I suspect "imposed on innocent bystanders" and "not their problem" can
> also be used to describe requiring reverse DNS, SPF, and DKIM.

In this context, the innocents are subscribers to mailing lists who find
themselves unsubscribed by bounce processing because their ISPs reject
list posts From: other_users at yahoo.com and the operators of those
mailing lists.

Of course, you seem to feel that these lists were wrong from the
beginning for not claiming authorship of the posts by replacing the
From: header, but at the time, this wasn't even an option for most lists.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list