[Mailman-Developers] feature request: one-click setting to preserve DKIM

Monica Chew mmc at googlers.com
Wed Dec 7 00:48:24 CET 2011


On Tue, Dec 6, 2011 at 1:30 PM, Mark Sapiro <mark at msapiro.net> wrote:
> On 12/5/2011 10:58 AM, Monica Chew wrote:
>
>> For context, I work at Google on Gmail spam, and one of the things we've
>> been doing as an anti-phishing measure is enforcing that mail from certain
>> highly-phished domains must be signed with the DKIM key of the purported
>> sender. We started this several years ago for just ebay and paypal (
>> http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html)
>> and for the last couple of years have been trying to do it for
>> google.com and a handful of other domains as well.
>>
>> A side effect of this has been that mailing-list mailing has been
>> particularly difficult to classify. We've mostly solved the problem for
>> groups that we host, but external mailing lists have been a continual
>> challenge. As a result, many Google employees who want to participate in
>> standards and open source communities have been unable to (see for example
>> http://lists.openid.net/pipermail/openid-general/2009-June/018364.html,
>> where both mail from Google and Facebook employees were not delivered to
>> openid gmail members) with their standard mailing address.
>
> It seems you could solve this particular problem by allowing gmail users
> an option (non-default) to receive such mail with a "phish" warning
> rather than not receiving it at all.

Ah, yes, the old trick of relying on users to correctly identify phish
:) Unfortunately this rarely works well in practice. If the email
looks good (e.g., the spammer just copies a legitimate message and
replaces the login link with a phishing site) then most people
typically don't notice that the URL is a phishing site. Some users
even dig these out of their spam folder, even though the message has a
big red banner at the top.

In any case, a non-default setting is not going to solve the problem
of senders from highly-phished domains to communicate with gmail and
yahoo users through mailman. How would the list members even know to
change this setting?

Thanks,
Monica
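An added example, not part of this thread or of Mailman, of the enforcement rule described above (mail from an enforced domain must carry a verifying DKIM signature from that domain) and of why a list hop that alters the message defeats it. The enforced-domain set, the sample messages, the list's Subject tag, the exact d=/From match and the stand-in verifier used in place of the real cryptographic check are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed set; the thread names only ebay, paypal and google.com as enforced domains.
ENFORCED_DOMAINS = {"ebay.com", "paypal.com", "google.com"}

def parse_dkim_signature(value):
    """Parse a DKIM-Signature value (RFC 6376 tag=value list), tolerating folded lines."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)           # split once: b= values end in '=' padding
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def policy_decision(raw_message, signature_verifies):
    """Return 'not-enforced', 'accept' or 'reject': mail whose From domain is enforced
    must carry a verifying signature whose d= equals that domain (exact match is an
    assumption). signature_verifies(tags) stands in for the external crypto check."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender not in ENFORCED_DOMAINS:
        return "not-enforced"
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_signature(header)
        if tags.get("d", "").lower() == sender and signature_verifies(tags):
            return "accept"
    return "reject"  # unsigned, signature broken in transit, or signed only by a third party
# Constructed sample: a paypal.com message as originally sent (folded signature header).
DIRECT = """From: PayPal <service@paypal.com>
Subject: Receipt
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel1;
 h=from:subject; bh=CONSTRUCTED=; b=ORIGSIG==

Body
"""
# The same message after an (assumed) list hop that tags the Subject and signs as itself;
# the paypal.com signature covered the original Subject, so it no longer verifies.
RELAYED = """From: PayPal <service@paypal.com>
Subject: [list] Receipt
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=l1; h=from:subject; bh=X=; b=LISTSIG==
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel1; h=from:subject; bh=CONSTRUCTED=; b=ORIGSIG==

Body
"""
def still_intact(tags):
    """Stand-in verifier for the samples: only the list's fresh signature is intact."""
    return tags.get("d") == "lists.example.org"
```

A list that left the message untouched and preserved the original signature (the feature this thread asks for) would make the relayed case return "accept" instead.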