[Mailman-Developers] Two more DMARC mitigations

Stephen J. Turnbull stephen at xemacs.org
Fri Jun 13 00:02:09 CEST 2014


Jim Popovitch writes:
 > On Thu, Jun 12, 2014 at 10:18 AM, John Levine <johnl at taugh.com> wrote:
 > 
 > > * Forwarding signature
 > 
 > It seems to me that a non-DMARC subdomain, for users, would be easier and
 > better for all..

No, the mailbox providers already can do that and it's not because
they were caught with their shorts down that they didn't.  They really
really mean "p=reject" for users.  A senior admin at Yahoo! was very
clear on dmarc at ietf that they want their vanilla users covered by
"p=reject" because the threat model (which is not phishing, it's
"recommended by friend" spam) involves user mailboxes.

She also said that (as of a week ago) the attack based on stolen
contact lists was continuing to flood their incoming MXes, despite
over a month of "p=reject" (contrary to AOL's claims that "p=reject"
stopped the attack).  No explanation has been given why the spammers
are continuing to spend their resources on the attack.

 > > * Submit and sign
 > >
 > 
 > Oh god, NO!

Oh, c'mon, Jim.  This is just the evil kind of thing we *want* to do
to AOL!


