[Mailman-Developers] Two more DMARC mitigations
Stephen J. Turnbull
stephen at xemacs.org
Fri Jun 13 03:59:49 CEST 2014
Jim Popovitch writes:
> AND THEN, a (that very same senior admin?)
All are the same person I suppose, Elizabeth Zwicky.
> Yahoo! employee got involved in the DMARC spec and it became the
> bastardized DMARC spec.
Do you have specific complaints?
I like the DMARC spec as it stands. Yahoo! and AOL are abusing it, in
exactly the same way that spammers abuse specs like RFCs 5321 and
5322. And with the same rationale: "because you can't stop us".
But that doesn't make it useless, any more than spammers make the
fundamental standards for email useless. The informational parts of
the protocol are a minor privacy invasion, I guess, but produce very
useful data. Even the policy part is useful IMO. You just have to
interpret it properly. "p=quarantine" == "p=we-have-a-security-
problem-so-don't-trust-unauthenticated-mail-from-our-domain", and
"p=reject" == "p=we-have-a-very-serious-security-problem-so-
unauthenticated-mail-from-our-domain-is-almost-certainly-a-scam".
So tell your Yahoo! users that their mailbox provider has a very
serious security problem, and labelled their posts as "almost certain
scams."[1] :-)
Note that "security problem" here doesn't necessarily mean "security
breached". It can also mean "we are a prominent target", as banks and
other financial institutions are.
Footnotes:
[1] I wouldn't be surprised if for those users whose contact lists
were stolen 99% of the mail sent under their mailbox is from the
spammers. ;-)
More information about the Mailman-Developers
mailing list