[Mailman-Developers] Two more DMARC mitigations
Stephen J. Turnbull
stephen at xemacs.org
Fri Jun 13 09:04:07 CEST 2014

Jim Popovitch writes:
> > What changed that you object to?
>
> One of the original __High-Level Goals__ was:
>
> DMARC is intended to reduce the success of attackers sending
> mail pretending to be from a domain they do not control, with
> minimal changes to existing mail handling at both senders and
> receivers. It is particularly intended to protect transactional
> email, as opposed to mail between individuals.

Actually, that word wasn't present in Murray's original -00 draft, and
was added in two places (along with a definition in terms of "business
transactions") in the -01 draft at the same time Ms Zwicky was added
as editor, in July '13. :-P According to Chrome's search function,
all three uses are still present in the current (April '14) draft (in
section 1.2 "Anti-Phishing" and section 2.1 "High-Level Goals", which
contains exactly the text quoted above).

Based on what I've seen on dmarc@, the word "transactional" has
controversial connotations besides ruling out Yahoo!'s use case. The
problem is that Yahoo!'s problem ("acquaintance-recommended spam") is
a genuine problem, and could be addressed by DMARC "p=reject" if only
Yahoo! users would stop posting to mailing lists. :-) It's not just
business uses.

Although Elizabeth and I aren't on good terms at the moment because of
a difference of opinion about Yahoo!'s behavior, I haven't seen anything
from her that would indicate that she thinks "p=reject" is a *good*
idea ... except that at the moment it's their *only* idea. :-(

Steve