[Mailman-Developers] MM3 DMARC mitigations

Mark Sapiro mark at msapiro.net
Sat Nov 5 12:06:37 EDT 2016 

On 10/31/2016 03:08 PM, Eric Searcy wrote:
> 
> That reminds me.  I have a proposed idea for another nice-to-have, that
> I'm mentioning now in case it has any impact on the architecture you are
> describing.  Some email systems (e.g. Exchange) do not accept any
> inbound email crossing their edge that uses their own From domain.  It's
> like a tiny microcosm of DMARC but only for their domain, and there is
> no way for the outside world to know about their policy.  However, when
> a member of the community says they get all list messages *except those
> from their colleagues*, it's clear they have this kind of setup.  It
> would be great to have a customizable-by-sender-domain munge-or-wrap
> filter that let me add other domains to get the same treatment as
> domains that don't publish DMARC -- even if not needed for general
> receipt of their messages, so that emails to others at the same domain
> on the list can be received.  (This functionality doesn't exist in mm2
> either.)


Adding Mailman-Developers to the recipients.

As I noted in the original thread, this would not be difficult to add,
but it won't be in the initial implementation of DMARC mitigations for
MM 3 (see <https://gitlab.com/mailman/mailman/merge_requests/215> for
more on that).

However, I've just become aware that Microsoft has implemented another
"feature". So far, the info I have is this is limited to their "hosted
mail services", but it may well spread. What they are doing is looking
at incoming mail for signs of spoofing/phishing and if found, they place
a prominent notice

This sender failed our fraud detection checks and may not be who they
appear to be. Learn about spoofing<http://aka.ms/LearnAboutSpoofing>

in the message. The issue for us is that one of the tests is the To: and
From: addresses are the same. That means that any message To: a list
with DMARC mitigations applied will be sent From: the list and any
recipients using these Microsoft services will see that warning in the
list message[1].

How long will it be before this spreads to all Microsoft email services
<sigh>?


[1] I first became aware of this via the thread at
<http://lists.mailscanner.info/pipermail/mailscanner/2016-November/104001.html>.
There it was the poster who saw the warning in his copy of the list
message and mistakenly thought it was a rejection of his post to the
list. The reply at
<http://lists.mailscanner.info/pipermail/mailscanner/2016-November/104017.html>
has interesting info.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20161105/ed82b615/attachment.sig>

More information about the Mailman-Developers mailing list