[Mailman-Users] Add PayPal to DNs publishing DMARC p=reject
Stephen J. Turnbull
stephen at xemacs.org
Wed May 7 05:46:32 CEST 2014
Barry Warsaw writes:
> On May 06, 2014, at 02:15 PM, Stephen J. Turnbull wrote:
>
> >No, the point is that a phishing mail with
> >
> > From: Chase Bank Customer Service <service at chase.com.invalid>
> >
> >will sail right past DMARC, as currently set up.
>
> So too will service at chase.com.ru without Mailman ever getting
> involved, and I bet that will be just as effective at phishing as
> .invalid.

Et tu, FLUFL?

The point is that if Mailman provides this, it becomes a "standard"
way to get a DMARC p=reject address past DMARC p=reject, and people
*may* develop an "it may say .INVALID, but it's OK" reflex.

As I wrote to John Levine on mailman-developers, if operators want to
experiment with it, that's one thing. But does *Mailman* want to take
part in encouraging that "it's OK *because* it's .INVALID" meme? Do
we want to encourage phishers to use something that looks like a
Mailman feature, and have the DMARC WG come back with something that
involves "anything that looks like my domain"?

The DMARC WG advocates putting list-post in "From" in place of a DMARC
p=reject address. I advocate accepting their advice for stock Mailman,
and avoiding other non-conforming workarounds until the market demands
them. If it gets noisy, feel free to cave in faster than you did on
Reply-To munging.<wink />

Steve
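
Added example, not part of the original message and not Mailman's code: a receiver-side sketch of why a From domain with extra trailing labels finds no DMARC policy, how such a domain can be flagged as a lookalike of a protected one, and what the list-post rewrite changes. The policy table, the list address passed in, the last-two-labels organizational domain and the "via list" display name are assumptions made for the illustration.

```python
from email.utils import formataddr, parseaddr

# Constructed stand-in for DNS _dmarc lookups; not real policy data.
PUBLISHED_POLICY = {"chase.com": "reject", "paypal.com": "reject"}


def from_domain(from_header):
    """Domain of the RFC 5322 From address, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def dmarc_policy(from_header):
    """Policy a receiver finds: exact From domain first, then a simplified
    organizational domain (last two labels; real receivers use the PSL)."""
    domain = from_domain(from_header)
    org = ".".join(domain.split(".")[-2:])
    return PUBLISHED_POLICY.get(domain) or PUBLISHED_POLICY.get(org) or "none"


def lookalike_of(from_header):
    """Protected domain that appears in the From domain followed by extra
    labels (chase.com.invalid, chase.com.ru), or None. Real subdomains such
    as mail.chase.com end with the protected domain and are not flagged."""
    dotted = "." + from_domain(from_header)
    for protected in PUBLISHED_POLICY:
        if f".{protected}." in dotted:
            return protected
    return None


def munge_to_list_post(from_header, list_post):
    """Put the list's posting address in From, keeping the author's name.
    The "via list" display-name suffix is an assumption of this sketch."""
    name, addr = parseaddr(from_header)
    return formataddr((f"{name or addr} via list", list_post))


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ("Chase Bank Customer Service <service@chase.com>",
                "Chase Bank Customer Service <service@chase.com.invalid>",
                "Chase Bank Customer Service <service@chase.com.ru>"):
        print(dmarc_policy(hdr), lookalike_of(hdr), hdr)
```

With the list-post rewrite, the domain DMARC evaluates is the list's own, so the list operator's policy and signatures apply and no lookalike of the author's domain appears in From.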