[Mailman-Users] Yahoo Groups' From munging and X-Original-From

Mark Rousell markr at signal100.com
Mon May 26 06:23:20 CEST 2014 

On 26/05/2014 01:31, Mark Sapiro wrote:
> On 05/25/2014 11:31 AM, Mark Rousell wrote:
>>
>> Whilst mail client recognition of the X-Original-From header would
>> alter what users see (which is in fact a key goal in this context,
>> not a bug), DMARC would nevertheless still be effective in terms of
>> its own design goals in that mail servers could still adhere to
>> DMARC and reject or spamfilter non-compliant messages.
>
>
> Until spammers figure out they can send mail
>
> From: spammer at evildomain.com
> X-Original-From: whatever at yahoo.com
>
> DMARC doesn't stop it because evildomain.com doesn't publish a DMARC
> policy, and the 'evolved' MUAs display the message as if it's from
> whatever at yahoo.com, just what DMARC is intended to stop.

Yup, I understand that. However:

a) It seems to me that this or something like it (i.e. new de facto
standard headers to work around the problem) is surely an almost
inevitable outcome anyway.

b) The way things are going all domains will sooner or later publish a
DMARC policy if they want their mail to be accepted anywhere.

c) In fact, I rather assumed in my suggestion (but did not explicitly
state it, apologies) that lack of a DMARC policy (or whatever comes
after DMARC) will, in and of itself, sooner or later have the effect of
massively increasing an email's chance of being rejected or quarantined.

d) It seems very clear that the goal of the DMARC project is for *every*
domain to publish a DMARC policy and they don't care about domains that
don't publish a DMARC policy. Their market volume means that they have
stolen the lead from IETF and others will follow. Something like
X-Original-From is just, in effect, following their lead.

e) It is not our problem. As I said, if "p=reject" DMARC users can
effectively externalise some aspects of their spam problem, it seems
only appropriate and pragmatic for the rest of us to similarly
externalise the problems so created.


In short, X-Original-From becoming a de facto standard would benefit the
users of mail clients receiving mail from legitimate resenders such as
mail lists (admittedly when taken together with a presumption that lack
of DMARC would automatically cause a very high spam score either on
receiving mail servers or in the mail client itself).

I also envisage a UI that highlights the fact that a X-Original-From
header is being used and that the sending domain does not publish a
DMARC policy (in suitably end user-friendly language). A user might be
able to whitelist mail from mail lists known to him/her with a single
click/tap without having to understand the underlying issues.

[I do note that none of this would not alleviate the issue of spam sent
through a mail server that does issue a DMARC policy and correctly
aligns its From field with the policy but that is a separate issue.
Notably it seems to me that DMARC will only increase the attempts by
spammers/scammers to hijack accounts on ESPs like Yahoo!]

I admit that in taking this domineering attitude I am simply following
the technique of social engineering demonstrated by the DMARC group: By
pushing through a change they are forcing others to follow suit and/or
adapt.

It's not how I'd like things to be but we seem to be entering a world
where Internet protocols are driven less by voluntary adherence to
widely agreed standards and more by what some groups can push through.
If one can't beat them, perhaps one should join them in their approach!



-- 
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

More information about the Mailman-Users mailing list