[Mailman-Users] non-subscribers getting through--email address in "Real Name"

[John Levine]

In article <1ca714d0-da89-aa23-d247-4faa2133b591 at msapiro.net> you write:
>DMARC checks won't help prevent posts that spoof a member address unless
>every list member's domain publishes a DMARC policy of quarantine or
>reject, and even then it only checks the From: domain and not the domain
>of other addresses Mailman might use to determine list membership.
>
>Further, a post with spoofed local part sent by someone in the same
>domain might pass DMARC if sent via the domain's servers.

That's all true, and if you want bullet proof spoof resistance, you'd
have to register PGP or S/MIME keys for the subscriber and require
that she sign all her mail.

On the other hand, a lot of domains do DKIM signing or publish SPF,
and the vast majority of fake From: headers I see are from botnets,
not malicious users down the hall from the victim.  So if someone is
experiencing a lot of botnet spoofage, a setting to say that a user's
mail will be authenticated by SPF or DKIM from domain X would get you
about 90% of the effect of S/MIME signing everything with 10% of the
grief.

R's,
John