[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Richard Damon Richard at Damon-family.org
Sun Jul 22 18:25:23 EDT 2018


> On Jul 22, 2018, at 5:11 PM, Grant Taylor via Mailman-Users <mailman-users at python.org> wrote:
> 
>> On 07/22/2018 02:03 PM, John Levine wrote:
>> No, it was specified in full knowledge that it would break pretty much every mailing list on the planet if used on domains with human users, instead of its intended target of notices from robot domains like paypal.com.
> 
> I choose to believe the mailing lists were behaving improperly.
> 
> To me, DMARC (including SPF and DKIM) is a method to determine if a message is coming from the original source (or authorized delegate). Where email is a combination of the message data and SMTP transaction delivering said message.

What actions do you think mailing lists are doing improperly?

Note, the subject modification is a long-standing feature of mailing lists, which is one thing that breaks DMARC, though I might be willing to give that up.

The modification of the message body to add a header or footer is also common, and in some places effectively required by law.

>> That's why we have ARC, once AOL and Yahoo abused it to solve the problem they created when they let crooks steal their users' address books.
> 
> I assume you are referring to "DMARC" when you say "…abused /it/ to solve…".
> 
> I feel like AOL's and Yahoo's actions are just additional gas on the fire that has been burning for a long time.  The problem of bad actors spoofing message senders exists independently of AOL and Yahoo.  Did their (in)actions make the problem worse? Probably.  Did they cause the problem?  No.  Did they exceed critical mass?  I don't think so.  Rather I think it was past the critical mass long before AOL and Yahoo fueled the fire.
> 
> -- 
> Grant. . . .

If AOL and Yahoo just used the quarantine option for DMARC, it wouldn’t have been quite as bad. But they ABUSED DMARC by their settings. By the design of DMARC, AOL and Yahoo should have informed their users that they were changing the Terms of Service of their email systems, and now all their users are effectively prohibited from using any form of re-mailing system, including most forms of (external) mailing lists. Instead they just told the world: we aren’t going to follow the normal rules, you deal with it.

Yes, there is a fundamental issue with email that it is easy to spoof. Fixing it is going to be a significant issue, and possibly a complete recreation of the system. The issue is that to create such a new system is a major job. Such a redesign would need to look at ALL current uses and either decide that such uses were no longer valid or accommodate them. DMARC somewhat intentionally did not consider mailing lists, because they didn’t have a good solution to handle them, and their intended usage, the protection of ‘valuable’ mail, somewhat excluded the use of such services. It basically required that any service that wanted to use DMARC needed to separate valuable protected mail from less valuable mail with different domains. AOL and YAHOO just decided to ignore that in their use of it.
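As an added illustration of the two points made in this reply (a list's Subject tag and footer invalidate the author's DKIM signature, and the domain's published p= policy then decides what the receiver does), the following is example code written for this archive page, not code from the thread or from Mailman. The domain names are constructed and the DMARC logic is simplified to strict (exact-match) alignment.

```python
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of WSP to one
    space, strip trailing WSP, drop trailing empty lines, end lines with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """The bh= value a DKIM signer records; verifiers recompute it."""
    return hashlib.sha256(relaxed_body(body)).hexdigest()


def relaxed_header(name: str, value: str) -> str:
    """Relaxed header canonicalization: lowercase name, unfold, collapse WSP."""
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()


def list_expand(subject: str, body: str, tag: str, footer: str):
    """What a conventional list does: prefix the Subject and append a footer."""
    return f"{tag} {subject}", body + "\n" + footer + "\n"


def dkim_still_valid(signed_subject, signed_body, new_subject, new_body) -> bool:
    """A signature covering Subject and the body survives only if both still
    canonicalize to exactly what the signer hashed (trailing WSP and blank
    lines are tolerated by relaxed canonicalization; real edits are not)."""
    return (relaxed_header("Subject", signed_subject) == relaxed_header("Subject", new_subject)
            and body_hash(signed_body) == body_hash(new_body))


def dmarc_disposition(policy, from_domain, dkim_domain, spf_domain) -> str:
    """Simplified RFC 7489 evaluation: pass if either authenticated identifier
    equals the RFC5322.From domain; otherwise the published p= tag decides."""
    if from_domain in (dkim_domain, spf_domain):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def relay_through_list(policy, from_domain="example.net", list_domain="lists.example.org"):
    """Constructed scenario: a subscriber at from_domain posts, the list edits the
    message and re-sends it from its own MTA, so SPF passes only for list_domain
    and the author's DKIM signature no longer verifies (dkim_domain becomes None)."""
    subject, body = "Meeting notes", "See you Tuesday.  \n"
    new_subject, new_body = list_expand(subject, body, "[Users]", "-- \nList footer")
    dkim_domain = from_domain if dkim_still_valid(subject, body, new_subject, new_body) else None
    return dmarc_disposition(policy, from_domain, dkim_domain, list_domain)


if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        print(f"p={p}: {relay_through_list(p)}")
```

Running it shows the same edited post delivered under p=none, quarantined under p=quarantine and rejected under p=reject, which is the difference between the two policy settings discussed above.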
