IETF Logo Mail Archive

Re: Enough DMARC whinging

Miles Fidelman <mfidelman@meetinghouse.net> Fri, 02 May 2014 12:51 UTC

Return-Path: <mfidelman@meetinghouse.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 237A61A081E for <ietf@ietfa.amsl.com>; Fri, 2 May 2014 05:51:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fV2aRp1qYeAO for <ietf@ietfa.amsl.com>; Fri, 2 May 2014 05:51:20 -0700 (PDT)
Received: from server1.neighborhoods.net (server1.neighborhoods.net [207.154.13.48]) by ietfa.amsl.com (Postfix) with ESMTP id 44C2F1A0764 for <ietf@ietf.org>; Fri, 2 May 2014 05:51:20 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id C126BCC0B7 for <ietf@ietf.org>; Fri, 2 May 2014 08:51:17 -0400 (EDT)
X-Virus-Scanned: by amavisd-new-2.6.2 (20081215) (Debian) at neighborhoods.net
Received: from server1.neighborhoods.net ([127.0.0.1]) by localhost (server1.neighborhoods.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id A1FXUgVF5sRa for <ietf@ietf.org>; Fri, 2 May 2014 08:51:08 -0400 (EDT)
Received: from new-host.home (pool-173-76-155-14.bstnma.fios.verizon.net [173.76.155.14]) by server1.neighborhoods.net (Postfix) with ESMTPSA id 2527BCC097 for <ietf@ietf.org>; Fri, 2 May 2014 08:51:03 -0400 (EDT)
Message-ID: <536394B6.5030805@meetinghouse.net>
Date: Fri, 02 May 2014 08:51:02 -0400
From: Miles Fidelman <mfidelman@meetinghouse.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: Enough DMARC whinging
References: <CAMm+Lwh0Sc2wtvjEAjOMi4emDzyF4JWmmzYr5QEFcmyoKtkTAA@mail.gmail.com> <CAA=duU0i1Ppc-nMeWL-ipms4E4b0wpsSRZdLG+2YhujPgH-ZPQ@mail.gmail.com> <CAMm+LwikJhO5R6UqWx8qUswMptgTw_wF6E6_9Ok=SRYTBChYgA@mail.gmail.com> <CAA=duU3scwm=j2BJ6jq4k5zRQPkXOVOR1UscQqZZ8tG5HEZTwQ@mail.gmail.com> <536113B1.5070309@bbiw.net> <CAMm+LwiXoW3p5uCmML4kAWXnbrrAnSCK9x5U2qeHJdVgR2r_Gg@mail.gmail.com> <536265CE.6090508@dcrocker.net> <53638BBB.5010702@tana.it>
In-Reply-To: <53638BBB.5010702@tana.it>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/81ZomVNwaOpDSxNeDcio-nt9OsY
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 12:51:22 -0000

Alessandro Vesely wrote:
> On Thu 01/May/2014 17:18:38 +0200 Dave Crocker wrote:
>> On 5/1/2014 8:22 AM, Phillip Hallam-Baker wrote:
>>> Spam filters should know about things as important as mailing list
>>> subscriptions.
> +1
>
>> We have about 20 years of spam filtering experience in the industry.
>> The quality of modern filters is astonishingly good; it's the only
>> reason email remains viable for users, in spite of open-Internet spam
>> traffic being far above 90%.
>>
>> I believe that little or none of that filtering includes awareness of
>> mailing list subscriptions.  So while the above is an interesting and
>> possibly useful line of pursuit, it's not clear how it can be elevated
>> to the status of 'should'.
> It is certainly useful to simplify spam filtering.  I think there
> would be consensus on 'should'; not on 'must' because of privacy
> considerations.
>
>> Note that historically, mailing list operators have been resistant to
>> the imposition of technical or operational changes.

Speaking for at least one mailing list operator, who knows a lot more:  
I've ALWAYS implemented quite a bit of controls over our lists - both 
authenticating users before allowing them to join lists, and 
implementing extensive spam filtering at both the MTA and list level.  
The list software we use (Sympa), likewise has multiple spam and virus 
filtering mechanisms, as well as hooks for linking with external 
mechanisms.  I haven't worked with Mailman extensively, but it also has 
spam filtering mechanisms.

Spam is as much, or more of a problem for list operators, as anyone 
else.  What I object to is when someone foists a new mechanism down our 
throats - without any care for breaking things.

Actually, you may have unintentionally phrased this accurately: I (and 
probably other list operators) are "resistant to the IMPOSITION of 
technical or operational changes." Working WITH us, might yield better 
effect.  And there are at least two forms that could have taken:

1. Contribute support (labor/dollars) to write patches to the major 
email list packages, BEFORE turning on restrictive DMARC policies. (We 
are talking about large, well funded corporate entities who have 
invested dollars in developing and implementing DMARC for business 
reasons that presumably have signficant payback).

2. Designing and implementing mechanisms that mitigate the impact on 
mailing lists - for example, whitelists.

3. Actually developing something that plays nice with whitelists - as 
there is now some discussion about (XOAR, whitelists, ....).

> I'm not clear what you mean.  Is there a standard that defines mailing
> lists?
>
There are some that approach it - like the SMTP extensions for 
list-related headers.  I personally think mailing list functionality is 
well enough understood that we could improve on this, and incorporate 
some standard authentication mechanisms in the process.

Personally, I think some kind of standard that allows for:
- separate identification and signing/authentication of author, 
originating MTA, list/forwarder would go a long way (I think this would 
require additional headers and/or standardizing the use of existing 
headers a bit more tightly)
- maybe an extra list header or two regarding reply-to (separate author, 
author-errors, list, list-errors)
- a mechanism that allows a list to modify messages that doesn't break 
incoming signatures, say:
--- separate "original-subject" "subject-with-tags""listname" headers
--- a well-specified way to add a header and/or footer to a message 
(e.g., headers to indicate header-line-count, and footer-line-count)
--- provisions for MIME
--- i.e., a recipient can verify the original message and author, verify 
changes that have been made by a listprocessor, run some checks on the 
diffs, then make a decision on what to do with the message
- maybe some best practices for mail client presentation of information 
to end users

Miles Fidelman



-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

v2.23.0 | Report a Bug | By Email