Re: DMARC: perspectives from a listadmin of large open-source lists

Doug Barton <dougb@dougbarton.us> Mon, 14 April 2014 01:59 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADD6A1A02FB for <ietf@ietfa.amsl.com>; Sun, 13 Apr 2014 18:59:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-b45PGhDFrs for <ietf@ietfa.amsl.com>; Sun, 13 Apr 2014 18:59:24 -0700 (PDT)
Received: from dougbarton.us (dougbarton.us [208.79.90.218]) by ietfa.amsl.com (Postfix) with ESMTP id 598C71A02F8 for <ietf@ietf.org>; Sun, 13 Apr 2014 18:59:24 -0700 (PDT)
Received: from [192.168.4.101] (unknown [67.159.169.102]) by dougbarton.us (Postfix) with ESMTPSA id 9A4C222B1A for <ietf@ietf.org>; Mon, 14 Apr 2014 01:59:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dougbarton.us; t=1397440761; bh=d4ldePIyszqgKaHvpSXSgWCIZt1wu5diibdhLCrC8OA=; h=Date:From:To:Subject:References:In-Reply-To; b=q4XiQFGiTHS4D2/hKX/QEW17SaeSp5HrHs1JbprCeY9X8xaNaXiVggNWYmUhi2+oA /9u53iqDcgIoAq28XGJ7bH5IjX1JT/GKRbsLM73lYJ77PfSQJ29wq/kfSHSNFJjDUl kLXNqDMgkiFIITcDZdCzm85ACyP626AqHluHieX4=
Message-ID: <534B40F8.1000808@dougbarton.us>
Date: Sun, 13 Apr 2014 18:59:20 -0700
From: Doug Barton <dougb@dougbarton.us>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: DMARC: perspectives from a listadmin of large open-source lists
References: <20140413211024.25200.qmail@joyce.lan>
In-Reply-To: <20140413211024.25200.qmail@joyce.lan>
X-Enigmail-Version: 1.6
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/QFk9s67YqRywpQc0tGuXxebAzyQ
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 01:59:25 -0000

On 04/13/2014 02:10 PM, John Levine wrote:
>> Building on the FROM_IS_LIST idea, rather than having the From be
>> rewritten to simply "list@example.com" why not establish a convention
>> (dare I say "standard?") to encode the real from address and list to the
>> left of the @ sign? The rub with DMARC/SPF/DKIM is the domain itself,
>> not the whole address.
>
> This is a minor tweak of the "authenticated phish via on-behalf-of" proposal.

It's not, actually. The defects in XOAR are obvious even to me.

> Spammers can send mail that looks a lot like mailing lists, you know.

What does that have to do with anything? If the message authenticates 
via DMARC/SPF/DKIM then that's a point in its favor in terms of it not 
being spam. If the message comes through with a From: that "looks like a 
mailing list" who cares? Even if that message passes all of the other 
spam filtering mechanisms between it and the user, the user is likely to 
know if they are signed up for a mailing list that the spam message is 
trying to fake, even if it isn't obvious on its face that it's spam to 
start with.

>   From: Paypal Security <security@paypal.com.lists.rbn.ru>

DMARC/SPF/DKIM will actually benefit that message if it has a valid 
signature. Nothing "mailing list" related about it.

> But wait, I have an even better idea, Nobody ever thought of this one!
>
>   From: Paypal Security <security%paypal.com@lists.rbn.ru>

Same here. And again, if the message comes through with a valid 
signature it's less likely to get caught as spam.

Meanwhile, I'm still not proposing that we train users, or even 
anti-spam software to "recognize" or "validate" mailing list addresses. 
What I'm proposing is a way to send mail from a list with From: 
@domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the 
left side of the @ sign to identify the actual sender of the message.

Doug