Re: DMARC: perspectives from a listadmin of large open-source lists

[Doug Barton <dougb@dougbarton.us>]

On 04/13/2014 09:34 PM, John C Klensin wrote:
>
>
> --On Monday, April 14, 2014 00:10 -0400 John R Levine
> <johnl@taugh.com> wrote:
>
>>> Sadly, there are a non-trivial number of MTA installations
>>> whose implementers or operators, having discovered that they
>>> had not seen a legitimate use of the percent hack in years,
>>> decided that they were about as likely to appear in
>>> legitimate messages as source routing and dealt with them
>>> accordingly.  Put more simply, a "%" in a local-part may be
>>> least as likely to get a message rejected or dumped as a
>>> badly specified DMARC record, so the one is really not a very
>>> good cure for the other.
>>
>> Since the percent hack became a famous vector for open relay
>> abuse, so we all stopped honoring it.  A lot of MTAs still
>> reject anything with a % saying something like no more source
>> routing.  Mine does.
>
> Exactly.

Perhaps my suggestion to use the percent sign dragged in some baggage I 
wasn't intending. To be clear, I wasn't suggesting that receiving 
systems do anything special with the address, only that we establish a 
convention/standard for how to encode the real address of the sender for 
mail sent through mailing lists. It could at least by visually inspected 
by recipients, and in theory MUAs could learn to deal with it for 
display and/or reply purposes. If a ! works better than a % to separate 
the sender's address from the list address that's great.

For those that are skeptical of MUAs actually doing this, I agree. 
However in recent memory a non-trivial number of modern MUAs have picked 
up parsing of list headers sufficiently to make "reply to list" buttons 
a reality. So not all hope is lost here.

>> So this would require inventing something with the same
>> semantics as the percent hack, but a different syntax.
>> Perhaps we can use an exclamation point.
>
> I suppose the correct response is "bang, bang, bang,..."
>
> But this takes us back to Ned's point (or at least my
> interpretation of it): it is lots easier to fix a bad DMARC
> config, ignore restrictive DMARC specifications, or even to
> abandon DMARC entirely, than it is to believe that we can
> upgrade every MTA and MUA on the network to start accepting
> percent hacks, bang paths, or the syntax characters used to
> denote them, again.  Or any other strange local-part syntax
> anyone is likely to come up with, e.g., perhaps we could use
> plus signs, hyphens, or appropriately-escaped backslashes.  Or
> we could steal "/" and "=" back from X.400 gateways.  Right.

Well + is out, since that's used by various local filtering solutions.

But your point is well taken ... the "right" answer may be to fix or 
discard DMARC, I honestly don't know. But in a world where DMARC is here 
to stay, or if not DMARC then some other anti-spam solution that breaks 
mailing list forwarding; and in that same world where mailing list 
traffic is negligible (and therefore the cost of breaking mailing lists 
is in the noise compared to the benefits of deploying said anti-spam 
solution) it's incumbent on the mailing list software folks to solve 
this problem.

Doug