IETF Logo Mail Archive

Re: Options for temporary operational solution to DMARC problem

"John Levine" <johnl@taugh.com> Sat, 05 November 2016 05:54 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0454129851 for <ietf@ietfa.amsl.com>; Fri, 4 Nov 2016 22:54:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.561
X-Spam-Level:
X-Spam-Status: No, score=-0.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_24_48=1.34, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Y4x4ViADZwP for <ietf@ietfa.amsl.com>; Fri, 4 Nov 2016 22:54:12 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCCA51296EA for <ietf@ietf.org>; Fri, 4 Nov 2016 22:54:11 -0700 (PDT)
Received: (qmail 56772 invoked from network); 5 Nov 2016 05:54:11 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 5 Nov 2016 05:54:11 -0000
Date: Fri, 04 Nov 2016 02:48:22 -0000
Message-ID: <20161104024822.74577.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: Options for temporary operational solution to DMARC problem
In-Reply-To: <1F305C1D-7228-4084-9F33-8834AAAC82CB@fugue.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/iaQtEh_nAgzRaBm7ZqY4NnWi-rg>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2016 05:54:14 -0000

In article <1F305C1D-7228-4084-9F33-8834AAAC82CB@fugue.com> you write:
>-=-=-=-=-=-
>My understanding is that there are really four possible approaches:
>
>Bounce messages from sites that have p=REJECT; users at those sites have to use some other email address for IETF business.
>Rewrite From: header on messages from sites that have p=REJECT to point at discard address
>Rewrite all From: headers to point at discard address
>Rewrite all From: headers to reply to addresses that forward to senders for senders with p=REJECT

You might want to look at the Mailman documentation since the second
and third of those are wrong, and they've implemented other stuff,
too.

(Here it is: https://wiki.list.org/DEV/DMARC )

Its anti-DMARC header munging puts the list's address in the From:
line, not a discard address.  This has the advantage that replies
don't get lost, with the disadvantage that the usual message display
in a mail program doesn't show who the mail is from, and reply to
author doesn't work.

I tried adding .INVALID to the addresses which worked really badly,
since a lot of spam filters (not unreasonably) dislike From: addresses
with domains that don't resolve.  I can see why one might rewrite a
dev/null address to punish people who use dmarc'ed addresses, but it
seems like a cruel joke.

If the IESG believes that even though we've had this problem for 2 1/2
years, we need to do something about it NOW NOW NOW rather than
waiting a few more months for ARC, I strongly recommend the per-sender
rewrite.  I did that over a year ago for the lists I run, and it works
well.  You can still see who the mail is from, and it doesn't change
the way lists work.  My users are mostly non-technical, and we have
a lot with Yahoo and AOL addresses that get rewritten, and Gmail
addresses where they get delivered.  Most of them don't even notice
the funky .dmarc.fail after the aol.com and yahoo.com addresses.

It does require some extra programming for the forwarding addresses,
but I wrote my version, the address rewriting shim and the daemon that
manages the forwarding addresses, in an afternoon.  It's not hard, and
if it works as well here as it does for me, we might not need to add
ARC headers.

R's,
John

v2.23.0 | Report a Bug | By Email