Re: DMARC: perspectives from a listadmin of large open-source lists

Miles Fidelman <mfidelman@meetinghouse.net> Mon, 14 April 2014 02:57 UTC

Message-ID: <534B4E97.2050000@meetinghouse.net>
Date: Sun, 13 Apr 2014 22:57:27 -0400
From: Miles Fidelman <mfidelman@meetinghouse.net>
To: ietf@ietf.org
Subject: Re: DMARC: perspectives from a listadmin of large open-source lists
References: <20140414024956.26078.qmail@joyce.lan>
In-Reply-To: <20140414024956.26078.qmail@joyce.lan>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/mvi_tXh3P2yBnSGtesGkwfOupAQ
List-Id: IETF-Discussion <ietf.ietf.org>

John Levine wrote:
>> Meanwhile, I'm still not proposing that we train users, or even
>> anti-spam software to "recognize" or "validate" mailing list addresses.
>> What I'm proposing is a way to send mail from a list with From:
>> @domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the
>> left side of the @ sign to identify the actual sender of the message.
> Yes, that's the 1980s percent hack.  Do you really think it's a good
> idea to reinvent it to get around the defects of the FUSSP du jour?
>
> I agree that it's not plausible to train people to recognize mailing
> list addresses.  But what you're proposing is to train people to be
> phished, by telling them that a rewritten address from something that
> looks sort of like a mailing list is equivalent to whatever the
> original address was.  Given that DMARC is supposed to be an
> anti-phishing tool, this completely defeats the point.
>
> R's,
> John

It strikes me that the real way to address some of these issues is to 
add a few new headers to SMTP - to get rid of the overloading of the 
From: and Reply-to: headers associated with mailing lists.  An SMTP 
extension that would absorb some of the well-known and well-understood 
functions of list software.

I have to think a bit about what the full list of headers might be, but 
I'd start with:
From: <original author>
List-From: <mailing list>
Reply-To-Original:
Reply-To-List: <set by list manager>
List-Name:
DKIM signature stuff applied to original message
DKIM signature applied by list server

That might be a start toward a real solution that solves both sets of 
problems.

Then again - it's late, I'm in the middle of doing my taxes - this might 
not make any sense at all.

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
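
The From: rewrite debated in the quoted exchange, as an added example that is not part of the original message: a simplified DMARC relaxed-alignment check applied to list mail before and after a percent-hack style rewrite. The addresses, the `rewrite_from` format and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email.utils import formataddr, parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real DMARC
    # evaluator derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_pass(from_header, spf, dkim_sigs):
    """spf = (MAIL FROM domain, passed); dkim_sigs = [(d= domain, verified)].
    Passes if any authenticated domain aligns (relaxed) with the From: domain."""
    from_dom = org_domain(parseaddr(from_header)[1].rpartition("@")[2])
    spf_ok = spf[1] and org_domain(spf[0]) == from_dom
    dkim_ok = any(ok and org_domain(d) == from_dom for d, ok in dkim_sigs)
    return spf_ok or dkim_ok

def rewrite_from(from_header, list_domain):
    # Hypothetical percent-hack rewrite: author%author-domain@list-domain.
    name, addr = parseaddr(from_header)
    local, _, dom = addr.rpartition("@")
    return formataddr((name, f"{local}%{dom}@{list_domain}"))

def claimed_author(rewritten_from):
    # Recovers the author encoded left of the @. DMARC authenticates only the
    # domain right of the @, so this is the list's unverified claim.
    local = parseaddr(rewritten_from)[1].rpartition("@")[0]
    user, _, dom = local.rpartition("%")
    return f"{user}@{dom}"

# Constructed sample data (not from the thread).
AUTHOR = "Alice <alice@example.com>"
LIST_DOMAIN = "lists.example.org"
DIRECT = dict(spf=("example.com", True), dkim_sigs=[("example.com", True)])
# After the list adds a footer: the author's signature no longer verifies,
# while the list's own envelope sender and signature do.
VIA_LIST = dict(spf=(LIST_DOMAIN, True),
                dkim_sigs=[("example.com", False), (LIST_DOMAIN, True)])

def scenarios():
    rewritten = rewrite_from(AUTHOR, LIST_DOMAIN)
    return {
        "direct": dmarc_pass(AUTHOR, **DIRECT),
        "list, From: unchanged": dmarc_pass(AUTHOR, **VIA_LIST),
        "list, From: rewritten": dmarc_pass(rewritten, **VIA_LIST),
        "rewritten From:": rewritten,
        "claimed author": claimed_author(rewritten),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

The rewritten message passes only because the list's own domain is now the one being evaluated; the author encoded in the local part is never checked by SPF, DKIM or DMARC.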