Re: protecting the Internet from DMARC damage, was perspectives

"Murray S. Kucherawy" <> Tue, 15 April 2014 04:58 UTC

On Mon, Apr 14, 2014 at 6:59 PM, John R Levine <> wrote:

> I've never said that lists won't change, I've said that we're not going to
> screw them up to work around your FUSSP.

It would be great if it were more of a dialog rather than a repeated
exercise in intransigence.  I guess when you're a list, everything looks
like a FUSSP.

Having been involved in things like SPF, DKIM, ADSP, etc. over the years, I
can say that mailing lists always recur as a major obstacle.  "Lists have
been doing what they're doing for N years and they work fine.  You don't
get to mess with them."  That's the mantra.

In DKIM, we even did a whole separate RFC to talk about all the fun ways
lists are a special case.

The specifications of 30 years ago included some neat capabilities for
communication, some of which mailing list servers employ to do what they
do.  I mean, I get that being able to put whatever you want in the From:
field is a feature.  Honest, I do.  But meanwhile, increasingly, bad people
use the very same capabilities to do their hugely expensive harm.  Is it
really the case that the benefit mailing lists (as they are today anyway)
bring to the Internet outweighs the harm of leaving these capabilities wide

There are probably earlier examples, but remember the finger protocol?  In
the 80s and 90s, it was on, and it was harmless, maybe even useful.  Then it
started to get abused and exploited, so we collectively turned it off
because the damage outweighed the benefit.  That practice has been applied
countless times since, to any service that gets rolled out in any context
you can imagine that then gets discovered and exploited by bad actors: We
fix the vulnerability, or we kill the service.  We don't believe in
"substantial non-infringing use" as a reason to keep something bad online.
I can't think of an instance where that's not the case except email abuse,
because we protect mailing lists, which have enjoyed apparent immunity
despite ever-increasing pain to the victims of that abuse with no solution
in sight.

So why do lists get the privilege of being immutable?  Can't there be some
quid pro quo?  Do the people with the problem also have to come up with the
solution, preferably maintaining the status quo for lists, or could it
maybe be more of a cooperative brainstorming thing?  Is it really totally
inconceivable and unacceptable that there has to be some evolution here?

And before anyone tries to claim it, I'm not saying lists are second class
actors, nor am I making any kind of claim about traffic percentage.  I
would just like to understand when and why they were granted this protected
status in standards work that they appear to enjoy.