On 7/10/12 3:07 AM, "[email protected]" <[email protected]> wrote: >>How would a receiver distinguish between an established list versus >> one that is new versus one that is unlisted? >> > >AFAIK, the mechanics of identifying and whitelisting mailing lists is up >to each ADMD. One could simply aggregate the list in a local CSV file, >or a more preferable option is that a RBL -like DNS server issue TXT >records for each domain, letting us know if it is a mailing list. > >This mailinglist RBL could be an extension to an existing SPAMHAUS, or >may be dedicated to this purpose. > >The TXT response could also list information such as "date added" so that >clients can assign an appropriate amount of trust to that assertion. >(e.g. Trust the assertion that a given IP is a mailing list or a >potential new spammer) > >I think it would be beneficial to cross check the information in this >mailing list IP database against what is in the whitelist DB. The >outliers of each repository will enhance or diminish the trust given to >an IP.
I think this is a pretty enormous effort for little gain. For one thing, different mailing lists operate in different ways, which means there isn't a single mechanism that can positively identify a message as having arrived through a list. That means identifying such traffic falls to the realm of heuristics, and I don't believe an authentication protocol (or a policy protocol based om authentication) should be predicated even in part on a heuristic. Moreover, once the heuristics are either published or determined subversively, they can be exploited. And I don't believe this is an interesting use case. Phishing via lists simply doesn't happen today. Certainly it could, but a phish sent to a list is far more likely to be detected than one that's more targeted. Wouldn't you agree that a BofA or PayPal phish sent to a list would draw some attention? "I got this email from PayPal, but it has the dmarc-discuss footer on itŠ weirdŠ" for example. Since this topic is especially persistent, however, perhaps someone needs to construct an experiment to show that it's viable and doesn't weaken the proposed mechanism. That is, if you were to build such an experiment and stand it up to scrutiny, I shouldn't be able to successfully attack it unless the effort I expend makes doing so not worth my while. >> What would a spammer posing as a list gain him or her? > >If a spammer were to become trusted via the whitelisting process >previously mentioned (or any alternative), then that would be a risk to >the goal that DMARC is trying to solve. In other words it would permit >spoofing of the FROM address via the exemption process. > >Therefore, DMARC is only as robust as the exception process created for >handling mailing lists. Šor the absence of such a process. -MSK _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
