Elizabeth Zwicky writes:

> So changes that maintain effective protection for users who are
> being targeted by attackers with addressbook information, with less
> disruption to email that people want, are of great interest to us.

How about trying "p=quarantine" with a real short TTL just in case? After a while you crank it back up to the current level (which is only 1800 in any case).

The argument is that, seriously, since the attackers have addressbook information, you're done for anyway. They're already hard at work on Plan B, using "I'm writing this from my friend's account" with self in Sender: (should work well on Outlook users despite having on-behalf-of point the wrong direction), and ... Heck, I've already thought of a dozen of these dodges and my name isn't even Laurence Canter.

I think it's worth a check to see if the miscreants will bother to come back at you with the previous style of spam shot even though they should expect that the vast majority of their spam will get rejected anyway (messages apparently from a "p=quarantine" domain should be given a rough time as encouraged by the DMARC protocol), and the rest will end up in spam folders. I would think trying to avoid DMARC entirely would now be the best use of their resources, so maintaining quarantine should be enough.

There may be some directly relevant recent evidence on this, since GMail is evidently promoting mailing list traffic from "p=reject" domains to "quarantine". If the spammers know this, they could continue targeting GMail customers in their stolen addressbook database. Dunno if GMail will tell Yahoo!, but you could ask.

BTW I hope you guys are basing "p=reject" (vs. "p=quarantine") on real data on how often fraudulent mail that ends up in spam folders actually succeeds in harming the targeted victim.
