> -----Original Message-----
> From: dmarc [mailto:[email protected]] On Behalf Of Stephen J. Turnbull
> Sent: Wednesday, May 06, 2015 4:23 AM
> To: Scott Kitterman
> Cc: [email protected]
> Subject: Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support
>
> Scott Kitterman writes:
>
> > Approximately as soon as list-id enables DMARC bypass,
>
> It never will. (BTW, it's List-Post that's relevant.) It's the subscriber's action of posting to the list that enables the bypass. That means that a successful attack of the kind that triggered the April Fiasco requires an iterated phish: first you have to phish *me* to post to your list, then you need to modify my post to phish *Murray*.
>
> If you have an alternative threat model in mind, please explain it.
One that comes to mind immediately is to compromise existing list(s) (MLM) used by the target audience and then modify posts as desired. It may be that the modification would be for only one or a few recipients. I'm sure there are other mechanisms if a little thought is put into it.

Mike

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
