On Mon, Apr 10, 2023 at 9:30 AM John R Levine <[email protected]> wrote:
> On Mon, 10 Apr 2023, Alessandro Vesely wrote:
> > On Sat 08/Apr/2023 15:59:30 +0200 John Levine wrote:
> >> It appears that Eric D. Williams <[email protected]> said:
> >>>
> >>> I think the reliance upon list operators is properly placed on that role.
> >>> It's not a DMARC problem, it's a DKIM problem, I think.
> >>
> >> No, it's a DMARC problem. DKIM didn't cause any problems for mailing lists
> >> (ignoring ill-advised and never used ADSP) until DMARC was layered on top
> >> of it, and AOL and Yahoo abused it to foist the support costs on the rest
> >> of the world after they let crooks steal their users' address books.
> >
>

I disagree. Despite the failure of adoption of ADSP, which is not a new thing by any stretch - we've seen that before, if we are talking about mailing lists the real answer is ARC not DMARC, that's what I'm saying. It's a failure with DKIM signature invalidation as a result of relaying via mailing lists.

> > That's how it happened. Can we now accept their push? After so many email
> > addresses became public, how about accepting that email addresses being
> > public doesn't have to imply that anyone can impersonate them?
>
> No, that's not what happened. People had been faking AOL and Yahoo
> addresses forever and the providers dealt with it. The problem was that
> spammers used the stolen address books to send spam from the addresses of
> people the recipients knew, and they were flooded with complaints "why are
> my friends spamming me." It's entirely the fault of those providers'
> poor security.
>
> Re impersonating, until DMARC can tell the difference between
> impersonation and the kinds of ordinary forwarding we've been doing since
> the 1980s, nope.
>

Now, perhaps I misunderstood the original thread, so I'll cop to that, but I will assert that although DMARC can certainly provide some legitimacy assurances it certainly does have a gap with impersonation, particularly manifested with maillist relaying in many common configurations.

> R's,
> John
>

/r/

-e
--
Eric D. Williams <[email protected]>
PGP Public Key http://new.infobro.com/KeyServ/EricDWilliams.asc
Finger Print: 1055 8AED 9783 2378 73EF 7B19 0544 A590 FF65 B789
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
