Alessandro Vesely writes:

 > The tale goes that large mailbox providers want ARC as a tool to
 > filter mail streams from lists that don't do a good filtering
 > themselves.  ARC, they say, allows to attribute reputation
 > correctly.  However, I don't think they can tell who a message is
 > from, after it has been munged.

I don't see why they would care who the message is from.  They know
who added the ARC seal who claim to have validated the original From.
If any of them are highly trusted, or the whole chain is unbroken and
none is known untrustworthy, that should be good enough.

 > In that respect, From: munging hampers ARC.

Sure, a little, especially if the recipient doesn't understand the
theory.  On the other hand, there are only a few MLMs that munge, they
should be able to extract the original address in most cases.

 > A MLM would continue From: munging unless a receiver is able to tell it to 
 > not do it.

Sure, but as you say you need to trust the users, in this case, the
receivers.  If it's all I know about them, I wouldn't trust a user who
uses a "p=reject" provider to be clueful enough to make that decision

 > I see that archived messages are not munged.  How come?  Isn't the
 > archive a regular subscriber?

In general, no, they're not.  Messages are sent to archive services
before the munging process takes place.  There are services like where you interface with the archiver as a regular
subscriber, but Pipermail (Mailman 2) and HyperKitty (Mailman 3) both
short-circuit the pipeline.

 > At worst, one could set up two lists, fed by the same stream, one
 > with munging enabled and the other not, letting users subscribe to
 > the one they prefer.

To be honest, while I'm at best 50% willing to implement the user
option, I could easily be persuaded by a few experiments with the dual
list proposal.  This could be implemented almost transparently for the
subscriber (except at subscription time) by using an umbrella list.

 > A list can set the Author: header field by copying From:.

This isn't a problem.  I would be perfectly happy to accept a patch to
handle Author today as long as it's RFC-ly correct, which looks

 > MUAs won't notice Author: fields any time soon.

Then they're useless.
1.  They need to display them, or most users won't be able to use them
    in any way.
2.  It's important that they be included in automatically formatted
    replies, and the munged From ignored.
3.  You'd hope From would either not be displayed or the content of
    the Author field substituted into From.

 > > Translated into Scum-of-the-Earth-Spammer:
 > > 
 > >      You can use this header to send "referred by someone in victim's
 > >      contact list" (that you stole from Yahoo) spam and it will bypass
 > >      DMARC v1 because you can use an aligned From.  All-Hail-Author!
 > They're doing that with From:, and it works fine.  It is very hard
 > for MUAs to tell spoofed From:'s,

True, but DMARC should give essentially zero false negatives.  If it
says from is aligned, and the sending domain is reliable, it's not

 > Then, some people hold that even writing THIS IS PHISHING loud and
 > clear won't prevent users from opening and clicking that link.
 > Darwin will tell...

See the recent Twitter thread by @FatManTerra, who performed a very
cruel experiment where he advertised an obvious scam "for the purpose
of making people scammed by Terra whole" and amassed > $100,000 in
BitCoin in 24 hours.  (He returned it all, but it's unethical and must
make his victims feel like idiots.  I don't disagree with their
self-assessment, but it wasn't nice to rub their noses in it.)

 > Implementing and deploying ARC is not enough, you also need to
 > trust the ARC signer/ sealer.

I see it the other way around: once people have implemented ARC, you
have the opportunity to serve your users by trusting the ARC sealers.
We didn't really have that before, because of the ease of creating
fake mediators.

 > ARC won't be effective until it has been deployed at more than 60%
 > of SMTP servers and that's not a problem. :-)

I doubt 60% of servers will implement within the decade, but I guess a
lot more than 60% of legit mail is handled somewhere by an ARC-
conforming server.  Google has long been a powerful advocate of ARC.
I think there's hope.

Mailman-Developers mailing list --
To unsubscribe send an email to
Mailman FAQ:

Security Policy:

Reply via email to