On 26/05/2014 01:31, Mark Sapiro wrote:
> On 05/25/2014 11:31 AM, Mark Rousell wrote:
>>
>> Whilst mail client recognition of the X-Original-From header would
>> alter what users see (which is in fact a key goal in this context,
>> not a bug), DMARC would nevertheless still be effective in terms of
>> its own design goals in that mail servers could still adhere to
>> DMARC and reject or spamfilter non-compliant messages.
>
>
> Until spammers figure out they can send mail
>
> From: spam...@evildomain.com
> X-Original-From: whate...@yahoo.com
>
> DMARC doesn't stop it because evildomain.com doesn't publish a DMARC
> policy, and the 'evolved' MUAs display the message as if it's from
> whate...@yahoo.com, just what DMARC is intended to stop.
Yup, I understand that. However:

a) It seems to me that this or something like it (i.e. new de facto standard headers to work around the problem) is surely an almost inevitable outcome anyway.

b) The way things are going, all domains will sooner or later publish a DMARC policy if they want their mail to be accepted anywhere.

c) In fact, I rather assumed in my suggestion (but did not explicitly state it, apologies) that lack of a DMARC policy (or whatever comes after DMARC) will, in and of itself, sooner or later have the effect of massively increasing an email's chance of being rejected or quarantined.

d) It seems very clear that the goal of the DMARC project is for *every* domain to publish a DMARC policy, and they don't care about domains that don't publish a DMARC policy. Their market volume means that they have stolen the lead from the IETF, and others will follow. Something like X-Original-From is just, in effect, following their lead.

e) It is not our problem. As I said, if "p=reject" DMARC users can effectively externalise some aspects of their spam problem, it seems only appropriate and pragmatic for the rest of us to similarly externalise the problems so created.

In short, X-Original-From becoming a de facto standard would benefit the users of mail clients receiving mail from legitimate resenders such as mail lists (admittedly when taken together with a presumption that lack of DMARC would automatically cause a very high spam score, either on receiving mail servers or in the mail client itself). I also envisage a UI that highlights the fact that an X-Original-From header is being used and that the sending domain does not publish a DMARC policy (in suitably end-user-friendly language). A user might be able to whitelist mail from mail lists known to him/her with a single click/tap without having to understand the underlying issues.
[I do note that none of this would alleviate the issue of spam sent through a mail server that does issue a DMARC policy and correctly aligns its From field with the policy, but that is a separate issue. Notably, it seems to me that DMARC will only increase the attempts by spammers/scammers to hijack accounts on ESPs like Yahoo!]

I admit that in taking this domineering attitude I am simply following the technique of social engineering demonstrated by the DMARC group: by pushing through a change they are forcing others to follow suit and/or adapt. It's not how I'd like things to be, but we seem to be entering a world where Internet protocols are driven less by voluntary adherence to widely agreed standards and more by what some groups can push through. If one can't beat them, perhaps one should join them in their approach!

--
Mark Rousell
PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
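The following is an added illustration, not code from either poster, of the display rule the reply sketches: an MUA honours X-Original-From only when the resender's From domain both publishes a DMARC policy and aligns with what DKIM/SPF authenticated, and flags the rewrite in the UI. The DMARC policy table, the `lists.example.org` list host and the authenticated-domain argument are constructed stand-ins for DNS lookups and Authentication-Results parsing.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for _dmarc TXT record lookups (no network access).
# Domains missing from the table publish no DMARC policy at all.
DMARC_POLICIES = {
    "yahoo.com": "p=reject",
    "lists.example.org": "p=reject",  # hypothetical list host that rewrites From
}


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address (display name tolerated)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def dmarc_policy(domain):
    """Published DMARC policy for the domain, or None if it publishes none."""
    return DMARC_POLICIES.get(domain)


def display_sender(raw_message, authenticated_domain):
    """Return (address the MUA should display, list of UI warnings).

    authenticated_domain is the domain DKIM or SPF actually validated for this
    message; a real MUA would read it from Authentication-Results.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = str(msg["From"])
    orig = msg.get("X-Original-From")
    from_dom = domain_of(from_addr)
    warnings = []
    # The resender must itself pass DMARC: From must align with the authenticated domain.
    if from_dom != authenticated_domain:
        warnings.append("From domain not aligned with authentication result")
    # Sapiro's case: with no policy, nothing stops a forged X-Original-From.
    if dmarc_policy(from_dom) is None:
        warnings.append("sending domain publishes no DMARC policy")
    if orig is None or warnings:
        # Fall back to the literal From; never promote an unbacked X-Original-From.
        return parseaddr(from_addr)[1], warnings
    # Legitimate resender: show the original author, but make the rewrite visible.
    return parseaddr(str(orig))[1], ["displayed address taken from X-Original-From"]


# Constructed sample messages: the spam case from the quoted reply, and a list resend.
SPAM = "From: spammer@evildomain.com\nX-Original-From: someone@yahoo.com\nSubject: hi\n\n"
LIST = ("From: someone via List <list@lists.example.org>\n"
        "X-Original-From: someone@yahoo.com\nSubject: hi\n\n")
```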