On 26/05/2014 05:46, Stephen J. Turnbull wrote:
> Richard Damon writes:
> > On 5/25/14, 11:30 AM, Mark Rousell wrote:
> > >
> > > Whilst Yahoo and AOL are the ones who have chosen to
> > > use/misuse/abuse DMARC in this way, it could also be said that
> > > DMARC (and all its backers in its current form) are to blame
> > > precisely because DMARC *allows* Yahoo's/AOL's behaviour.
>
> The "p=reject" policy option is useful, perhaps necessary, to prevent
> phishing at financial institutions. My bank (Tokyo-Mitsubishi-UFJ) is
> in a total panic to the point where they are running a major
> television campaign (multiple channels, hitting all the major
> demographics) displaying a typical MUA (Outlook, of course) showing a
> typical phishing message and putting a big red X over the password
> input field.
>
> > > If the standard has been properly finished and properly thought
> > > through from all angles then ways could surely have been found to
> > > allow it to be used without harming existing, standards-compliant
> > > behaviour.
>
> DMARC's purely informational protocols have been in use successfully
> for years, and nobody ever noticed. Some banks have been using
> "p=reject" for quite a long time (more than a year), and nobody ever
> noticed.
Of course (in fact I recently said words to the same effect as what you
say here on the mozilla.support.thunderbird group when the problem was
raised there), but the issue at hand is not appropriate usage of
"p=reject": the issue at hand is *inappropriate* usage of "p=reject" and
the way that the protocol in effect almost encourages this (or at least
naturally tends in that direction for a business that is desperate
enough). It seems to me that if a protocol so easily allows (or even
effectively encourages) usage that craps on existing legitimate Internet
usage then the protocol (and its designers) must be in part to blame.

> I don't think the evidence supports that belief. The design of the
> protocol has been very careful, with multiple ways to mitigate the
> kind of effects we saw in April.

Oh yes, the protocol has been well designed, but it has been well
designed by its backers, who were naturally looking at it *from a
certain perspective*. The protocol has been well designed to achieve
certain aims and it is likely to be successful at achieving them
(including via Yahoo's and AOL's particular implementation,
inappropriate though it is). If a perhaps wider range of perspectives
had been involved, i.e. if it had been developed through the IETF, then
perhaps misuse/abuse of the sort that Yahoo and AOL have demonstrated
would have been less easy or less tempting for them.

> Yahoo! and AOL simply don't care who
> gets hurt as long as they can present it to their own users as a
> necessary measure to combat spam (and other mail abuse).

Exactly. But they have gone ahead and done it, and they have gone ahead
and done it because they can and because the protocol as it stands
almost encourages (and certainly does not discourage) such behaviour.
Yes, they don't care, but it seems to me that a protocol that does
nothing to prevent or discourage such behaviour must be to blame too.
> According to one of the editors of the Internet Draft (message to a
> closed list), use by ESPs of "p=reject" was never envisioned by the
> working group, and he believed (until it actually happened) that
> Yahoo! and AOL knew that because they have active representatives in
> the group. I'm not sure I really believe that, since one of the DMARC
> proponents on Mailman channels clearly believes that any problems are
> the fault of misconfigured lists, and one of the editors of the DMARC
> Internet Draft has a Yahoo! affiliation listed.

Interesting. If it is true that the designers never foresaw Yahoo's and
AOL's style of misuse then this seems to me to confirm my point: that a
wider range of perspectives, which the IETF would hopefully have brought
to it, might have helped make possible misuses/abuses clear.

> *I* can and do play hardball, and (as mentioned in a previous post)
> the fiasco at yahoo.com triggered a reaction in the Japanese research
> and education communities (including an official advisory from the
> Ministry of Education, Culture, Science and Technology), so that
> students and to some extent faculty and researchers have switched to
> GMail en masse -- entirely unnecessary since yahoo.co.jp doesn't seem
> to publish a DMARC policy at all!

That's good to hear. Perhaps Yahoo will notice this, since I understand
that their shareholding in the Japanese company is profitable for them.

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
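An added example, not code from this thread, from Mailman, Yahoo, AOL or the DMARC specification, showing the mechanism the thread argues about: how a receiver that enforces DMARC treats a post relayed through a mailing list when the author's domain publishes "p=reject", versus one like yahoo.co.jp that publishes no record, versus a bank domain whose record exists to stop phishing. The DNS answers are constructed and embedded instead of looked up, the organizational-domain rule is a two-entry stand-in for the Public Suffix List, and every domain name, record and scenario below is an assumption for illustration. The "pct" tag is parsed but sampling is not applied.

```python
"""Offline model of DMARC record parsing and the receiver-side verdict.

Everything in FAKE_DNS is constructed for this example; a real validator
queries TXT records at _dmarc.<domain>.
"""

# Constructed TXT answers (assumption: none of these are real records).
FAKE_DNS = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@yahoo.com",
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "_dmarc.example.com": "v=DMARC1; p=none; sp=quarantine",
    "_dmarc.broken.example": "p=reject; v=DMARC1",   # v is not first: must be ignored
    # yahoo.co.jp deliberately has no record, as noted in the thread.
}

POLICIES = ("none", "quarantine", "reject")
DEFAULTS = {"sp": None, "adkim": "r", "aspf": "r", "pct": "100"}
# Stand-in for the Public Suffix List (assumption: only these two entries).
MULTI_LABEL_SUFFIXES = {"co.jp", "co.uk"}


def parse_dmarc(txt):
    """Parse an RFC 7489 tag=value record; raise ValueError if a receiver must ignore it."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        k, v = (s.strip() for s in part.split("=", 1))
        tags.append((k.lower(), v))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("first tag must be exactly v=DMARC1")
    rec = dict(DEFAULTS)
    rec.update(tags[1:])
    if rec.get("p") not in POLICIES:
        raise ValueError("p tag missing or invalid")
    if rec["sp"] is not None and rec["sp"] not in POLICIES:
        raise ValueError("sp tag invalid")
    if rec["adkim"] not in ("r", "s") or rec["aspf"] not in ("r", "s"):
        raise ValueError("adkim/aspf must be r or s")
    if not rec["pct"].isdigit() or not 0 <= int(rec["pct"]) <= 100:
        raise ValueError("pct must be 0..100")
    rec["pct"] = int(rec["pct"])
    return rec


def org_domain(domain):
    """Organizational domain: last two labels, or three under a known multi-label suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def lookup_policy(from_domain):
    """Return (policy, record) for an RFC5322.From domain, or (None, None) if none applies."""
    d = from_domain.lower().rstrip(".")
    for name, is_sub in ((d, False), (org_domain(d), True)):
        txt = FAKE_DNS.get(f"_dmarc.{name}")
        if txt is None or (is_sub and name == d):
            continue
        try:
            rec = parse_dmarc(txt)
        except ValueError:
            return None, None            # unparseable record is treated as absent
        # A subdomain without its own record inherits sp if set, else p.
        return (rec["sp"] or rec["p"]) if is_sub else rec["p"], rec
    return None, None


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(from_domain, dkim_results, spf_result):
    """Receiver verdict: 'no-policy', 'pass', or the publisher's policy to apply.

    dkim_results: list of (d= domain, signature verified?) pairs.
    spf_result:   (MAIL FROM domain, SPF passed?).
    """
    policy, rec = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"
    dkim_ok = any(ok and aligned(from_domain, d, rec["adkim"]) for d, ok in dkim_results)
    spf_domain, spf_ok = spf_result
    if dkim_ok or (spf_ok and aligned(from_domain, spf_domain, rec["aspf"])):
        return "pass"
    return policy


def mailing_list_scenario(author_domain, list_domain, rewrite_from):
    """Model a list relaying a post: subject tag and footer break the author's DKIM
    signature, and the list's envelope sender makes SPF pass only for list_domain.
    With rewrite_from the list puts its own domain in From and signs the message."""
    dkim = [(author_domain, False)]          # author's signature invalidated by modification
    spf = (list_domain, True)                # SPF passes for the list's own domain
    if rewrite_from:
        dkim.append((list_domain, True))     # list re-signs with its own key
        return dmarc_disposition(list_domain, dkim, spf)
    return dmarc_disposition(author_domain, dkim, spf)


if __name__ == "__main__":
    for author, lst, rewrite in [("yahoo.com", "lists.example.org", False),
                                 ("yahoo.co.jp", "lists.example.org", False),
                                 ("yahoo.com", "lists.example.com", True)]:
        print(author, "via", lst, "rewrite" if rewrite else "verbatim",
              "->", mailing_list_scenario(author, lst, rewrite))
```

The three list scenarios give "reject", "no-policy" and "pass": the same relayed post is rejected by every enforcing receiver when the author is at a p=reject domain, passes through untouched when the author's domain publishes nothing (the yahoo.co.jp case), and survives only when the list rewrites From to its own domain and signs. The bank case shows why the record exists: a message with From bank.example signed and sent by some other domain fails both alignments and is rejected, while the bank's own mail passes.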