> On Jul 22, 2018, at 5:11 PM, Grant Taylor via Mailman-Users 
> <mailman-users@python.org> wrote:
> 
>> On 07/22/2018 02:03 PM, John Levine wrote:
>> No, it was specified in full knowledge that it would break pretty much every 
>> mailing list on the planet if used on domains with human users, instead of 
>> its intended target of notices from robot domains like paypal.com.
> 
> I choose to believe the mailing lists were behaving improperly.
> 
> To me, DMARC (including SPF and DKIM) is a method to determine if a message 
> is coming from the original source (or authorized delegate). Where email is a 
> combination of the message data and SMTP transaction delivering said message.

What actions do you think mailing lists are doing improperly?

Note, the subject modification is a long standing feature of mailing lists, 
which is one thing that breaks DMARC, though I might be willing to give that up.

The modification of the message body to add a header or footer is also common, 
and in some places effectively required by law.

>> That's why we have ARC, once AOL and Yahoo abused it to solve the problem 
>> they created when they let crooks steal their users' address books.
> 
> I assume you are referring to "DMARC" when you say "…abused /it/ to solve…".
> 
> I feel like AOL's and Yahoo's actions are just additional gas on the fire 
> that has been burning for a long time.  The problem of bad actors spoofing 
> message senders exists independently of AOL and Yahoo.  Did their (in)actions 
> make the problem worse?  Probably.  Did they cause the problem?  No.  Did they 
> exceed critical mass?  I don't think so.  Rather I think it was past the 
> critical mass long before AOL and Yahoo fueled the fire.
> 
> -- 
> Grant. . . .

If AOL and Yahoo had just used the quarantine option for DMARC, it wouldn’t have 
been quite as bad. But they ABUSED DMARC by their settings. By the design of 
DMARC, AOL and Yahoo should have informed their users that they were changing 
the Terms of Service of their email systems, and that all their users were now 
effectively prohibited from using any form of re-mailing system, including most 
forms of (external) mailing lists. Instead they just told the world, we aren’t 
going to follow the normal rules, you deal with it.

Yes, there is a fundamental issue with email in that it is easy to spoof. Fixing 
it is going to be a significant issue, and possibly a complete recreation of 
the system. The issue is that creating such a new system is a major job. Such 
a redesign would need to look at ALL current uses and either decide that such 
uses were no longer valid or accommodate them. DMARC somewhat intentionally 
did not consider mailing lists, because they didn’t have a good solution to 
handle them, and their intended usage, the protection of ‘valuable’ mail, 
somewhat excluded the use of such services. It basically required that any 
service that wanted to use DMARC needed to separate valuable protected mail 
from less valuable mail with different domains. AOL and YAHOO just decided to 
ignore that in their use of it.
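As an added illustration (not part of this thread or of Mailman), the following Python sketch shows why the two list behaviours named above, a Subject tag and an appended footer, invalidate the author domain's DKIM signature and so fail DMARC for a From: domain publishing p=reject. The HMAC stands in for the real RSA/Ed25519 signature, and every address, key and list name is constructed.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the author domain's DKIM private key (real DKIM uses RSA).
SIGNING_KEY = b"demo-signing-key"
SIGNED_HEADERS = ("from", "subject", "date")   # the h= list of the signature

def canon_body_simple(body: str) -> bytes:
    # DKIM "simple" body canonicalization: CRLF line ends, trailing empty lines dropped.
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def canon_header_relaxed(name: str, value: str) -> bytes:
    # DKIM "relaxed" header canonicalization: lowercase name, whitespace collapsed.
    return f"{name.lower()}:{' '.join(value.split())}\r\n".encode()

def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()

def header_hash(headers: dict) -> bytes:
    h = hashlib.sha256()
    for name in SIGNED_HEADERS:
        h.update(canon_header_relaxed(name, headers[name]))
    return h.digest()

def sign(headers: dict, body: str) -> dict:
    # bh= is the body hash; b= covers the signed headers plus bh=, as in real DKIM.
    bh = body_hash(body)
    b = hmac.new(SIGNING_KEY, header_hash(headers) + bh.encode(), "sha256").hexdigest()
    return {"bh": bh, "b": b}

def verify(headers: dict, body: str, sig: dict) -> bool:
    bh_ok = hmac.compare_digest(body_hash(body), sig["bh"])
    expected = hmac.new(SIGNING_KEY, header_hash(headers) + sig["bh"].encode(), "sha256")
    return bh_ok and hmac.compare_digest(expected.hexdigest(), sig["b"])

# Constructed message as signed by the author domain (From: stays the same through the list).
ORIG_HEADERS = {"from": "alice@example.com", "subject": "Meeting notes",
                "date": "Sun, 22 Jul 2018 14:03:00 -0600"}
ORIG_BODY = "Notes from today.\n"
SIG = sign(ORIG_HEADERS, ORIG_BODY)

def list_rewrite(headers: dict, body: str) -> tuple:
    # What a typical list does: prefix the Subject and append a footer.
    tagged = dict(headers, subject="[Users] " + headers["subject"])
    return tagged, body + "-- \nList info: https://lists.example.net/users\n"

def check_after_list() -> dict:
    h2, b2 = list_rewrite(ORIG_HEADERS, ORIG_BODY)
    return {"original": verify(ORIG_HEADERS, ORIG_BODY, SIG),
            "subject_only": verify(h2, ORIG_BODY, SIG),
            "footer_only": verify(ORIG_HEADERS, b2, SIG),
            "both": verify(h2, b2, SIG)}
```

Because From: still names example.com, a receiver applying that domain's p=reject has no aligned DKIM or SPF pass left and rejects the list copy; that is the breakage the thread describes, and it is what ARC later set out to record.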
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/