Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-06-01 Thread Roland Turner via dmarc-discuss
On 01/06/18 17:04, Alessandro Vesely via dmarc-discuss wrote: I see. As a small receiver, I didn't even think about comparing different forwarders of the same senders. In my case, such coincidences only cover a handful of trusted mailing lists. Your argument further confirms how ARC better

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-06-01 Thread Alessandro Vesely via dmarc-discuss
On Fri 01/Jun/2018 07:40:07 +0200 Roland Turner via dmarc-discuss wrote: > On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote: > >> My filtering ability is visible to the people I forward to. Although targets >> don't see what I spare them, they can imagine. If you receive spam from

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-31 Thread Roland Turner via dmarc-discuss
On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote: 1: Granted, the list becomes a priority list for compromise attempts no spam indicator implies that the upstream ARC chain is faked.>>> You've lost me: difficulty of substantiating statements like "I trust these guys not to lie in

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-31 Thread Alessandro Vesely via dmarc-discuss
On Thu 31/May/2018 02:27:35 +0200 Roland Turner via dmarc-discuss wrote: > On 31/05/18 02:31, Alessandro Vesely via dmarc-discuss wrote: > > I took it as self-evident that I was describing a transition from an > embedded list to a reputation data feed. Got it :-) > 1: Granted, the list

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-30 Thread Roland Turner via dmarc-discuss
On 31/05/18 02:31, Alessandro Vesely via dmarc-discuss wrote: On Wed 30/May/2018 16:13:12 +0200 Roland Turner via dmarc-discuss wrote: On 29/05/18 23:05, Alessandro Vesely via dmarc-discuss wrote: [...] which includes pretty much all mail sites. The latter is *not* a slow-moving data set.

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-30 Thread Alessandro Vesely via dmarc-discuss
On Wed 30/May/2018 16:13:12 +0200 Roland Turner via dmarc-discuss wrote: > On 29/05/18 23:05, Alessandro Vesely via dmarc-discuss wrote: >> [...] which includes pretty much all mail sites. The latter is *not* a >> slow-moving data set. It grows steadily. > > Steady growth *is* slow movement.

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-30 Thread Roland Turner via dmarc-discuss
On 30/05/18 06:09, Brandon Long via dmarc-discuss wrote: On Tue, May 29, 2018 at 8:10 AM Alessandro Vesely via dmarc-discuss <dmarc-discuss@dmarc.org> wrote: I know ARC proponents don't want author's domains to sign ARC-0, but never understood why. Anyway, ordinary

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-30 Thread Roland Turner via dmarc-discuss
On 29/05/18 23:05, Alessandro Vesely via dmarc-discuss wrote:  * A single public whitelist is not necessary for ARC to work, multiple    lists are certainly possible, but the mapping of well-behaved    whitelist operators is: o much easier than mapping abusers, as the latter are

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-29 Thread John Levine via dmarc-discuss
In article you write: >No, ordinary forwarders which break DKIM need to ARC sign. If you're just >an ordinary forwarder, why break DKIM? Unfortunately, some people still authenticate with SPF, so an unmodified forward can break DMARC. R's, John

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-29 Thread Brandon Long via dmarc-discuss
On Tue, May 29, 2018 at 8:10 AM Alessandro Vesely via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > On Tue 29/May/2018 01:27:33 +0200 Roland Turner via dmarc-discuss wrote: > > On 28/05/18 19:26, Alessandro Vesely via dmarc-discuss wrote: > > > > For the implied question ("Why would small

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-29 Thread Alessandro Vesely via dmarc-discuss
On Tue 29/May/2018 01:27:33 +0200 Roland Turner via dmarc-discuss wrote: > On 28/05/18 19:26, Alessandro Vesely via dmarc-discuss wrote: > > For the implied question ("Why would small guys be interested?"): > >  * ARC headers simply provide a view as to what happened upstream. >    Whatever

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-28 Thread Roland Turner via dmarc-discuss
On 28/05/18 19:26, Alessandro Vesely via dmarc-discuss wrote: Your points define ARC's scope very well. But what's big guys' role? Let me call /semantic mailbox providers/ those company or personal mail sites whose users have some kind of trust relationship with, e.g. because they work for

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-28 Thread Alessandro Vesely via dmarc-discuss
On Sat 26/May/2018 06:55:55 +0200 Roland Turner via dmarc-discuss wrote: > On 25/05/18 19:00, Alessandro Vesely via dmarc-discuss wrote: > >> Wasn't this tried for SPF already? > > A whitelist of "I trust these guys to make exactly the same abuse-filtering > decisions that I'd make" and a

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-25 Thread Roland Turner via dmarc-discuss
On 25/05/18 19:00, Alessandro Vesely via dmarc-discuss wrote: Wasn't this tried for SPF already? A whitelist of "I trust these guys to make exactly the same abuse-filtering decisions that I'd make" and a whitelist of "I trust these guys not to lie in ARC signing/sealing" are two very

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-25 Thread John R Levine via dmarc-discuss
On Fri, 25 May 2018, Rolf E. Sonneveld wrote: I may live in another world or the mailing lists to which I subscribe may be different from the ones you subscribe to, but it is my experience that most mailing lists didn't implement the From rewriting kludge, but instead implemented the 'reject

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-25 Thread Alessandro Vesely via dmarc-discuss
On Thu 24/May/2018 20:58:30 +0200 John Levine via dmarc-discuss wrote: > In article <445884976.7940.1527153118...@appsuite.open-xchange.com> you write: >>This is actually an area of concern to us: how will small scale operations, >>like a server that only hosts a handful >>of mailing lists for

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-24 Thread John Levine via dmarc-discuss
In article <445884976.7940.1527153118...@appsuite.open-xchange.com> you write: >This is actually an area of concern to us: how will small scale operations, >like a server that only hosts a handful >of mailing lists for local non profits / open source projects / amateur groups >etc, be able to be

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-24 Thread Brock, Anthony D. via dmarc-discuss
On Thu, May 24, 2018 at 5:11 AM, Vittorio Bertola via dmarc-discuss <dmarc-discuss@dmarc.org> wrote: >> On 23 May 2018 at 9.43 Alessandro Vesel

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-24 Thread Al Iverson via dmarc-discuss
On Thu, May 24, 2018 at 5:11 AM, Vittorio Bertola via dmarc-discuss wrote: >> On 23 May 2018 at 9.43 Alessandro Vesely via dmarc-discuss >> wrote: >> >> ARC will allow message modifications. However, it will require that >>

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-24 Thread Vittorio Bertola via dmarc-discuss
> On 23 May 2018 at 9.43 Alessandro Vesely via dmarc-discuss > wrote: > > ARC will allow message modifications. However, it will require that > Google/Apple/etc recognize SomeCo as a trusted forwarder, in order to believe > reported authentication results.

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-23 Thread Dave Crocker via dmarc-discuss
(adding to the comments already posted...) On 5/21/2018 8:29 AM, Pete Holzmann via dmarc-discuss wrote: * From 'R's perspective, they simply want those emails to show up in their "other inbox" Most of the anti-spam technical work has focused on transport-related mechanisms, without much

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-23 Thread John Levine via dmarc-discuss
In article you write: >Until then, a simple forwarding —refraining to append any disclaimer or virus >scanning notice to the body of the message— would not break DKIM signatures and >hence leave DMARC authenticity intact. That is exactly the problem

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-23 Thread Alessandro Vesely via dmarc-discuss
On Mon 21/May/2018 18:24:13 +0200 Ken O'Driscoll via dmarc-discuss wrote: > On Mon, 2018-05-21 at 09:29 -0600, Pete Holzmann via dmarc-discuss wrote: >> QUESTIONS: >> 1) Is anyone working to solve these issues? >> 2) Has there been consideration of a forwarding token that could validate >> all

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-21 Thread Ken O'Driscoll via dmarc-discuss
On Mon, 2018-05-21 at 09:29 -0600, Pete Holzmann via dmarc-discuss wrote: > QUESTIONS: > 1) Is anyone working to solve these issues? > 2) Has there been consideration of a forwarding token that could validate > all such emails Take a look at the work being done on Authenticated Received Chain

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-21 Thread Paul Rock via dmarc-discuss
1) Yes, via two methods - The first is mailbox aggregation (why set up forwarding when I can just read the mailbox for you?) which is currently supported by a number of email providers. The second is via Authenticated Received Chain (ARC - see http://arc-spec.org/). Also currently supported by a

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-21 Thread Gerben Wierda via dmarc-discuss
There are many issues with DMARC. I’m trying it out now, but having looked at IETF documents (https://datatracker.ietf.org/wg/dmarc/documents/) especially RFC 7960 ("Interoperability Issues between

[dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-21 Thread Pete Holzmann via dmarc-discuss
I'm seeing a growing number of bounce-back errors from major players who have DMARC fully implemented. I have some observations, questions and a suggestion. Blessings, Pete OBSERVATIONS There's a pattern here that I suspect is only going to grow: * User R with SomeCo creates an email