We shouldn't have to keep this giant security hole in email (spoofing) just because mailing lists, which predate the spam and spoofing issues, don't want to update how they operate. Accommodating =reject DMARC policy is simple for the mailing lists. A policy of "Because that's the way we always did it" is dumb. We didn't use to recycle, now we do...because it is better. DMARC is better than allowing spoofing. Update your mailing list. Stop forging sender. Move on.
Q: I operate a mailing list and I want to interoperate with DMARC, what should I do?
A: DMARC introduces the concept of aligned identifiers. It means the domain in the from header must match the d= in the DKIM signature and the domain in the mail from envelope.
You have a few solutions:
- operate as a strict forwarder, where the message is not changed and the validity of the DKIM signature is preserved
- introduce an "Original Authentication Results" header to indicate you have performed the authentication and you are validating it
- take ownership of the email, by removing the DKIM signature and putting your own as well as changing the from header in the email to contain an email address within your mailing list domain.
Spoofing is a huge issue for all email customers. DMARC was started, in part, to deal with the coming problems that were foreseen here. Mailing Lists don't have to forge or spoof to work. They can adjust and everyone is better off.
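The aligned-identifier check from the Q&A above, applied to three ways a list can handle a post, as an added example that is not code from the thread or from any DMARC implementation. It follows RFC 7489, where one aligned, passing identifier (SPF or DKIM) is enough. The domains, messages and SPF/DKIM verdicts are constructed inputs, and `org_domain` is a naive stand-in for a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (this breaks on e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    # Strict alignment: exact match. Relaxed: same organizational domain.
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(raw, mail_from, spf_pass, dkim_pass_domains, strict=False):
    """raw: message text; mail_from: envelope sender; spf_pass: SPF verdict
    for the mail_from domain; dkim_pass_domains: d= values of signatures
    that verified. Verdicts are supplied by the caller, not computed here."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    spf_ok = spf_pass and aligned(from_domain, mail_from.rpartition("@")[2], strict)
    dkim_ok = any(aligned(from_domain, d, strict) for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample messages (example domains only).
AUTHOR_MSG = "From: Alice <alice@author.example>\nSubject: hi\n\nbody\n"
OWNED_MSG = ("From: Alice via List <list@lists.example>\n"
             "Reply-To: alice@author.example\nSubject: [list] hi\n\nbody\n")

def scenarios():
    bounce = "list-bounces@lists.example"  # list's envelope sender, SPF passes
    return {
        # Message untouched: the author's DKIM signature still verifies.
        "strict_forwarder": dmarc_result(AUTHOR_MSG, bounce, True, ["author.example"]),
        # List edited the message and kept From: author's signature is broken,
        # and the list's own signature and SPF are not aligned with From.
        "modified_keep_from": dmarc_result(AUTHOR_MSG, bounce, True, ["lists.example"]),
        # List rewrote From to its own domain and re-signed.
        "take_ownership": dmarc_result(OWNED_MSG, bounce, True, ["lists.example"]),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20} {verdict}")
```
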
An interesting point for the discussion on whether MLMs are allowed to modify the From header is in section 3.6.2 of RFC 2822: http://tools.ietf.org/html/rfc2822#section-3.6.2. The intended meaning of the From field is to indicate the author of a message, which is explicitly allowed to be different from the sender. Thus list-originated communication like digest messages should be sent with the From header of the list, but messages forwarded by the MLM should be sent with the From header indicating the original author. In the absence of the Sender header it can be assumed to be the same as the From header. Thus, DMARC could use the Sender header instead of the From header and fall back to the From header only when Sender is absent. This way MLMs would have a way of avoiding the issue by supplying the Sender header. Unfortunately, DMARC chose not to use the Sender header, citing abuse and bugs in some MUAs which don't display the Sender header to the user correctly: http://www.ietf.org/mail-archive/web/dmarc/current/msg00064.....
> Mailing Lists don't have to forge or spoof to work.
Using email correctly per RFCs isn't "forging" or "spoofing".
That this doesn't work with DMARC, because DMARC chose instead to break the world because it preferred to support the existing broken behavior over (rather than only as far as was consistent with also supporting) standardized, documented semantics of email headers, is, if not a fatal flaw in DMARC, at least something that greatly limits its utility.
Raymie Stata hasn't worked for Yahoo in a long time. You can go here, https://help.yahoo.com/kb/postmaster when you have issues. Was very easy to find. postmaster.yahoo.com