[dmarc-discuss] How does *this* mailing list interact with dmarc?
steven at pyro.eu.org
Sun Jun 24 06:03:33 PDT 2012
On 24/06/12 07:11, Murray Kucherawy wrote:
> If I own example.org, I can create arbitrary subdomains under it, and sign
> with them, at no cost to me.
Dynamic DNS services are often abused in this way, but we tend to know
who they are and attach a bad reputation to them.
>> They would also have to keep nameservers operational to serve DKIM keys
>> for their spam to verify against, and their IPs would also become known.
> A botnet solves the IP problem, and there are plenty of registrars (see
> recent news feeds) that are slow, inept, or disinterested in terms of
> taking down the domains of bad actors.
Agreed, but this infrastructure is something spammers wouldn't have to
provide at all if the only available alternative were p=none. They could
instead pretend to be a well-known, good-reputation domain with SPF ~all
and not ring any alarm bells.
Secondary effects of a successful DMARC effort would be that people can
safely set a strict policy, deploy DKIM and stricter SPF rules if they
haven't already, and forwarders/listservers make their mail verifiable.
> The reason DMARC focused on the From: field is because it's the one most
> commonly shown to users. That's a big part of what makes phishing
> effective. Switching to the return path or the Sender field or some other
> identifier that users don't see is a cheap way to get a DMARC "pass"
> without having to change what the user sees.
A 'full' DMARC pass (e.g. -1 spam score) need only apply when a big
brand with p=reject policy delivers mail that passes the existing
From-based alignment rules.
A 'neutral' acceptance (0) could happen if the sender published a
'p=reject, but please accept my mail if forwarded' policy and the mail
was indeed forwarded via reasonably verifiable means such as a DKIM
signature from what is hopefully a listserver/forwarder. The receiver
might still override this with a 'fail' after scrutinising the
forwarding domain and considering reputation for well-known lists.
A 'fail' (+5 spam score) could happen as before when p=reject mail fails
Setting an 'accept forwarded' policy is different from p=none because
the latter takes away the 'fail' category.
Setting such a policy need not prevent achieving a 'full pass' on the
good portion of their mail, which isn't forwarded and satisfies the
stronger From criteria.
> Still, the question remains: Why is trying to ensure list traffic passes
> DMARC something that should be in scope? Do big brands actually get
> phished via mailing lists?
Are facebook.com users able to send outgoing mail? The p=reject policy
means that anyone who mailed this list would be blocked by some
receiving mailservers (163.com didn't recognise the list last time I
checked), and you would receive false-positive reports.
Receivers may start to think DMARC verification has too many false
positives and relax the weight they give to a DMARC failure. Then it
erodes the effectiveness of DMARC at filtering out phishing mails from
facebook.com and for other big brands.
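The three-way outcome the message above sketches (a full pass only for an aligned p=reject domain, a neutral result for mail verifiably passed through a forwarder under a "please accept if forwarded" policy, and a fail otherwise) written out as a small scoring model. This is an added example, not code from the original message or from any DMARC implementation: the `accept_forwarded` policy flag, the spam-score values, the simplified organizational-domain rule, the sample domains and the forwarder reputation set are all assumptions made for illustration.

```python
"""Scoring model for the three DMARC outcomes proposed in the post.

Added example (assumptions: the 'accept_forwarded' flag, score values,
org-domain rule, sample domains and reputation set are illustrative).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Spam-score contributions named in the post: full pass -1, neutral 0, fail +5.
FULL_PASS = -1
NEUTRAL = 0
FAIL = 5


@dataclass
class Policy:
    p: str                          # DMARC p= tag: "none" or "reject"
    accept_forwarded: bool = False  # hypothetical "p=reject, but accept if forwarded" flag


@dataclass
class Message:
    from_domain: str                                           # RFC5322.From domain
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of signatures that verified
    spf_pass_domain: Optional[str] = None                      # MAIL FROM domain if SPF passed


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC consults the public suffix list; this is a stand-in."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str) -> bool:
    """Relaxed identifier alignment: same organizational domain."""
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_score(msg: Message, policy: Policy, bad_forwarders: Set[str]) -> int:
    """Return the spam-score contribution under the post's three-way scheme.

    bad_forwarders: organizational domains of forwarders the receiver has
    decided not to trust (the 'scrutinise the forwarding domain' override).
    """
    from_aligned = any(aligned(msg.from_domain, d) for d in msg.dkim_pass_domains) or (
        msg.spf_pass_domain is not None and aligned(msg.from_domain, msg.spf_pass_domain)
    )
    if from_aligned:
        # Full pass only when a p=reject domain passes the existing From-based rules;
        # aligned mail from a p=none domain is treated as neutral in this model.
        return FULL_PASS if policy.p == "reject" else NEUTRAL

    if policy.p == "none":
        # p=none has no 'fail' category at all.
        return NEUTRAL

    # Any verified DKIM signature that is not aligned with From is taken to be
    # the forwarder's or listserver's own signature.
    forwarders = [d for d in msg.dkim_pass_domains if not aligned(msg.from_domain, d)]
    if policy.accept_forwarded and forwarders:
        # The receiver may still override to 'fail' for a forwarder of bad reputation.
        if any(org_domain(d) in bad_forwarders for d in forwarders):
            return FAIL
        return NEUTRAL

    # p=reject mail that fails alignment and has no acceptable forwarder signature.
    return FAIL


if __name__ == "__main__":
    # Constructed sample: a p=reject brand mailing a list that re-signs as lists.example.net.
    via_list = Message("brand.example", ["lists.example.net"])
    print(dmarc_score(via_list, Policy("reject"), set()))              # fail
    print(dmarc_score(via_list, Policy("reject", True), set()))        # neutral
    print(dmarc_score(Message("brand.example", ["brand.example"]),
                      Policy("reject", True), set()))                  # full pass
```

The point the model makes concrete is the last paragraph of the distinction drawn above: with `accept_forwarded` set, the unforwarded, From-aligned portion of the sender's mail still earns the full pass, while with `p="none"` the fail outcome disappears entirely.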