[dmarc-discuss] How does *this* mailing list interact with dmarc?

Steven Chamberlain steven at pyro.eu.org
Sun Jun 24 06:03:33 PDT 2012


Hi!

On 24/06/12 07:11, Murray Kucherawy wrote:
> If I own example.org, I can create arbitrary subdomains under it, and sign
> with them, at no cost to me.

Dynamic DNS services are often abused in this way, but we tend to know
who they are and attach a bad reputation to them.

>> They would also have to keep nameservers operational to serve DKIM keys
>> for their spam to verify against, and their IPs would also become known.
> 
> A botnet solves the IP problem, and there are plenty of registrars (see
> recent news feeds) that are slow, inept, or disinterested in terms of
> taking down the domains of bad actors.

Agreed, but this infrastructure is something spammers wouldn't have to
provide at all if the only available alternative was p=none.  They could
instead pretend to be a well-known, good-reputation domain with SPF ~all
and not ring any alarm bells.

Secondary effects of a successful DMARC effort would be that people can
safely set a strict policy, deploy DKIM and stricter SPF rules if they
haven't already, and forwarders/listservers make their mail verifiable.


> The reason DMARC focused on the From: field is because it's the one most
> commonly shown to users.  That's a big part of what makes phishing
> effective.  Switching to the return path or the Sender field or some other
> identifier that users don't see is a cheap way to get a DMARC "pass"
> without having to change what the user sees.

A 'full' DMARC pass (e.g. -1 spam score) need only apply when a big
brand with p=reject policy delivers mail that passes the existing
From-based alignment rules.

A 'neutral' acceptance (0) could happen if the sender published a
'p=reject, but please accept my mail if forwarded' policy and the mail
was indeed forwarded via reasonably verifiable means such as a DKIM
signature from what is hopefully a listserver/forwarder.  The receiver
might still override this with a 'fail' after scrutinising the
forwarding domain and considering reputation for well-known lists.

A 'fail' (+5 spam score) could happen as before when p=reject mail fails
verification.


Setting an 'accept forwarded' policy is different from p=none because
the latter takes away the 'fail' category.

Setting such a policy need not prevent achieving a 'full pass' on the
good portion of their mail, which isn't forwarded and satisfies the
stronger From criteria.


> Still, the question remains: Why is trying to ensure list traffic passes
> DMARC something that should be in scope?  Do big brands actually get
> phished via mailing lists?

Are facebook.com users able to send outgoing mail?  The p=reject policy
means that anyone who mailed this list would be blocked by some
receiving mailservers (163.com didn't recognise the list last time I
checked), and you would receive false-positive reports.

Receivers may start to think DMARC verification has too many false
positives and relax the weight they give to a DMARC failure.  Then it
erodes the effectiveness of DMARC at filtering out phishing mails from
facebook.com and for other big brands.

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org
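As an added example (not part of this thread or of any DMARC implementation), here is a toy Python model of the From-based alignment check and the three-tier scoring sketched above; the `accept_forwarded` flag and `trusted_forwarders` set are hypothetical stand-ins for the 'accept forwarded' policy proposed in the post, and the domains used are constructed.

```python
# Added illustration, not code from the list thread: a simplified DMARC
# alignment check extended with the three-tier scoring from the post.
# 'accept_forwarded' models the hypothetical policy; it is not a real
# DMARC tag. Scores (-1, 0, +5) are the numbers given in the post.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def org_domain(domain: str) -> str:
    """Relaxed alignment: compare organizational domains (toy: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class Message:
    from_domain: str                                   # RFC5322.From domain, what users see
    dkim_domains: List[str] = field(default_factory=list)  # d= of signatures that verified
    spf_domain: Optional[str] = None                   # RFC5321.MailFrom domain if SPF passed


def dmarc_aligned(msg: Message) -> bool:
    """Standard DMARC: pass if an authenticated identifier aligns with From."""
    target = org_domain(msg.from_domain)
    if any(org_domain(d) == target for d in msg.dkim_domains):
        return True
    return msg.spf_domain is not None and org_domain(msg.spf_domain) == target


def score(msg: Message, policy: str, accept_forwarded: bool = False,
          trusted_forwarders: frozenset = frozenset()) -> Tuple[str, int]:
    """Return (outcome, spam score) following the three tiers in the post."""
    if policy == "none":
        # p=none leaves the receiver no 'fail' category at all
        return ("neutral", 0)
    if dmarc_aligned(msg):
        return ("full pass", -1)
    if accept_forwarded and any(org_domain(d) in trusted_forwarders
                                for d in msg.dkim_domains):
        # Hypothetical: a valid DKIM signature from a known forwarder
        # earns neutral acceptance instead of a fail.
        return ("neutral", 0)
    return ("fail", 5)
```

The second constructed case below shows why a list post breaks under p=reject: the list's own signature and SPF domain do not align with the author's From domain.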