[dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

Larry Finch finches at portadmiral.org
Sat Jun 7 13:42:07 PDT 2014


On Jun 7, 2014, at 4:14 PM, Shal Farley <shal at roadrunner.com> wrote:

> Larry,
> 
>> Except, as I and others have discovered in the past few days, DMARC does 
>> NOT make email "so much more secure,” as phishers and spammers have 
>> already found workarounds to continue their assault.
> 
> It can't by itself, no. It needs to be used together with some means to knock out the look-alike domains. Such as an address-book filter, or a reputation-based filter. But that puts us back into the arguments about the value of anything that relies on user behavior, including the need to patrol a Spam folder for the inevitable false-positives.
> 
>> So all DMARC has accomplished is to inconvenience large, distributed 
>> communities of legitimate mail forwarders such as mailing lists ...
> 
> And the email users that rely on them.
> 
>> ... with no long term benefit.
> 
> I'm not so pessimistic as to think that there will be no long term benefit. I just can't imagine any way to effectively obtain that benefit without involving the receiving MUA and its users.
> 

I agree with that. But I’ve been around this for almost 20 years, and there have been many schemes to stop spam and phishing, from blocking open relays, SPF, DKIM, hundreds of RBLs and DBLs, and now DMARC. But no matter what defense gets erected the miscreants find ways around it. And each one takes a toll on legitimate users. This is essentially an arms race, and the bad guys are winning.  What is really needed is more savvy end users. It has been jokingly suggested that perhaps you should need a user’s license and have to pass tests before being allowed to use the Internet. Obviously not practical, but anything else is unlikely to work.

DMARC really sounded good when it was first defined and spec’d. And it DOES prevent spoofing a Yahoo or AOL address, but does nothing to prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank of America, etc) as my inbox has proven over the past few days. 

best regards,
Larry

--
Larry Finch
finches at portadmiral.org






More information about the dmarc-discuss mailing list