[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

Franck Martin fmartin at linkedin.com
Sat Jun 7 15:06:09 PDT 2014


On Jun 7, 2014, at 10:42 PM, Larry Finch via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

> 
> On Jun 7, 2014, at 4:14 PM, Shal Farley <shal at roadrunner.com> wrote:
> 
>> Larry,
>> 
>>> Except, as I and others have discovered in the past few days, DMARC does 
>>> NOT make email "so much more secure," as phishers and spammers have 
>>> already found workarounds to continue their assault.
>> 
>> It can't by itself, no. It needs to be used together with some means to knock out the look-alike domains. Such as an address-book filter, or a reputation-based filter. But that puts us back into the arguments about the value of anything that relies on user behavior, including the need to patrol a Spam folder for the inevitable false-positives.
>> 
>>> So all DMARC has accomplished is to inconvenience large, distributed 
>>> communities of legitimate mail forwarders such as mailing lists ...
>> 
>> And the email users that rely on them.
>> 
>>> ... with no long term benefit.
>> 
>> I'm not so pessimistic as to think that there will be no long term benefit. I just can't imagine any way to effectively obtain that benefit without involving the receiving MUA and its users.
>> 
> 
> I agree with that. But I’ve been around this for almost 20 years, and there have been many schemes to stop spam and phishing, from blocking open relays, SPF, DKIM, hundreds of RBLs and DBLs, and now DMARC. But no matter what defense gets erected the miscreants find ways around it. And each one takes a toll on legitimate users. This is essentially an arms race, and the bad guys are winning.  What is really needed is more savvy end users. It has been jokingly suggested that perhaps you should need a user’s license and have to pass tests before being allowed to use the Internet. Obviously not practical, but anything else is unlikely to work.
> 
Maybe postmasters should have a license, which would require them to set up SPF, DKIM, DMARC, rDNS, and other things correctly… wait….
