Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
On Tuesday, February 16, 2016 06:17:27 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > > To > > the extent ARC is useful to mitigate the DMARC mailing list issue, it's > > only useful with additional data inputs that are not public and are not > > feasible for small providers to generate on their own. > > I meant to ask earlier: would you level the same criticism at SMTP, given > that running a useful mail-receiving-server without a solid DNSBL is now > more-or-less infeasible? Does the fact that Spamhaus is already available > free of charge to all of the small guys change this analysis? The fact that there are high quality services available free/reasonable for a little guy to pay does alter my perspective. At the time DNSBLs were becoming popular/necessary there wasn't the same level of concentration in the market and even going back to open relay lists there's ~always been something anyone on a modest budget could use. > Perhaps the fact that SMTP was developed at a time that abuse was not > widespread gives it a free pass on this front? Presumably you don't argue > that, *because* we're already in a high-abuse environment we should > therefore cease collaboration on any class of solution which happens to > require more data than is either: (a) feasible for small guys to process > usefully, or > (b) available to small guys at all? SMTP has always been, with a little study, been something any competent admin could do. It takes a lot more study and more resources than a decade or two ago, but we haven't, in my opinion, crossed a tipping point where that's not longer possible. So SMTP gets a pass because it's ~always been accessible (I know in the dim reaches of history that wasn't quite always so). I think solutions feasible for one segment of the market (large, small, purple, blue, don't care) are fine to collaborate on as long as people are clear it's a partial solution. > Would the public availability from a trustworthy source of data that makes > it possible to use ARC to decide when to override DMARC policies[1] change > your position? > > - Roland > > 1: I *don't* believe that this would take the form of a whitelist. It's more > like the ability to recognise changes in baseline behaviour by forwarders > who may or may not be ARC signing. I suspect that John Levine's concerns > about whitelists have some strength. It would as that data is the barrier to entry I'm worried about. I think it's actually two lists: 1. Domains good enough you ought to trust to believe what they say in ARC. 2. Domains bad enough you ought to reject their mail if they show up in ARC. I do wonder though if I have the data to toss the message why they didn't in the first place (and if they didn't why I should trust them). So generically, yes, but I'm not certain what the characteristics of such a data source would be. Scott K ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
Franck Martin wrote: > As I said earlier spamhaus and surbl has the data. The question is not > which domains to trust, but which domains not to trust. They may or may not. (Analysing Received: headers to learn about forwarding behaviour is not an obviously important input for those organisations at present and, consequently, is something that they're probably not doing much of.) I'd suggest that the important question is whether they're likely to be willing to publish data to support ARC-enabled DMARC decision-making once (a) good ways of doing so are known and (b) fast-moving pieces that are worth delivering this way have been identified. I'd guess "yes", but we're not yet at the point where we know that either of those assumptions is true. - Roland ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
On Tuesday, February 16, 2016 06:02:31 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > >> Roland Turner wrote: > >> > >> This is just a diffusion process, not an exclusion of smaller players. > >> Indeed, it would almost appear that you'd be happier if the big guys had > >> excluded smaller players from this initiative... > > > > Until maybe someday the results of the analysis to use ARC are somehow > > available, they have. > > All diffusion looks like this. > > The "one size fits all" mentality gave us the lost decade. Recognising that > differently-situated practitioners need different things and developing a > range of tools/protocols/etc. to suit the range of needs (most of which > will be not useful for most practitioners) is not merely more effective, it > currently appears to be the only way forward. > > The use of an open standard (which I am in favor of and > > this is good), doesn't materially change that. If I can write code to > > implement a standard, but don't have the necessary inputs to use it, it's > > not particularly of use. > > "not particularly of use to Scott" != "not useful". > > This is of course a different question to the one about whether/how to > involve yourself, more below. > > Personally, I try to consider putting my time where either I'll benefit > > Eminently sensible, I do the same. > > > or I think the global Internet will benefit. > > Likewise, and so here's the challenge: the big guys hardening their part of > the environment against criminals doesn't merely improve life for the big > guys (e.g. by shifting criminals' focus elsewhere), they are so big that > they are materially altering the economics in a way that makes crime less > profitable and therefore less likely than it would otherwise be. This > directly benefits the global Internet in a way that a > batteries-included-but-less-impactful approach could not, even assuming > that such an approach exists (are you aware of one?). > > Do you really mean "or", or do you actually mean "and"? We are talking about > an initiative that, if successful, will materially benefit the global > Internet, even though you personally will not be able wield the resulting > tool for some time, or possibly even ever (unlikely, but possible). Do you > support it anyway? > > (A less charitable interpretation is that your concern is merely resentment > or envy of large organisations. Presumably this is not correct.) No. Not at all. I do mean 'or'. I quite routinely invest time in things to make the Internet work better that don't personally benefit me. Obviously the greater the personal and systemic benefit the greater my motivation, but I certainly have and do work on things that don't help me in any way proportionate to the time I invest in it. Along with the good things you (quite reasonably) describe, there will also be an increased tendency towards concentration of power in a few hands. Personally, I think that's a bad thing. Your previous message in this thread captured my concern very nicely. Thanks, Scott K ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
Scott Kitterman wrote: > To > the extent ARC is useful to mitigate the DMARC mailing list issue, it's only > useful with additional data inputs that are not public and are not feasible > for small providers to generate on their own. I meant to ask earlier: would you level the same criticism at SMTP, given that running a useful mail-receiving-server without a solid DNSBL is now more-or-less infeasible? Does the fact that Spamhaus is already available free of charge to all of the small guys change this analysis? Perhaps the fact that SMTP was developed at a time that abuse was not widespread gives it a free pass on this front? Presumably you don't argue that, *because* we're already in a high-abuse environment we should therefore cease collaboration on any class of solution which happens to require more data than is either: (a) feasible for small guys to process usefully, or (b) available to small guys at all? Would the public availability from a trustworthy source of data that makes it possible to use ARC to decide when to override DMARC policies[1] change your position? - Roland 1: I *don't* believe that this would take the form of a whitelist. It's more like the ability to recognise changes in baseline behaviour by forwarders who may or may not be ARC signing. I suspect that John Levine's concerns about whitelists have some strength. ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
The problem with the e-mail community, is few people drives all of us away from mailing lists. On Mon, Feb 15, 2016 at 3:47 PM, John R Levinewrote: >> As I said earlier spamhaus and surbl has the data. The question is not >> which domains to trust, but which domains not to trust. > > > No, really, they don't. Take it from someone who actually writes MTA > software, and probably knows more than most people about what's in the DBL. > > >>> ARC provides no protection against replay attacks, in particular, >>> against taking a set of ARC headers from a benign message and sticking >>> them on malware or spam. (This isn't saying it's misdesigned, just >>> that it does what it does.) >>> >>> That means that it only makes sense to evaluate ARC headers on mail >>> from hosts that you believe are generally trustworthy. Large mail >>> systems have enough mail flow that they usually already have a pretty >>> good idea who's trustworthy, small mail systems don't. >>> >>> I have a database that has logged every single connection to my MTA >>> since 2008, and which mail was treated how, but that's still nowhere >>> near enough to provide useful reputation info about sources other than >>> ones that are so so large that I can just whitelist them anyway. >>> Scott and I aren't saying the code's too hard to write, we can code >>> anything we want to. We don't have the data. ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
As I said earlier spamhaus and surbl has the data. The question is not which domains to trust, but which domains not to trust. On Mon, Feb 15, 2016 at 3:35 PM, John Levinewrote: >>ARC purpose is to say when DMARC fail and the email should be rejected that >>it is ok to let it through. As such there is no scale problem and anyone >>can do it. > > ARC provides no protection against replay attacks, in particular, > against taking a set of ARC headers from a benign message and sticking > them on malware or spam. (This isn't saying it's misdesigned, just > that it does what it does.) > > That means that it only makes sense to evaluate ARC headers on mail > from hosts that you believe are generally trustworthy. Large mail > systems have enough mail flow that they usually already have a pretty > good idea who's trustworthy, small mail systems don't. > > I have a database that has logged every single connection to my MTA > since 2008, and which mail was treated how, but that's still nowhere > near enough to provide useful reputation info about sources other than > ones that are so so large that I can just whitelist them anyway. > Scott and I aren't saying the code's too hard to write, we can code > anything we want to. We don't have the data. > > R's, > John ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
>ARC purpose is to say when DMARC fail and the email should be rejected that >it is ok to let it through. As such there is no scale problem and anyone >can do it. ARC provides no protection against replay attacks, in particular, against taking a set of ARC headers from a benign message and sticking them on malware or spam. (This isn't saying it's misdesigned, just that it does what it does.) That means that it only makes sense to evaluate ARC headers on mail from hosts that you believe are generally trustworthy. Large mail systems have enough mail flow that they usually already have a pretty good idea who's trustworthy, small mail systems don't. I have a database that has logged every single connection to my MTA since 2008, and which mail was treated how, but that's still nowhere near enough to provide useful reputation info about sources other than ones that are so so large that I can just whitelist them anyway. Scott and I aren't saying the code's too hard to write, we can code anything we want to. We don't have the data. R's, John ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
Spamhaus and SURBL both publish a domain blocking list, this is enough to use to block emails that went through bad domains (as per ARC custody chain) Of course, this has to be built into the MTA, but it is all opensource, it is not out of reach, just volunteers and work... On Mon, Feb 15, 2016 at 3:00 PM, Scott Kitterman via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > The difference in this case is one, maintaining a Wordpress site, requires > a > lot of vigilance, but no information/data that's not publicly available. > To > the extent ARC is useful to mitigate the DMARC mailing list issue, it's > only > useful with additional data inputs that are not public and are not feasible > for small providers to generate on their own. > > It's the difference between can, but often shouldn't and can't. > > I'll stop here though, the horse was probably dead a few mails ago. > > Scott K > > On Monday, February 15, 2016 02:11:57 PM Al Iverson via dmarc-discuss > wrote: > > Scott, I don't really see any difference in the class of problem. You > could > > choose to outsource email it to Google Apps or Microsoft Office 365 if > you > > don't want to figure this stuff out yourself. Many do, from SMB to > > enterprise level, even though email is core to just about every company's > > business. For some, that's very much the reason to job it out to a > company > > who focuses on email as an area of expertise. > > > > On the flip side, I disagree with regard to your take on running a blog. > > Anybody can do it, but many people outsource that as well. I personally > > host my blog with a third party service, because self-hosted Wordpress is > > one of the most hacked into things out there and I want no part of that > > noise, even though in theory I could handle it. I know I'm not the only > > one, and just about anything in this paragraph could similarly apply to > > email. > > > > Regards, > > Al Iverson > > > > > > -- > > Al Iverson - Minneapolis - (312) 275-0130 > > Simple DNS Tools since 2008: xnnd.com > > www.spamresource.com & aliverson.com > > > > On Mon, Feb 15, 2016 at 1:35 PM, Franck Martin via dmarc-discuss < > > > > dmarc-discuss@dmarc.org> wrote: > > > ARC purpose is to say when DMARC fail and the email should be rejected > > > that it is ok to let it through. As such there is no scale problem and > > > anyone can do it. > > > > > > If email is your core business, then complaining you have to do some > work, > > > will not give any sympathy. > > > > > > On Mon, Feb 15, 2016 at 11:17 AM, Scott Kitterman via dmarc-discuss < > > > > > > dmarc-discuss@dmarc.org> wrote: > > >> That's a totally different class of problem. Any competent sysadmin > with > > >> some > > >> time can maintain a CMS based web site (e.g. Wordpress). The fact > that > > >> so > > >> many are not competently managed is a function of capability and > > >> willingness > > >> to do a little work, not a function of inadequate scale. > > >> > > >> Also, following that example, I choose to blog on wordpress.com, > > >> specifically > > >> so I don't have to worry about such things, but the blog isn't a core > > >> business > > >> function, so that's fine. Email is more important, so I care more how > > >> and > > >> where it gets done. > > >> > > >> Scott K > > >> > > >> On Monday, February 15, 2016 10:56:57 AM Franck Martin via > dmarc-discuss > > >> > > >> wrote: > > >> > Yes it is a "you have to be this tall to ride with us". For > instance, > > >> > > >> many > > >> > > >> > Wordpress sites are on URL blocking lists, because the managers > cannot > > >> > > >> keep > > >> > > >> > with basic security updates. So if you want to host a website, you > have > > >> > > >> to > > >> > > >> > be that tall to ride with us (or find a hosting company, that will > give > > >> > > >> you > > >> > > >> > a child seat) > > >> > > > >> > The mail ecosystem is going this way too. The tools are opensource, > > >> > available to all, but you need to deploy them and maintain them. > > >> > > > >> > The spat of serious data breaches because of email, is making all > of us > > >> > very nervous that kids can create so much havoc so easily... > > >> > > > >> > On Sun, Feb 14, 2016 at 11:27 PM, Roland Turner via dmarc-discuss < > > >> > > > >> > dmarc-discuss@dmarc.org> wrote: > > >> > > Scott Kitterman wrote: > > >> > > > It would be nice if we didn't design standards that only worked > at > > >> > > > a > > >> > > > > >> > > certain > > >> > > > > >> > > > scale. "You must be this tall to ride" worries me. > > >> > > > > >> > > There's nothing about ARC that is scale-specific, except for the > > >> > > >> obvious > > >> > > >> > > observation that there's a batteries-not-included problem, so the > > >> > > >> analysis > > >> > > >> > > work required to make good use of it as a receiver is likely to be > > >> > > infeasible for smaller receivers meaning that: > > >> > > > > >> > > - initially only larger receivers will do it, and > > >> > > - if it
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
The difference in this case is one, maintaining a Wordpress site, requires a lot of vigilance, but no information/data that's not publicly available. To the extent ARC is useful to mitigate the DMARC mailing list issue, it's only useful with additional data inputs that are not public and are not feasible for small providers to generate on their own. It's the difference between can, but often shouldn't and can't. I'll stop here though, the horse was probably dead a few mails ago. Scott K On Monday, February 15, 2016 02:11:57 PM Al Iverson via dmarc-discuss wrote: > Scott, I don't really see any difference in the class of problem. You could > choose to outsource email it to Google Apps or Microsoft Office 365 if you > don't want to figure this stuff out yourself. Many do, from SMB to > enterprise level, even though email is core to just about every company's > business. For some, that's very much the reason to job it out to a company > who focuses on email as an area of expertise. > > On the flip side, I disagree with regard to your take on running a blog. > Anybody can do it, but many people outsource that as well. I personally > host my blog with a third party service, because self-hosted Wordpress is > one of the most hacked into things out there and I want no part of that > noise, even though in theory I could handle it. I know I'm not the only > one, and just about anything in this paragraph could similarly apply to > email. > > Regards, > Al Iverson > > > -- > Al Iverson - Minneapolis - (312) 275-0130 > Simple DNS Tools since 2008: xnnd.com > www.spamresource.com & aliverson.com > > On Mon, Feb 15, 2016 at 1:35 PM, Franck Martin via dmarc-discuss < > > dmarc-discuss@dmarc.org> wrote: > > ARC purpose is to say when DMARC fail and the email should be rejected > > that it is ok to let it through. As such there is no scale problem and > > anyone can do it. > > > > If email is your core business, then complaining you have to do some work, > > will not give any sympathy. > > > > On Mon, Feb 15, 2016 at 11:17 AM, Scott Kitterman via dmarc-discuss < > > > > dmarc-discuss@dmarc.org> wrote: > >> That's a totally different class of problem. Any competent sysadmin with > >> some > >> time can maintain a CMS based web site (e.g. Wordpress). The fact that > >> so > >> many are not competently managed is a function of capability and > >> willingness > >> to do a little work, not a function of inadequate scale. > >> > >> Also, following that example, I choose to blog on wordpress.com, > >> specifically > >> so I don't have to worry about such things, but the blog isn't a core > >> business > >> function, so that's fine. Email is more important, so I care more how > >> and > >> where it gets done. > >> > >> Scott K > >> > >> On Monday, February 15, 2016 10:56:57 AM Franck Martin via dmarc-discuss > >> > >> wrote: > >> > Yes it is a "you have to be this tall to ride with us". For instance, > >> > >> many > >> > >> > Wordpress sites are on URL blocking lists, because the managers cannot > >> > >> keep > >> > >> > with basic security updates. So if you want to host a website, you have > >> > >> to > >> > >> > be that tall to ride with us (or find a hosting company, that will give > >> > >> you > >> > >> > a child seat) > >> > > >> > The mail ecosystem is going this way too. The tools are opensource, > >> > available to all, but you need to deploy them and maintain them. > >> > > >> > The spat of serious data breaches because of email, is making all of us > >> > very nervous that kids can create so much havoc so easily... > >> > > >> > On Sun, Feb 14, 2016 at 11:27 PM, Roland Turner via dmarc-discuss < > >> > > >> > dmarc-discuss@dmarc.org> wrote: > >> > > Scott Kitterman wrote: > >> > > > It would be nice if we didn't design standards that only worked at > >> > > > a > >> > > > >> > > certain > >> > > > >> > > > scale. "You must be this tall to ride" worries me. > >> > > > >> > > There's nothing about ARC that is scale-specific, except for the > >> > >> obvious > >> > >> > > observation that there's a batteries-not-included problem, so the > >> > >> analysis > >> > >> > > work required to make good use of it as a receiver is likely to be > >> > > infeasible for smaller receivers meaning that: > >> > > > >> > > - initially only larger receivers will do it, and > >> > > - if it works then, over time, vendors/developers will embed > >> > >> slow-moving > >> > >> > > pieces in products and/or reputation data providers will add faster > >> > >> moving > >> > >> > > pieces to their services. > >> > > > >> > > This is just a diffusion process, not an exclusion of smaller > >> > > players. > >> > > Indeed, it would almost appear that you'd be happier if the big guys > >> > >> had > >> > >> > > excluded smaller players from this initiative... > >> > > > >> > > I'd also point out that we spent most of a decade (2003 - 2011) > >> > >> wandering > >> > >> > > in a
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
Scott, I don't really see any difference in the class of problem. You could choose to outsource email it to Google Apps or Microsoft Office 365 if you don't want to figure this stuff out yourself. Many do, from SMB to enterprise level, even though email is core to just about every company's business. For some, that's very much the reason to job it out to a company who focuses on email as an area of expertise. On the flip side, I disagree with regard to your take on running a blog. Anybody can do it, but many people outsource that as well. I personally host my blog with a third party service, because self-hosted Wordpress is one of the most hacked into things out there and I want no part of that noise, even though in theory I could handle it. I know I'm not the only one, and just about anything in this paragraph could similarly apply to email. Regards, Al Iverson -- Al Iverson - Minneapolis - (312) 275-0130 Simple DNS Tools since 2008: xnnd.com www.spamresource.com & aliverson.com On Mon, Feb 15, 2016 at 1:35 PM, Franck Martin via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > ARC purpose is to say when DMARC fail and the email should be rejected > that it is ok to let it through. As such there is no scale problem and > anyone can do it. > > If email is your core business, then complaining you have to do some work, > will not give any sympathy. > > On Mon, Feb 15, 2016 at 11:17 AM, Scott Kitterman via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > >> That's a totally different class of problem. Any competent sysadmin with >> some >> time can maintain a CMS based web site (e.g. Wordpress). The fact that so >> many are not competently managed is a function of capability and >> willingness >> to do a little work, not a function of inadequate scale. >> >> Also, following that example, I choose to blog on wordpress.com, >> specifically >> so I don't have to worry about such things, but the blog isn't a core >> business >> function, so that's fine. Email is more important, so I care more how and >> where it gets done. >> >> Scott K >> >> On Monday, February 15, 2016 10:56:57 AM Franck Martin via dmarc-discuss >> wrote: >> > Yes it is a "you have to be this tall to ride with us". For instance, >> many >> > Wordpress sites are on URL blocking lists, because the managers cannot >> keep >> > with basic security updates. So if you want to host a website, you have >> to >> > be that tall to ride with us (or find a hosting company, that will give >> you >> > a child seat) >> > >> > The mail ecosystem is going this way too. The tools are opensource, >> > available to all, but you need to deploy them and maintain them. >> > >> > The spat of serious data breaches because of email, is making all of us >> > very nervous that kids can create so much havoc so easily... >> > >> > On Sun, Feb 14, 2016 at 11:27 PM, Roland Turner via dmarc-discuss < >> > >> > dmarc-discuss@dmarc.org> wrote: >> > > Scott Kitterman wrote: >> > > > It would be nice if we didn't design standards that only worked at a >> > > >> > > certain >> > > >> > > > scale. "You must be this tall to ride" worries me. >> > > >> > > There's nothing about ARC that is scale-specific, except for the >> obvious >> > > observation that there's a batteries-not-included problem, so the >> analysis >> > > work required to make good use of it as a receiver is likely to be >> > > infeasible for smaller receivers meaning that: >> > > >> > > - initially only larger receivers will do it, and >> > > - if it works then, over time, vendors/developers will embed >> slow-moving >> > > pieces in products and/or reputation data providers will add faster >> moving >> > > pieces to their services. >> > > >> > > This is just a diffusion process, not an exclusion of smaller players. >> > > Indeed, it would almost appear that you'd be happier if the big guys >> had >> > > excluded smaller players from this initiative... >> > > >> > > I'd also point out that we spent most of a decade (2003 - 2011) >> wandering >> > > in a highly-inclusive -all/o=-/discardable wilderness. It took the >> world's >> > > most-heavily-phished organisation working directly with one of the big >> > > guys >> > > in private to get any purchase on the problem, and their subsequent >> > > sharing >> > > of it (DMARC) to bring about progress more broadly. It would appear >> that >> > > ARC is on a similar path to improving the situation for largest >> unresolved >> > > piece of the problem (supporting forwarding). This does suggest a >> general >> > > difficulty in using a consensus-driven process to devise solutions, >> rather >> > > than merely refine/standardise/evolve them, however this does not seem >> > > like >> > > a reason for concern, it may simply indicate that we've gotten as far >> as >> > > we >> > > can get at present with such processes. The important test when >> deciding >> > > whether to cooperate would appear to be whether the particular >> solution >> > > unduly benefits the big
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
ARC purpose is to say when DMARC fail and the email should be rejected that it is ok to let it through. As such there is no scale problem and anyone can do it. If email is your core business, then complaining you have to do some work, will not give any sympathy. On Mon, Feb 15, 2016 at 11:17 AM, Scott Kitterman via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > That's a totally different class of problem. Any competent sysadmin with > some > time can maintain a CMS based web site (e.g. Wordpress). The fact that so > many are not competently managed is a function of capability and > willingness > to do a little work, not a function of inadequate scale. > > Also, following that example, I choose to blog on wordpress.com, > specifically > so I don't have to worry about such things, but the blog isn't a core > business > function, so that's fine. Email is more important, so I care more how and > where it gets done. > > Scott K > > On Monday, February 15, 2016 10:56:57 AM Franck Martin via dmarc-discuss > wrote: > > Yes it is a "you have to be this tall to ride with us". For instance, > many > > Wordpress sites are on URL blocking lists, because the managers cannot > keep > > with basic security updates. So if you want to host a website, you have > to > > be that tall to ride with us (or find a hosting company, that will give > you > > a child seat) > > > > The mail ecosystem is going this way too. The tools are opensource, > > available to all, but you need to deploy them and maintain them. > > > > The spat of serious data breaches because of email, is making all of us > > very nervous that kids can create so much havoc so easily... > > > > On Sun, Feb 14, 2016 at 11:27 PM, Roland Turner via dmarc-discuss < > > > > dmarc-discuss@dmarc.org> wrote: > > > Scott Kitterman wrote: > > > > It would be nice if we didn't design standards that only worked at a > > > > > > certain > > > > > > > scale. "You must be this tall to ride" worries me. > > > > > > There's nothing about ARC that is scale-specific, except for the > obvious > > > observation that there's a batteries-not-included problem, so the > analysis > > > work required to make good use of it as a receiver is likely to be > > > infeasible for smaller receivers meaning that: > > > > > > - initially only larger receivers will do it, and > > > - if it works then, over time, vendors/developers will embed > slow-moving > > > pieces in products and/or reputation data providers will add faster > moving > > > pieces to their services. > > > > > > This is just a diffusion process, not an exclusion of smaller players. > > > Indeed, it would almost appear that you'd be happier if the big guys > had > > > excluded smaller players from this initiative... > > > > > > I'd also point out that we spent most of a decade (2003 - 2011) > wandering > > > in a highly-inclusive -all/o=-/discardable wilderness. It took the > world's > > > most-heavily-phished organisation working directly with one of the big > > > guys > > > in private to get any purchase on the problem, and their subsequent > > > sharing > > > of it (DMARC) to bring about progress more broadly. It would appear > that > > > ARC is on a similar path to improving the situation for largest > unresolved > > > piece of the problem (supporting forwarding). This does suggest a > general > > > difficulty in using a consensus-driven process to devise solutions, > rather > > > than merely refine/standardise/evolve them, however this does not seem > > > like > > > a reason for concern, it may simply indicate that we've gotten as far > as > > > we > > > can get at present with such processes. The important test when > deciding > > > whether to cooperate would appear to be whether the particular solution > > > unduly benefits the big guys compared to other viable solutions that > are > > > already known about. ! > > > > > > If there are none, then cooperating on ARC would appear to be a > > > > > > no-brainer. > > > > > > > Solving the mailing list 'problem' in a way that requires me to > switch > > > > to > > > > gmail (or some other large scale provider) to get my list mail > delivered > > > > > > is > > > > > > > worse than no solution at all for me. > > > > > > Obviously. This is not being proposed, see the comments about about > > > vendors/developers and reputation data providers. > > > > > > - Roland > > > ___ > > > dmarc-discuss mailing list > > > dmarc-discuss@dmarc.org > > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > > > terms (http://www.dmarc.org/note_well.html) > > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) >
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
That's a totally different class of problem. Any competent sysadmin with some time can maintain a CMS based web site (e.g. Wordpress). The fact that so many are not competently managed is a function of capability and willingness to do a little work, not a function of inadequate scale. Also, following that example, I choose to blog on wordpress.com, specifically so I don't have to worry about such things, but the blog isn't a core business function, so that's fine. Email is more important, so I care more how and where it gets done. Scott K On Monday, February 15, 2016 10:56:57 AM Franck Martin via dmarc-discuss wrote: > Yes it is a "you have to be this tall to ride with us". For instance, many > Wordpress sites are on URL blocking lists, because the managers cannot keep > with basic security updates. So if you want to host a website, you have to > be that tall to ride with us (or find a hosting company, that will give you > a child seat) > > The mail ecosystem is going this way too. The tools are opensource, > available to all, but you need to deploy them and maintain them. > > The spat of serious data breaches because of email, is making all of us > very nervous that kids can create so much havoc so easily... > > On Sun, Feb 14, 2016 at 11:27 PM, Roland Turner via dmarc-discuss < > > dmarc-discuss@dmarc.org> wrote: > > Scott Kitterman wrote: > > > It would be nice if we didn't design standards that only worked at a > > > > certain > > > > > scale. "You must be this tall to ride" worries me. > > > > There's nothing about ARC that is scale-specific, except for the obvious > > observation that there's a batteries-not-included problem, so the analysis > > work required to make good use of it as a receiver is likely to be > > infeasible for smaller receivers meaning that: > > > > - initially only larger receivers will do it, and > > - if it works then, over time, vendors/developers will embed slow-moving > > pieces in products and/or reputation data providers will add faster moving > > pieces to their services. > > > > This is just a diffusion process, not an exclusion of smaller players. > > Indeed, it would almost appear that you'd be happier if the big guys had > > excluded smaller players from this initiative... > > > > I'd also point out that we spent most of a decade (2003 - 2011) wandering > > in a highly-inclusive -all/o=-/discardable wilderness. It took the world's > > most-heavily-phished organisation working directly with one of the big > > guys > > in private to get any purchase on the problem, and their subsequent > > sharing > > of it (DMARC) to bring about progress more broadly. It would appear that > > ARC is on a similar path to improving the situation for largest unresolved > > piece of the problem (supporting forwarding). This does suggest a general > > difficulty in using a consensus-driven process to devise solutions, rather > > than merely refine/standardise/evolve them, however this does not seem > > like > > a reason for concern, it may simply indicate that we've gotten as far as > > we > > can get at present with such processes. The important test when deciding > > whether to cooperate would appear to be whether the particular solution > > unduly benefits the big guys compared to other viable solutions that are > > already known about. ! > > > > If there are none, then cooperating on ARC would appear to be a > > > > no-brainer. > > > > > Solving the mailing list 'problem' in a way that requires me to switch > > > to > > > gmail (or some other large scale provider) to get my list mail delivered > > > > is > > > > > worse than no solution at all for me. > > > > Obviously. This is not being proposed, see the comments about about > > vendors/developers and reputation data providers. > > > > - Roland > > ___ > > dmarc-discuss mailing list > > dmarc-discuss@dmarc.org > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > > terms (http://www.dmarc.org/note_well.html) ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
Yes it is a "you have to be this tall to ride with us". For instance, many Wordpress sites are on URL blocking lists, because the managers cannot keep with basic security updates. So if you want to host a website, you have to be that tall to ride with us (or find a hosting company, that will give you a child seat) The mail ecosystem is going this way too. The tools are opensource, available to all, but you need to deploy them and maintain them. The spat of serious data breaches because of email, is making all of us very nervous that kids can create so much havoc so easily... On Sun, Feb 14, 2016 at 11:27 PM, Roland Turner via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > Scott Kitterman wrote: > > > It would be nice if we didn't design standards that only worked at a > certain > > scale. "You must be this tall to ride" worries me. > > There's nothing about ARC that is scale-specific, except for the obvious > observation that there's a batteries-not-included problem, so the analysis > work required to make good use of it as a receiver is likely to be > infeasible for smaller receivers meaning that: > > - initially only larger receivers will do it, and > - if it works then, over time, vendors/developers will embed slow-moving > pieces in products and/or reputation data providers will add faster moving > pieces to their services. > > This is just a diffusion process, not an exclusion of smaller players. > Indeed, it would almost appear that you'd be happier if the big guys had > excluded smaller players from this initiative... > > I'd also point out that we spent most of a decade (2003 - 2011) wandering > in a highly-inclusive -all/o=-/discardable wilderness. It took the world's > most-heavily-phished organisation working directly with one of the big guys > in private to get any purchase on the problem, and their subsequent sharing > of it (DMARC) to bring about progress more broadly. It would appear that > ARC is on a similar path to improving the situation for largest unresolved > piece of the problem (supporting forwarding). This does suggest a general > difficulty in using a consensus-driven process to devise solutions, rather > than merely refine/standardise/evolve them, however this does not seem like > a reason for concern, it may simply indicate that we've gotten as far as we > can get at present with such processes. The important test when deciding > whether to cooperate would appear to be whether the particular solution > unduly benefits the big guys compared to other viable solutions that are > already known about. ! > If there are none, then cooperating on ARC would appear to be a > no-brainer. > > > Solving the mailing list 'problem' in a way that requires me to switch to > > gmail (or some other large scale provider) to get my list mail delivered > is > > worse than no solution at all for me. > > Obviously. This is not being proposed, see the comments about about > vendors/developers and reputation data providers. > > - Roland > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
On Monday, February 15, 2016 07:27:21 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > > It would be nice if we didn't design standards that only worked at a > > certain scale. "You must be this tall to ride" worries me. > > There's nothing about ARC that is scale-specific, except for the obvious > observation that there's a batteries-not-included problem, so the analysis > work required to make good use of it as a receiver is likely to be > infeasible for smaller receivers meaning that: Yes. Exactly it. > - initially only larger receivers will do it, and > - if it works then, over time, vendors/developers will embed slow-moving > pieces in products and/or reputation data providers will add faster moving > pieces to their services. > > This is just a diffusion process, not an exclusion of smaller players. > Indeed, it would almost appear that you'd be happier if the big guys had > excluded smaller players from this initiative... Until maybe someday the results of the analysis to use ARC are somehow available, they have. The use of an open standard (which I am in favor of and this is good), doesn't materially change that. If I can write code to implement a standard, but don't have the necessary inputs to use it, it's not particularly of use. > I'd also point out that we spent most of a decade (2003 - 2011) wandering in > a highly-inclusive -all/o=-/discardable wilderness. It took the world's > most-heavily-phished organisation working directly with one of the big guys > in private to get any purchase on the problem, and their subsequent sharing > of it (DMARC) to bring about progress more broadly. It would appear that > ARC is on a similar path to improving the situation for largest unresolved > piece of the problem (supporting forwarding). This does suggest a general > difficulty in using a consensus-driven process to devise solutions, rather > than merely refine/standardise/evolve them, however this does not seem like > a reason for concern, it may simply indicate that we've gotten as far as we > can get at present with such processes. The important test when deciding > whether to cooperate would appear to be whether the particular solution > unduly benefits the big guys compared to other viable solutions that are > already known about. ! If there are none, then cooperating on ARC would > appear to be a no-brainer. Personally, I try to consider putting my time where either I'll benefit or I think the global Internet will benefit. > > Solving the mailing list 'problem' in a way that requires me to switch to > > gmail (or some other large scale provider) to get my list mail delivered > > is worse than no solution at all for me. > > Obviously. This is not being proposed, see the comments about about > vendors/developers and reputation data providers. It's not being proposed, but I expect it'll be the effect. Scott K ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] reject DMARC policy for my.com domain starting March, 1 2016
Hello, list. Starting March, 1 2016 Mail.Ru begins to implement restrictive DMARC policy for public mailbox domains with my.com being the first domain to publish p=reject policy. Please make sure to update configuration if you need special handling for DMARC-restrictive domains. In future, policy will be updated for other Mail.Ru public mailbox domains, including mail.ua, bk.ru, inbox.ru, list.ru and finally mail.ru. -- Vladimir Dubrovin Head of QA Service @Mail.Ru ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] what MUAs show, was introduction to the list-virtual
John Levine wrote: > DMARC does an OK job when crooks use the exact domain name, which they > stilll do a lot, but we still don't have a clue about what to do when > they don't, other than trying to filter it because it looks evil, not > because it sorta kinda looks like a domain name in someone else's > DMARC record. +1, not the FUSPP. - Roland ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)