On Tuesday, February 16, 2016 06:17:27 AM Roland Turner via dmarc-discuss
wrote:
> Scott Kitterman wrote:
> > To
> > the extent ARC is useful to mitigate the DMARC mailing list issue, it's
> > only useful with additional data inputs that are not public and are not
> > feasible for small providers
Franck Martin wrote:
> As I said earlier Spamhaus and SURBL have the data. The question is not
> which domains to trust, but which domains not to trust.
They may or may not. (Analysing Received: headers to learn about forwarding
behaviour is not an obviously important input for those
On Tuesday, February 16, 2016 06:02:31 AM Roland Turner via dmarc-discuss
wrote:
> Scott Kitterman wrote:
> >> Roland Turner wrote:
> >>
> >> This is just a diffusion process, not an exclusion of smaller players.
> >> Indeed, it would almost appear that you'd be happier if the big guys had
> >>
Scott Kitterman wrote:
> To
> the extent ARC is useful to mitigate the DMARC mailing list issue, it's only
> useful with additional data inputs that are not public and are not feasible
> for small providers to generate on their own.
I meant to ask earlier: would you level the same criticism at
The problem with the e-mail community, is few people drives all of us
away from mailing lists.
On Mon, Feb 15, 2016 at 3:47 PM, John R Levine wrote:
>> As I said earlier Spamhaus and SURBL have the data. The question is not
>> which domains to trust, but which domains not to
As I said earlier Spamhaus and SURBL have the data. The question is not
which domains to trust, but which domains not to trust.
On Mon, Feb 15, 2016 at 3:35 PM, John Levine wrote:
>>ARC purpose is to say when DMARC fail and the email should be rejected that
>>it is ok to let it
>ARC purpose is to say when DMARC fail and the email should be rejected that
>it is ok to let it through. As such there is no scale problem and anyone
>can do it.
ARC provides no protection against replay attacks, in particular,
against taking a set of ARC headers from a benign message and
Spamhaus and SURBL both publish a domain blocking list, this is enough to
use to block emails that went through bad domains (as per ARC custody chain)
Of course, this has to be built into the MTA, but it is all open source, it
is not out of reach, just volunteers and work...
On Mon, Feb 15, 2016
The difference in this case is one, maintaining a Wordpress site, requires a
lot of vigilance, but no information/data that's not publicly available. To
the extent ARC is useful to mitigate the DMARC mailing list issue, it's only
useful with additional data inputs that are not public and are
Scott, I don't really see any difference in the class of problem. You could
choose to outsource email to Google Apps or Microsoft Office 365 if you
don't want to figure this stuff out yourself. Many do, from SMB to
enterprise level, even though email is core to just about every company's
ARC purpose is to say when DMARC fail and the email should be rejected that
it is ok to let it through. As such there is no scale problem and anyone
can do it.
If email is your core business, then complaining you have to do some work,
will not give any sympathy.
On Mon, Feb 15, 2016 at 11:17 AM,
That's a totally different class of problem. Any competent sysadmin with some
time can maintain a CMS based web site (e.g. Wordpress). The fact that so
many are not competently managed is a function of capability and willingness
to do a little work, not a function of inadequate scale.
Also,
Yes it is a "you have to be this tall to ride with us". For instance, many
Wordpress sites are on URL blocking lists, because the managers cannot keep
up with basic security updates. So if you want to host a website, you have to
be that tall to ride with us (or find a hosting company, that will give
On Monday, February 15, 2016 07:27:21 AM Roland Turner via dmarc-discuss
wrote:
> Scott Kitterman wrote:
> > It would be nice if we didn't design standards that only worked at a
> > certain scale. "You must be this tall to ride" worries me.
>
> There's nothing about ARC that is scale-specific,
Hello, list.
Starting March 1, 2016 Mail.Ru begins to implement restrictive DMARC
policy for public mailbox domains with my.com being the first domain to
publish p=reject policy. Please make sure to update configuration if you
need special handling for DMARC-restrictive domains.
In future,
John Levine wrote:
> DMARC does an OK job when crooks use the exact domain name, which they
> still do a lot, but we still don't have a clue about what to do when
> they don't, other than trying to filter it because it looks evil, not
> because it sorta kinda looks like a domain name in someone