On Aug 24, 2014, at 4:05 PM, Matt Simerson via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
> On Aug 24, 2014, at 5:18 AM, Nicolás via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
>
>> Hi!
>>
>> I'm new to DMARC, I configured it just a bunch of days ago, and even though I
>> think it's a great idea, I'm worried about its limitations over mailing
>> lists. I've read the FAQ about this, and I'm not quite clear about what I can
>> do to avoid DMARC checks failing.
>
> On lists you don't manage, there is little you can do besides pester the list
> operator and ask them to make their list DMARC compatible. But:
>
> 1. list operators tend to be change resistant
> 2. there are now patches available for most list software to make them
>    DMARC compatible
> 3. For unmaintained MLMs, like ezmlm, turning off options like subject
>    prefix and trailers suffices.
> 4. ezmlm-idx does have patches
> 5. Some of the MLM patches don't rewrite the sender *unless* they detect a
>    p=reject policy
> 6. see #1
>
> I'm not going to rehash material from the FAQ, but thinking about it from the
> list operator's perspective, why should *they* have to change *their* list so
> that your silly little anti-phishing security thingy works? (I don't
> subscribe to that school of thought, but that's frequently the attitude)

This is a vast oversimplification. Yes, it is possible to change the way list servers work to pass DMARC. However, doing so creates problems with lists that are set for replies to go to the list, and also makes it harder to identify who the actual sender is. And the requirement that we not add a footer violates the law that says that lists must include opt-out instructions in a footer.

But the bigger problem is that it is costly. We run 17 lists on L-Soft’s listserv. We use an out-of-date version that meets our needs. To update to the version that supports DMARC compatibility would cost us about $6,000. We contacted L-Soft, and were told that they would give us a special deal, and only charge us $3,000 if we were willing to bypass maintenance support.

Our annual budget to run our Linux virtual server is $275. Our lists are supported by voluntary contributions and managed by volunteer administrators. So our solution is to ban Yahoo and AOL addresses from posting to a list.

And the argument that it eliminates phishing is just wrong. I get just as many phishing emails as I did before AOL and Yahoo instituted DMARC p=reject, from forged AOL and Yahoo addresses (at least to the average user; I, of course, can identify them). There was a brief period of a couple of weeks where the quantity fell off, but it came back strong after AOL was hacked and an unknown number of accounts and their contact lists were compromised. And it continues to this day. AOL and Yahoo are trying to use DMARC to cover up their own insecure domains.

DMARC has a place: banks and other financial institutions. But not public ISPs. Even Google agrees; they will still forward messages from AOL and Yahoo from lists that don’t implement DMARC workarounds (and that’s all they are; workarounds, not solutions). Google initially flags them as spam, but if users mark them not spam Google forwards them normally.

I know this is a rehash, but a lot of people haven’t seen it all that recently.

best regards,
Larry
--
Larry Finch finc...@portadmiral.org
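The "rewrite the sender only when a p=reject policy is detected" behaviour that Matt's point 5 describes, as an added example that is not code from the thread or from any list manager mentioned in it. It parses a DMARC TXT record, does the simplified policy discovery from RFC 7489 (exact domain first, then the organizational domain's sp= tag, falling back to p=), and rewrites From: on a list post only when the author's domain enforces reject or quarantine. The DMARC records are a constructed in-memory table standing in for DNS lookups of `_dmarc.<domain>`, the domain names are hypothetical, and the organizational-domain step assumes a two-label org domain rather than consulting the Public Suffix List. The Reply-To handling also shows the trade-off Larry raises: a list that already sets Reply-To to the list keeps it, and the author's address then survives only in X-Original-From.

```python
"""Conditional From: rewriting for a mailing list manager, keyed on the poster's DMARC policy."""
import email.utils
from email.message import EmailMessage

# Constructed sample TXT records standing in for DNS lookups of _dmarc.<domain>.
# A real MLM would query a resolver; these domains and records are hypothetical.
SAMPLE_DMARC_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:rua@reject.example",
    "none.example": "v=DMARC1; p=none",
    "orgsp.example": "v=DMARC1; p=none; sp=reject",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; None if it is not a valid DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(domain):
    """Simplification: treat the last two labels as the organizational domain.
    Real DMARC policy discovery uses the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(domain, records=SAMPLE_DMARC_RECORDS):
    """RFC 7489 policy discovery, simplified: the exact domain's p= wins; otherwise
    the organizational domain's sp= (or its p= when sp= is absent); otherwise none."""
    domain = domain.lower()
    record = records.get(domain)
    if record is not None:
        tags = parse_dmarc(record)
        if tags:
            return tags["p"].lower()
    org = organizational_domain(domain)
    if org != domain:
        record = records.get(org)
        if record is not None:
            tags = parse_dmarc(record)
            if tags:
                return tags.get("sp", tags["p"]).lower()
    return "none"


def rewrite_for_list(msg, list_addr, records=SAMPLE_DMARC_RECORDS):
    """Rewrite From: only when the author's domain enforces reject/quarantine.
    Returns (msg, rewritten). The original From: is preserved in X-Original-From."""
    name, addr = email.utils.parseaddr(msg["From"])
    author_domain = addr.rpartition("@")[2]
    policy = effective_policy(author_domain, records)
    if policy not in ("reject", "quarantine"):
        return msg, False  # p=none: leave the message alone, DMARC will not bounce it
    display = name or addr
    list_name = list_addr.split("@")[0]
    msg["X-Original-From"] = msg["From"]
    del msg["From"]  # EmailMessage allows one From:, so remove before replacing
    msg["From"] = email.utils.formataddr((f"{display} via {list_name}", list_addr))
    # Only add Reply-To when the list has not already claimed it (reply-to-list
    # configurations keep theirs, which is exactly where the author gets hidden).
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr
    return msg, True


def build_post(from_header, reply_to=None):
    """Constructed sample list post for demonstration."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "talk@lists.example"
    msg["Subject"] = "Test post"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("hello list")
    return msg


if __name__ == "__main__":
    for author in ("Alice <alice@reject.example>", "Bob <bob@none.example>"):
        out, changed = rewrite_for_list(build_post(author), "talk@lists.example")
        print(changed, out["From"], out["Reply-To"])
```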
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)