On Aug 24, 2014, at 3:07 PM, Larry Finch via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
>
> On Aug 24, 2014, at 4:05 PM, Matt Simerson via dmarc-discuss
> <dmarc-discuss@dmarc.org> wrote:
>
>>
>> On Aug 24, 2014, at 5:18 AM, Nicolás via dmarc-discuss
>> <dmarc-discuss@dmarc.org> wrote:
>>
>>> Hi!
>>>
>>> I'm new to DMARC, I configured it just a bunch of days ago, and even that I
>>> think it's a great idea, I'm worried about its limitations over mailing
>>> lists. I've read the FAQ about this, and I'm not quite clear about what can
>>> I do to avoid DMARC checkings to fail.
>>
>> On lists you don't manage, there is little you can do besides pester the
>> list operator and ask them to make their list DMARC compatible. But:
>>
>> 1. list operators tend to be change resistant
>> 2. there are now patches available for most list software to make them
>> DMARC compatible
>> 3. For unmaintained MLMs, like ezmlm, turning off options like subject
>> prefix and trailers suffices.
>> 4. ezmlm-idx does have patches
>> 5. Some of the MLM patches don't rewrite the sender *unless* they detect a
>> p=reject policy
>> 6. see #1
>>
>> I'm not going to rehash material from the FAQ but thinking about it from the
>> list operators perspective, why should *they* have to change *their* list so
>> that your silly little anti-phishing security thingy works? (I don't
>> subscribe to that school of thought, but that's frequently the attitude)
>>
>
> This is a vast oversimplification. Yes, it is possible to change the way list
> servers work to pass DMARC. However, doing so creates problems with lists
> that are set for replies to go to the list, and also makes it harder to
> identify who the actual sender is. And the requirement that we not add a
> footer violates the law that says that lists must include opt-out
> instructions in a footer. But the bigger problem is that it is costly. We run
> 17 lists on L-Soft’s listserv. We use an out of date version that meets our
> needs. To update to the version that supports DMARC compatibility would cost
> us about $6,000. We contacted L-Soft, and were told that they would give us a
> special deal, and only charge us $3,000 if we were willing to bypass
> maintenance support. Our annual budget to run our Linux virtual server is
> $275. Our lists are supported by voluntary contributions and managed by
> volunteer administrators. So our solution is to ban Yahoo and AOL addresses
> from posting to a list.
>

I understand you may not have budgeted upgrades, but nowadays timely upgrades are part of staying secure.

http://www.cvedetails.com/vulnerability-list/vendor_id-69/Lsoft.html
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
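Item 5 in the quoted list (MLM patches that rewrite the sender only when they detect a p=reject policy) can be sketched as follows. This is an added example, not code from the thread or from any MLM patch: the function names, addresses and DMARC records are constructed, and policy discovery is simplified to an exact match on the From domain through an injected lookup callable instead of DNS.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records, standing in for DNS lookups of _dmarc.<domain>.
RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "relaxed.example": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def rewrite_if_reject(msg, list_addr, lookup):
    """Rewrite From to the list address only when the author's domain has p=reject.

    Hypothetical helper. The author's address is kept in Reply-To unless the
    list has already set that header (a reply-to-list configuration).
    """
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    tags = parse_dmarc(lookup(domain) or "")
    if not tags or tags.get("p", "").lower() != "reject":
        return False  # p=none, p=quarantine or no record: leave the post alone
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via list", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr
    return True

def make_msg(sender):
    """Build a constructed list post from the given author."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "hello"
    msg.set_content("body")
    return msg

if __name__ == "__main__":
    for sender in ("Alice <alice@strict.example>", "Bob <bob@relaxed.example>"):
        post = make_msg(sender)
        changed = rewrite_if_reject(post, "list@lists.example", RECORDS.get)
        print(changed, post["From"], post["Reply-To"])
```

When the list already points Reply-To at itself, the author survives only in the display name, which is the reply-to-list trade-off raised in the quoted reply.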