On 5/15/15 5:09 PM, Terry Zink wrote:
> Hector,
>
>> You should give DMARC+ATPSrev4 a shot. It works great.
> My perception of your +1 to your solution is this: "I run my own mail server
> and moderate my own DNS zone. I have a couple of users on my domain.
> Everything works so easy."
>
> Yet you then admit:
>
>> not all domains will be able to use DMARC and/or ATPSrev4.
> The "not all domains" who won't use this will be large senders and receivers
> who account for the majority of phishing targets and email receivers. And if
> you haven't solved it for the majority of phishing targets and potential
> victims, how can you call this a solution? At best, it's having done
> something interesting and a self-pat-on-the-back, but most of the problem is
> not solved. And if most of the problem is not solved nor will be, why pursue
> it?
>
> How do you get around this? Who do you expect to implement it?

Dear Terry,

I can't speak for Hector nor would I include ATPS, but a very small group of us managed this type of feedback largely operated automatically to deal with mailing-lists, dial-ups, open-proxies, etc. Each category triggered different testing and investigative criteria. The collected dataset was then applied against inbound email seen by about 70% of the entire world's email users. This service was initially free and pre-built into the various mail programs.

This approach scales to very high levels while causing very low overhead. In contrast, SPF and reverse lookups represent orders of magnitude greater overhead. We handled various European schools such as Ja.net and even several of the largest ESPs, some of whom are participating on this list but may not be aware of our prior involvement.

Beyond just DMARC feedback, protection will require feedback augmented with mail-traps that are separately available as a service. With DMARC forcing all messages to be authorized in some manner, the type of gaming that can be involved becomes much easier to exclude.

There is no silver bullet, but once this type of feedback is instantiated, the abuse seen by recipients should be greatly reduced with far less ending up in spam folders. The best part is this can retain full SMTP compatibility.

As some of the larger DMARC domains start offering third-party specific feedback, the value of such authoritative data will be high and should spur greater adoption.

Regards,
Douglas Otis

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc