[ih] Grotty Email behavior (better subject ID...)

John Levine johnl at iecc.com
Mon Sep 6 19:55:18 PDT 2021


It appears that Steffen Nurpmeso via Internet-history <steffen at sdaoden.eu> said:
>dcrocker at bbiw.net wrote in
> |The actual culprit is DMARC, which enforces authenticated From header 
> |field domain name use. ...

>And RFC 9057 which added the Author: header field that likely
>would have avoided this obnoxious situation when it would have
>been shipped alongside DMARC.

Very unlikely.

The original motivation for DMARC was heavily forged commercial domains
like paypal.com that send direct from the company to the recipient.  The
only thing a message from Paypal ever says is "something happened, look
at the web site to see what it was" so they made a reasonable decision that
if a strict DMARC policy lost a little legit mail along with a lot of phishes,
that's a good tradeoff.

Unfortunately, AOL and Yahoo which were at the time separate badly run companies
each had huge security breaches (twice for Yahoo) in which crooks stole people's
entire address books.  The crooks took pairs of stolen addresses and started
sending spam that appeared to come from a friend of the recipient.  Not surprisingly,
this led to vast numbers of support calls.  AOL and Yahoo independently decided
to outsource their support problem to the rest of the Internet by publishing
a DMARC policy record that made all the forged spam bounce, with the side effect
of breaking every mailing list in the world.  (Yahoo knew that would happen and
did not care, according to someone who was in the room.)

Now we have sort of a cargo cult around DMARC, with putative experts insisting
that everyone should have a p=reject DMARC policy because it is "more secure"
which it is for only a rather narrow version of "secure."  In fact it can be
helpful if A) your mail is forged a lot and B) you don't send any legit mail
via paths that DMARC cannot describe.  Some domains are like that, but many
are not.   Mine are not, which is why I have no plan ever to publish a DMARC
policy other than p=none.

The yelling about mailing lists was loud enough that there is now a thing called
ARC which more or less provides a log in the message of what the authentication
results were at prior hops, so in principle recipient systems can look at mail
they know is from something like a mailing list and use the ARC info to see if
it would have passed DMARC when it arrived at the list.  Several large mail
systems including Gmail and Outlook/Hotmail are now adding ARC headers (I think
invalid ones at Microsoft) but so far nobody I know is using it to fix DMARC
overfiltering.

As Dave has often pointed out, many mail programs, perhaps most these days, do
not show the From: address so the nominal benefit of DMARC, that you can tell
that the sender is "real" does not exist.  People who run large mail systems
tell me that despite the fact that it is so easy to evade, DMARC still blocks
a lot of phishing which means unsurprisingly that many crooks are lazy or
ignorant.

It's hard to see how an additional Author header would make much difference here.

R's,
John
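An added illustration of the mechanism John describes, not part of his post: a toy DMARC evaluator that shows why a message relayed through a mailing list fails alignment under p=reject, and how a receiver that trusts the list's ARC seal could honour the DMARC result recorded at the list's ingress instead. Authentication results are passed in as already-verified inputs, the organizational-domain logic is simplified (real code uses the Public Suffix List), and the domain lists.example is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import List, Optional

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(d1: str, d2: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' an org-domain match."""
    if mode == "s":
        return d1.lower() == d2.lower()
    return org_domain(d1) == org_domain(d2)

@dataclass
class AuthResults:
    from_domain: str                   # domain of the RFC5322.From header field
    spf_domain: Optional[str]          # MAIL FROM domain if SPF passed, else None
    dkim_domains: List[str] = field(default_factory=list)  # d= of passing DKIM signatures

def dmarc_pass(r: AuthResults, record: dict) -> bool:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From."""
    adkim = record.get("adkim", "r")
    aspf = record.get("aspf", "r")
    if r.spf_domain and aligned(r.spf_domain, r.from_domain, aspf):
        return True
    return any(aligned(d, r.from_domain, adkim) for d in r.dkim_domains)

def disposition(r: AuthResults, record: dict, arc_ingress_pass: Optional[bool] = None,
                trusted_arc_seal: bool = False) -> str:
    """Apply the p= policy to a failing message, unless a trusted ARC chain
    (cv=pass from a known list) recorded a DMARC pass when the list received it."""
    if dmarc_pass(r, record):
        return "pass"
    if trusted_arc_seal and arc_ingress_pass:
        return "pass (ARC override)"
    return {"none": "none", "quarantine": "quarantine", "reject": "reject"}[record["p"]]
```

A list typically rewrites MAIL FROM to its own domain and alters the body, so the author's SPF and DKIM no longer align with the From: domain; only the list's own DKIM signature survives, which is exactly the case the override is for.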


