Evaluating turning on DMARC #update


 

Hi All,

You can ignore this if you don't know what DMARC is...

We continue to get instances of malicious forwarding of list messages to people not subscribed to the lists. I don't know why this is happening, but it's an issue. I have just added a DMARC record with p=none for the groups.io domain (and not yet to any of the enterprise domains we serve), so that I can get reports of how DMARC might affect deliverability. I'm not a fan of DMARC, but it was designed specifically to prevent the problem we're having now.

If you have any specific objections to turning on DMARC, please let me know.

Thanks,
Mark


 

Mark,

> malicious forwarding of list messages to people not subscribed to the
> lists. ... I have just added a DMARC record with p=none for the
> groups.io domain ...

This will work for those posters/recipients subject to DMARC rewriting, Digests, Summaries, and notices. But are those major contributors to the problem? GMF had a spate of reports a while ago of people mystified by misdirected group messages, and that seemed to revolve predominantly around AOL. Is that where this is aimed?

Normal group messages, where the header From has the posting member's domain not Groups.io's, will fail DMARC regardless of Groups.io's settings. Unless I've missed something. That's the case where we're Waiting for Godot. Er, I mean ARC.

> If you have any specific objections to turning on DMARC, please let me
> know.

The only concern that comes to mind is that this could be another step down a path that leads to rewriting all From headers. I'd really rather not see that outcome.

Shal


Konstantin Ryabitsev
 

On Wed, Sep 15, 2021 at 10:50:59PM -0700, Shal Farley wrote:
> Normal group messages, where the header From has the posting member's domain
> not Groups.io's, will fail DMARC regardless of Groups.io's settings. Unless
> I've missed something. That's the case where we're Waiting for Godot. Er, I
> mean ARC.

For the record, it would be easy for groups.io to provide an option to be
DMARC-compliant, at least for DKIM-signed messages:

- don't modify signed headers (Subject, for example)
- don't modify the message body (e.g. don't append "Groups.io Links")

That's all it takes.

> > If you have any specific objections to turning on DMARC, please let me
> > know.
> The only concern that comes to mind is that this could be another step down
> a path that leads to rewriting all From headers. I'd really rather not see
> that outcome.

Setting a DMARC record for groups.io won't impact these messages anyway.

-K


Ken Schweizer
 

If, as Shal suggested, "that this could be another step down a path that leads to rewriting all From headers", I too would not like to see that, as it appears that those using their e-mail would have more difficulty determining who the author of the message is.

Ken S


Chris Jones
 

On Thu, Sep 16, 2021 at 04:24 PM, Ken Schweizer wrote:
> I too would not like to see that as it appears that those using their e-mail would have more difficulty determining who the author of the message is.

OTOH that might be the lesser of two evils...

Chris


 

K,
> - don't modify signed headers (Subject, for example)
> - don't modify the message body (e.g. don't append "Groups.io Links")
>
> That's all it takes.

Understood. But that is a very big "all".

It would largely defeat the "group" concept, turning Groups.io into a mere mail reflector.

> > The only concern that comes to mind is that this could be another step down
> > a path that leads to rewriting all From headers. I'd really rather not see
> > that outcome.
>
> Setting a DMARC record for groups.io won't impact these messages anyway.

Which messages are you referring to?

A DMARC record for groups.io will definitely apply to messages that have had their From rewritten into the groups.io domain. It wouldn't impact those that have not been rewritten (such as yours and mine), but that was the point I was making.

Shal
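
The three cases discussed in the thread so far, as an added example that is not part of any post: a list message passed through untouched, one with a footer appended, and one with the From rewritten into the list's domain. It assumes a constructed poster domain `example.org`, that the list sends with a groups.io envelope sender and its own `d=groups.io` signature, a two-label shortcut for the organizational domain, and it checks only the DKIM body hash, not the header signature.

```python
import base64
import hashlib
import re

POSTER, LIST = "example.org", "groups.io"   # example.org: constructed poster domain
BODY = "Hello list,\r\nsee you Thursday.\r\n"           # constructed message body
FOOTER = "\r\n-=-=-\r\nGroups.io Links: (footer)\r\n"   # constructed stand-in footer

def relaxed_body_hash(body: str) -> str:
    """DKIM bh= value: 'relaxed' body canonicalization + SHA-256 (RFC 6376, 3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse runs of whitespace and ignore whitespace at end of line.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()                       # ignore empty lines at end of body
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_result(from_domain, spf_pass, mailfrom_domain, dkim_sigs):
    """Pass if SPF or any verified DKIM signature aligns with the header From domain."""
    target = org_domain(from_domain)
    spf_aligned = spf_pass and org_domain(mailfrom_domain) == target
    dkim_aligned = any(ok and org_domain(d) == target for d, ok in dkim_sigs)
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

def list_delivery(modify_body: bool, rewrite_from: bool):
    """Return (header From domain, DMARC result) as seen by the final recipient."""
    signed_bh = relaxed_body_hash(BODY)              # what the poster's domain signed
    delivered = BODY + (FOOTER if modify_body else "")
    poster_sig_ok = relaxed_body_hash(delivered) == signed_bh
    from_domain = LIST if rewrite_from else POSTER
    # SPF passes for the list's envelope sender; the list's own signature verifies.
    sigs = [(POSTER, poster_sig_ok), (LIST, True)]
    return from_domain, dmarc_result(from_domain, True, LIST, sigs)

if __name__ == "__main__":
    for args in [(False, False), (True, False), (True, True)]:
        print(args, list_delivery(*args))
```

Only in the third case is the DMARC policy looked up under groups.io; in the first two the recipient evaluates the poster domain's policy.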


 

Chris,


> OTOH that might be the lesser of two evils...

Says the guy whose From address is already being rewritten. ;-)

But your example does serve to show that Ken's concern about identifying the author has been suitably mitigated by the way Groups.io rewrites the From address (as opposed to the way Yahoo Groups botched the rewrite).

Still, the downstream impacts ("collateral damage") of From rewriting are such that I'd prefer to eliminate the need altogether. Which is what the proposed ARC mechanism is supposed to do, but I'm not sure where that is in terms of adoption by mailbox providers.

Shal


 

Hi Shal,

On Wed, Sep 15, 2021 at 10:51 PM Shal Farley <shals2nd@...> wrote:

> This will work for those posters/recipients subject to DMARC rewriting,
> Digests, Summaries, and notices. But are those major contributors to the
> problem? GMF had a spate of reports a while ago of people mystified by
> misdirected group messages, and that seemed to revolve predominantly
> around AOL. Is that where this is aimed?

Yes, exactly. The spammer(s) uses AOL, Hotmail and Outlook accounts, for all of which we rewrite the From lines.

 
> Normal group messages, where the header From has the posting member's
> domain not Groups.io's, will fail DMARC regardless of Groups.io's
> settings. Unless I've missed something. That's the case where we're
> Waiting for Godot. Er, I mean ARC.


My understanding is that ARC is not yet adopted in any meaningful way.

 

> The only concern that comes to mind is that this could be another step
> down a path that leads to rewriting all From headers. I'd really rather
> not see that outcome.


Agreed, I don't want that either.

Thanks,
Mark 


Konstantin Ryabitsev
 

On Thu, Sep 16, 2021 at 08:30:41AM -0700, Shal Farley wrote:
> > - don't modify signed headers (Subject, for example)
> > - don't modify the message body (e.g. don't append "Groups.io Links")
> >
> > That's all it takes.
> Understood. But that is a very big "all".
>
> It would largely defeat the "group" concept, turning Groups.io into a mere
> mail reflector.

So, give folks an option:

1. accept rewritten From: that will throw away original headers (and use ARC,
if that's the way you want to go); a lot of people don't care about
From: anyway, unless they are doing very specific things
2. preserve all original headers and message body and fulfill DMARC
policies of the original sender; most people wouldn't care for that, except
some people who really, REALLY care

This can easily be a per-list setting.

-K


 

K,


> This can easily be a per-list setting.

This has headed off of Mark's original topic, if you'd like to see such a feature it would likely be best to start a new #suggestion topic about it.

Shal