[Slackbuilds-users] Today's DMARC debacle
Rob McGee
rob0 at slackbuilds.org
Sun Mar 18 20:20:04 UTC 2018
Today a poster from a domain which published a DMARC "p=reject"
policy posted to our mailing list. Either his DMARC record is new,
or gmail just started enforcing DMARC, and so, unseen by all our
numerous gmail/googlemail and Google Apps subscribers, you were
kicked off our list.

Yes, it's stupid. DMARC allows third/fourth parties to do this
denial of service. Mailing lists since forever have used the
original sender's "From:" header, but the list server's envelope
sender. DMARC looks at the header, not the envelope.

But, as with so many things, we are stuck with stupid stuff.

GNU Mailman already has a workaround for the problem: it looks up
DMARC for the poster's domain, and if a "p=reject" is published, the
From header is rewritten. Yay, so you don't know who it was from.
(Another workaround is to simply disallow posts from such domains.)

Anyway, I'm working on the first workaround, and the poster who
triggered all this is temporarily blocked from posting.

We have placed the list on emergency moderation mode for now.

Please, no more posts about this until I get it resolved. I will
reply here when it is.

I'm sorry for the inconvenience. I am sorry that DMARC exists.

Fortunately it was only the posts (two) from this poster which caused
all the havoc. Every subscriber who was removed from the list should
have received their notification of removal. The problem was not a
matter of gmail not accepting mail from us; only that the DMARC
perpetrator was listed in the From: header. Not a factor for the
removal notification mails from Mailman.
--
Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
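
The From-rewriting workaround described in the message above, as an added
Python sketch (not Mailman's own code and not part of the original post).
The DMARC records, addresses and list name are constructed, and the DNS
lookup of _dmarc.<domain> is replaced by a dictionary so it runs offline.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# CONSTRUCTED sample data: TXT records as they would appear at _dmarc.<domain>.
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:reports@strict.example",
    "relaxed.example": "v=DMARC1; p=none",
}
SAMPLE_POST = (
    "From: Alice Poster <alice@strict.example>\n"
    "To: list@lists.example\n"
    "Subject: test\n\nbody\n"
)

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def policy_rejects(txt):
    """True when the published policy tag is p=reject."""
    return parse_dmarc(txt).get("p", "").lower() == "reject"

def munge_from(msg, list_name, list_addr):
    """Put the list address in From:, keep the poster reachable in Reply-To:."""
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    return msg

def relay(raw, dmarc_records, list_name, list_addr):
    """Rewrite the header only for posters whose domain publishes p=reject."""
    msg = message_from_string(raw)
    # DMARC is evaluated against the From: header domain, not the envelope.
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if policy_rejects(dmarc_records.get(domain, "")):
        munge_from(msg, list_name, list_addr)
    return msg

if __name__ == "__main__":
    print(relay(SAMPLE_POST, SAMPLE_DMARC, "Example List", "list@lists.example"))
```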