[Slackbuilds-users] Today's DMARC debacle
Rob McGee
rob0 at slackbuilds.org
Thu Mar 22 04:39:08 UTC 2018
Some of you might not have seen this because your list delivery was
suspended. We think we have all the subscribers reenabled now.

The "fix" has been implemented and confirmed to work. "Fix" is the
wrong word; it is a workaround for the shortcomings of the DMARC
protocol. Our list was fine, but we had to break it in case some
other poster gets the same silly idea to play with DMARC.

If you missed anything from 2018-03-18 11:47 UTC to now, here's the
link to the archives:
https://lists.slackbuilds.org/pipermail/slackbuilds-users/2018-March/thread.html

On Sun, Mar 18, 2018 at 20:20 UTC, I wrote:
> Today a poster from a domain which published a DMARC "p=reject"
> policy posted to our mailing list. Either his DMARC record is new,
> or gmail just started enforcing DMARC, and so, unseen by all our
> numerous gmail/googlemail and Google Apps subscribers, you were
> kicked off our list.
>
> Yes, it's stupid. DMARC allows third/fourth parties to do this
> denial of service. Mailing lists since forever have used the
> original sender's "From:" header, but the list server's envelope
> sender. DMARC looks at the header, not the envelope.
>
> But, as with so many things, we are stuck with stupid stuff.
>
> GNU Mailman already has a workaround for the problem: it looks up
> DMARC for the poster's domain, and if a "p=reject" is published, the
> From header is rewritten. Yay, so you don't know who it was from.
>
> (Another workaround is to simply disallow posts from such domains.)
>
> Anyway, I'm working on the first workaround, and the poster who
> triggered all this is temporarily blocked from posting.
>
> We have placed the list on emergency moderation mode for now.
> Please, no more posts about this until I get it resolved. I will
> reply here when it is.
>
> I'm sorry for the inconvenience. I am sorry that DMARC exists.
>
> Fortunately it was only the posts (two) from this poster which caused
> all the havoc. Every subscriber who was removed from the list should
> have received their notification of removal. The problem was not a
> matter of gmail not accepting mail from us; only that the DMARC
> perpetrator was listed in the From: header. Not a factor for the
> removal notification mails from Mailman.
--
Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
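
The From-rewriting workaround described in the message above, as an added sketch that is not part of the original post and is not Mailman's code: it rewrites From: only when the poster's domain publishes "p=reject", and keeps the poster reachable through Reply-To:. The function names, the example domains and the sample record are assumptions; the DMARC TXT record is passed in as a string instead of being looked up in DNS, and "sp=" and organizational-domain fallback are ignored.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; {} if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return {}
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def mitigate(msg, dmarc_txt, list_name, list_addr):
    """Rewrite From: in place if the poster's policy is p=reject.

    Returns True when the header was rewritten, False when the post is
    left alone (no record, or a policy other than reject).
    """
    policy = parse_dmarc(dmarc_txt or "").get("p", "none").lower()
    if policy != "reject":
        return False
    name, addr = parseaddr(str(msg["From"]))
    del msg["From"]
    # The list address now sits in From:, so header alignment is checked
    # against the list's domain instead of the poster's.
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    return True


def sample_post():
    """Constructed sample message; all addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "Alice Example <alice@strict.example>"
    m["To"] = "users@lists.example"
    m["Subject"] = "test post"
    m.set_content("hello list")
    return m
```

Posts from domains with no record or with "p=none" pass through with the original From: intact, so only the posters who would trigger rejections lose their address in the header.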