nanog mailing list archives

[NANOG] Re: [NANOG]Re: Scheduled Maintenance Finished


From: Rich Kulawiec via NANOG <nanog () lists nanog org>
Date: Mon, 3 Mar 2025 07:31:00 -0500

On Sun, Mar 02, 2025 at 11:17:35PM +0100, Florian Weimer wrote:
> Many mailing lists have moved away from Subject:/body rewriting
> because it breaks DKIM signatures and may prevent successful message
> delivery to recipients whose servers enforce the sender's DMARC
> policy.  The alternative is to rewrite the From: line, at least for
> senders with restrictive DMARC policies, but this breaks other things.

And this is one of the great ironies of the entire DKIM/DMARC push:
it breaks things that were working just fine for decades while (a) providing
no anti-spam value [1] and (b) making the email forgery problem *much*
worse [2].

---rsk

[1] I've been monitoring deployment over all email traffic to several
dozen domains scattered across a number of servers scattered across a
number of networks.  And amusingly (or not), significantly more spam
is correctly signed than non-spam.  This should surprise nobody; it's
been a repeated pattern with multiple technologies that were claimed
to deal with spam effectively and have instead either had no real impact
or made the problem worse.

[2] The convergence of multiple bad choices is in play here.  First, the
proliferation of new TLDs that have been rapidly overrun by abusers
of all descriptions.  Second, dubious choices in email user interfaces
that obfuscate sender addresses.  Third, equally dubious choices in email
UIs that mark messages that pass validation as "signed" or "secure"
or "certified" or whatnot.  Fourth, the increasing inability of users
to understand email address RHS, e.g., to distinguish example.com from
example.tld or example.com.tld or exammple.com or exammple.tld.  Fifth,
many example.com's of the world don't send plaintext email messages;
they mark them up with HTML and graphics and so on, which means that
they're teaching their users that any message which *looks like* it's
from them is really from them.  Sixth, they also include URLs and
encourage their users to use those URLs. Seventh, as everyone here
is painfully aware, there are all kinds of hosting/cloud operations
that will happily take example.tld's money even though they know full
well they're not the real example.com and know equally full well what
they're really doing.

The result of all this is that users are being trained to fall for
forgeries, and there is ample supporting infrastructure to make those
forgeries effective.  Yeah, abusers will have a hard time successfully
forging messages from example.com and getting them delivered:
*but they don't have to* because example.tld (for ~1000 values of "tld")
is available.  And of course example.tld can recreate the language and
appearance of messages from the real example.com at will, and can mimic
the web site, which means that users will be presented messages that
look like, feel like, smell like they're from example.com, are dutifully
marked as "authentic" or whatever in their email client...and are all
fakes that lead them to a fake web site.

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/Q2SXCMMAYYFCWCLNCK2FQRI25DPDPR2J/
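The quoted paragraph states that Subject:/body rewriting breaks DKIM signatures. The following script is an added illustration (not part of the post or of any NANOG tooling) of exactly why: it implements the RFC 6376 "relaxed/relaxed" canonicalization and the two hashes a DKIM verifier recomputes, the body hash carried in bh= and the data hash that the RSA signature in b= covers, then applies a typical list rewrite (a Subject tag plus a footer) and shows which check fails. The RSA step itself is omitted, since any change to the data hash already guarantees the signature will not verify. The message headers, body, d=example.com and the s=sel2025 selector are constructed sample values.

```python
"""Why mailing-list rewrites break DKIM (added illustration, not from the post).

Implements RFC 6376 relaxed body/header canonicalization and the two hashes a
verifier recomputes: bh= (body hash) and the data hash the b= signature covers.
The RSA step is omitted on purpose: if the data hash changes, b= cannot verify.
"""
import base64
import hashlib
import re

CRLF = "\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 3.4.4: collapse WSP runs, drop trailing WSP, drop trailing empty lines."""
    out = []
    for line in body.split(CRLF):
        line = re.sub(r"[ \t]+", " ", line).rstrip(" \t")
        out.append(line)
    while out and out[-1] == "":
        out.pop()
    return CRLF.join(out) + CRLF if out else ""


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim, no WSP around colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}{CRLF}"


def body_hash(body: str) -> str:
    """The bh= tag: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def data_hash(headers, signed_fields, sig_value: str) -> str:
    """Hash the b= signature covers: the h= headers in order, then the
    DKIM-Signature header itself with b= blanked and no trailing CRLF."""
    h = hashlib.sha256()
    for name in signed_fields:
        # RFC 6376 5.4.2: headers are selected bottom-up (last instance first)
        value = next(v for n, v in reversed(headers) if n.lower() == name.lower())
        h.update(relaxed_header(name, value).encode())
    blanked = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    h.update(relaxed_header("DKIM-Signature", blanked).rstrip("\r\n").encode())
    return h.hexdigest()


def make_signature(headers, body, signed=("from", "to", "subject")) -> str:
    """DKIM-Signature value a signer would emit for the message (b= left empty: no RSA here).
    d= and s= are constructed sample values."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2025; "
            f"h={':'.join(signed)}; bh={body_hash(body)}; b=")


def check(headers, body, sig_value: str):
    """The two verifier steps: does bh= still match, and what data hash would b= have to sign?"""
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if "=" in t.strip())
    return body_hash(body) == tags["bh"], data_hash(headers, tags["h"].split(":"), sig_value)


def list_rewrite(headers, body, tag="[NANOG] ", footer="_______\r\nList footer\r\n"):
    """What a typical list does on the way through: tag the Subject and append a footer."""
    new = [(n, (tag + v) if n.lower() == "subject" else v) for n, v in headers]
    return new, body + footer


# Constructed sample message, signed at the originating domain.
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "list@example.org"),
    ("Subject", "Scheduled maintenance finished"),
]
ORIGINAL_BODY = "Maintenance is complete.\r\n"

if __name__ == "__main__":
    sig = make_signature(ORIGINAL_HEADERS, ORIGINAL_BODY)
    print("as signed:        ", check(ORIGINAL_HEADERS, ORIGINAL_BODY, sig))
    print("tag + footer:     ", check(*list_rewrite(ORIGINAL_HEADERS, ORIGINAL_BODY), sig))
    hdrs, _ = list_rewrite(ORIGINAL_HEADERS, ORIGINAL_BODY, footer="")
    print("subject tag only: ", check(hdrs, ORIGINAL_BODY, sig))
```

Two things the run makes visible. Relaxed canonicalization deliberately tolerates trailing blank lines and whitespace changes, so a transport that only touches those leaves bh= intact; a footer does not get that tolerance. And tagging the Subject alone leaves bh= valid but still changes the data hash, because Subject: is in h=, so the signature fails anyway. The From:-rewriting alternative the quote mentions has the same property: RFC 6376 requires From: to be signed, so the list must discard the original signature and re-sign under its own domain, which is precisely what moves the DMARC alignment from the author's domain to the list's.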