hack #2 for Yahoo DMARC breakage

John R. Levine johnl at iecc.com
Wed Apr 9 22:37:18 UTC 2014


> 2: introduce an "Original Authentication Results" header to indicate
> you have performed the authentication and you are validating it

This was someone's hack that doesn't work.  The idea is that you make an 
RFC5451 Authentication-Results header for the incoming message, change the 
name to original-authentication-results to circumvent some MTAs that strip 
incoming A-R headers, and send it as part of the signed outgoing message.

The reason it doesn't work is that spammers can add fake o-a-r headers as 
easily as lists can add real ones, so you need to make a whitelist of 
well-behaved senders who don't send faked mail so you know whether to believe 
them.  But once you have the whitelist of well-behaved senders, you can 
skip the o-a-r stuff and just deliver the mail.

I gather somewhere there is a private non-standard bilateral 
implementation of this, but it still seems like an awfully complicated way 
to do your spam filtering.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
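
An added example (not part of the original message or of any real implementation) of the receiver-side decision the message describes: two constructed messages carry the same o-a-r claim, and the only thing that separates them is whether the signer is on a whitelist. The domains, the `TRUSTED_SIGNERS` set and the function names are assumptions, and each DKIM signature is assumed to have already verified for the domain in its d= tag.

```python
from email import message_from_string

# Constructed messages; every domain and value here is made up. Both are assumed
# to carry a DKIM signature that already verified for the domain in d=.
LIST_MSG = message_from_string(
    "Original-Authentication-Results: mx.list.example; dkim=pass header.d=author.example\n"
    "DKIM-Signature: v=1; d=list.example; s=s1; h=from:original-authentication-results; b=CONSTRUCTED\n"
    "From: alice@author.example\n\nhello\n")
SPAM_MSG = message_from_string(
    "Original-Authentication-Results: mx.bulk.example; dkim=pass header.d=author.example\n"
    "DKIM-Signature: v=1; d=bulk.example; s=s1; h=from:original-authentication-results; b=CONSTRUCTED\n"
    "From: alice@author.example\n\nbuy now\n")

TRUSTED_SIGNERS = {"list.example"}  # hypothetical whitelist of well-behaved senders


def signing_domain(msg):
    """Return the d= tag of the DKIM-Signature header, lowercased, or None."""
    tags = {}
    for part in (msg.get("DKIM-Signature") or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    d = tags.get("d")
    return d.lower() if d else None


def oar_claims(msg):
    """Parse Original-Authentication-Results into {method: result}."""
    claims = {}
    fields = (msg.get("Original-Authentication-Results") or "").split(";")
    for field in fields[1:]:  # fields[0] is the authserv-id
        tokens = field.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            claims[method.lower()] = result.lower()
    return claims


def accept(msg, trusted=TRUSTED_SIGNERS):
    """Believe the o-a-r claim only when the signer is on the whitelist."""
    return oar_claims(msg).get("dkim") == "pass" and signing_domain(msg) in trusted


if __name__ == "__main__":
    for label, msg in (("list", LIST_MSG), ("spam", SPAM_MSG)):
        print(label, oar_claims(msg), signing_domain(msg), accept(msg))
```

Both messages parse to the same claim, so the outcome of `accept` equals whitelist membership of the signer and the header contributes nothing to the decision.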