Lindsay Haisley writes:

> What goes into an address comment is, or should be, purely
> informational on a human level, and ignored on a computational
> level.

Unfortunately, we can't depend on that:

    There are a few possible mechanisms that attempt mitigation of
    [display name] attacks, such as:

    o  If the display name is found to include an email address (as
       specified in [MAIL]), execute the DMARC mechanism on the domain
       name found there rather than the domain name discovered
       originally.

DMARC draft, sec. 15.2.  This is discussion of matters outside the
scope of DMARC itself, not a normative specification, and the document
itself says there are legitimate uses of email addresses in display
names (or comments).  But that hasn't stopped the spam-fighters in the
past; it may not stop them this time.

AFAICS, putting an address from a DMARC domain anywhere in the mail
leaves you subject to a possible DMARC reject unless you satisfy "from
alignment" for that domain exactly as specified in DMARC.  That's not
implemented by anyone now, and may never be.

And obfuscating the address as in the OP may help, but for my previous
work address that would be

    stephen dot turnbull dot 1 at econ dot ohio-state dot edu

which is 57 characters.  You pays your money and you takes your
choice, I guess.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
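
Added example, not part of the original message and not code from Mailman or any DMARC implementation: the Python below shows which domain a receiver applying the quoted sec. 15.2 heuristic would evaluate for a given From: header. The function name, the loose address regex and the sample headers (example.com / example.org placeholders) are assumptions constructed for this illustration.

```python
import re
from email.utils import parseaddr

# Loose addr-spec matcher: a heuristic, not the full RFC 5322 grammar.
EMBEDDED_ADDR = re.compile(
    r"[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})"
)


def dmarc_target_domain(from_header):
    """Return (header_domain, domain_checked) for one From: header value.

    header_domain is the domain of the actual addr-spec. domain_checked is
    the domain the sec. 15.2 heuristic would run DMARC against: the domain
    of an address found in the display name or comment, if there is one,
    otherwise header_domain.
    """
    # parseaddr returns a trailing (comment) as the name when no phrase exists
    display, addr = parseaddr(from_header)
    header_domain = addr.rpartition("@")[2].lower()
    match = EMBEDDED_ADDR.search(display)
    if match:
        return header_domain, match.group(1).lower()
    return header_domain, header_domain


# Constructed From: values, as a list might rewrite them.
SAMPLES = {
    "plain": '"Alice Example" <some-list@lists.example.org>',
    "in_display_name":
        '"alice@corp.example.com via Some-List" <some-list@lists.example.org>',
    "in_comment": "some-list@lists.example.org (alice@corp.example.com)",
    "obfuscated":
        '"alice at corp dot example dot com" <some-list@lists.example.org>',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        header_domain, checked = dmarc_target_domain(value)
        note = "" if checked == header_domain else "  <-- not the From: domain"
        print(f"{label:16} From domain={header_domain}  DMARC on={checked}{note}")
```

In the `in_display_name` and `in_comment` cases the heuristic evaluates DMARC for `corp.example.com`, a domain the list server cannot align with; the `obfuscated` form slips past this particular matcher.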