What are Mailing Lists?
Mailing lists are a long-standing way of carrying mass e-mail communication throughout a community. These communities' topics range from comic books to science and technology projects, and all the way to the legitimate business needs of employees working within a community to develop new standards. There are also many mailing lists for Linux and other systems that keep your teams informed of new and interesting projects that can benefit your company. Mailing lists often have an online page where you can view the archives.
How do these mailing lists affect APD?
Many of these mailing lists have been around for a long time, are misconfigured, and are generally "messy". Most mailing-list servers break both SPF and DKIM: the list-serv becomes the sending IP (breaking SPF) and then also modifies the message, for example by adding the [project-name] subject tag (breaking DKIM). As a result, many mail security systems classify these messages as man-in-the-middle domain spoof attacks.
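The two failures described above, reduced to their essentials in an added Python example (this is illustrative code written for this article, not part of APD or of any list-serv). It assumes a constructed scenario: an author at example.org whose SPF record lists only 203.0.113.0/24, a list-serv at 198.51.100.7 that relays the post and appends a footer, and simplified SPF (ip4: mechanisms only) and DKIM (body hash only) checks.

```python
import base64
import hashlib
import ipaddress

# Constructed scenario values; the addresses are documentation ranges, not real hosts.
AUTHOR_DOMAIN_SPF_IP4 = ["203.0.113.0/24"]   # example.org's published ip4: mechanisms
AUTHOR_SERVER_IP = "203.0.113.10"            # example.org's outbound MTA
LIST_SERVER_IP = "198.51.100.7"              # the list-serv that relays the message
ORIGINAL_BODY = "Hi all,\r\nPatch v2 is attached.\r\n"
LIST_FOOTER = ("-- \r\nproject-dev mailing list\r\n"
               "https://lists.example.net/listinfo/project-dev\r\n")


def dkim_body_hash(body: str) -> str:
    """The value DKIM carries in its bh= tag: base64(SHA-256(canonicalized body)).
    Simple canonicalization is assumed, so the body is hashed exactly as given."""
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def spf_ip4_check(connecting_ip: str, ip4_mechanisms) -> str:
    """Reduced SPF evaluation: pass if the connecting IP matches an ip4: mechanism,
    otherwise fail (i.e. the record ends in -all)."""
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in ip4_mechanisms) else "fail"


def dkim_check(delivered_body: str, signed_bh: str) -> str:
    """Reduced DKIM verification: the bh= the author signed must equal the hash of
    the body that actually arrived."""
    return "pass" if dkim_body_hash(delivered_body) == signed_bh else "fail"


def authenticate(connecting_ip: str, delivered_body: str, signed_bh: str) -> dict:
    """What the receiving MX would record in Authentication-Results for this delivery."""
    return {
        "spf": spf_ip4_check(connecting_ip, AUTHOR_DOMAIN_SPF_IP4),
        "dkim": dkim_check(delivered_body, signed_bh),
    }


def direct_delivery() -> dict:
    """The author's own MTA connects to the recipient; the body is untouched."""
    signed_bh = dkim_body_hash(ORIGINAL_BODY)
    return authenticate(AUTHOR_SERVER_IP, ORIGINAL_BODY, signed_bh)


def via_mailing_list() -> dict:
    """The list-serv becomes the connecting IP (SPF fails) and appends its footer,
    so the body no longer matches the signed bh= (DKIM fails)."""
    signed_bh = dkim_body_hash(ORIGINAL_BODY)
    return authenticate(LIST_SERVER_IP, ORIGINAL_BODY + LIST_FOOTER, signed_bh)


if __name__ == "__main__":
    print("direct delivery:  ", direct_delivery())
    print("via mailing list: ", via_mailing_list())
```

Real DKIM also signs selected headers, normally including Subject, so the [project-name] tag alone is enough to break the signature even when the body is left intact; the body hash is used here only because it is the simplest part to show.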
How do I confirm this is my issue?
Many mailing lists put [project-name] at the start of the subject, and a Google search for that tag usually returns details about the project. You will also want to look up the IP address and hostname of the sending server. Many of the well-known list-servers have the word "list" in their hostname. An example is "lists.gnu.org", a popular list server for Linux teams.
What needs to be done to correct this?
Agari engineers can override specific sending IPs and hostnames as allowed forwarders, preventing APD from calling these messages spoofs. That, however, applies only to APD; other security controls may still flag them as spoofs.
Please collect specific examples of the mailing lists you are seeing, including the sending domain, the sending IP address, and any information you have about the mailing list, and submit a support case with that information.
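An added Python example, not APD code, that applies the checks from "How do I confirm this is my issue?" to a message's headers and assembles the details a support case asks for: the sending domain, the sending IP and hostname from the last hop, the [project-name] subject tag, and the List-* headers that list-servs add. The sample message is constructed for this article; lists.example.net and 198.51.100.7 are placeholders, not a real list-serv.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a post relayed by a hypothetical list-serv to our MX.
RAW_MESSAGE = b"""Received: from lists.example.net (lists.example.net [198.51.100.7])
\tby mx.example.com with ESMTPS id abc123
\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby lists.example.net with ESMTPS id def456; Mon, 1 Jan 2024 09:59:00 +0000
From: Bob <bob@example.org>
To: project-dev@lists.example.net
Subject: [project-dev] Re: draft of the new API
List-Id: Project development discussion <project-dev.lists.example.net>
List-Post: <mailto:project-dev@lists.example.net>
List-Unsubscribe: <https://lists.example.net/listinfo/project-dev>

Looks good to me.
"""

SUBJECT_TAG = re.compile(r"^\s*\[([^\]]+)\]")
# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs in Received headers.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[\d.]+)\]\)")
# Headers defined by RFC 2369 that list-servs add to the messages they distribute.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help", "List-Subscribe")


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def subject_tag(msg):
    """Return 'project-dev' for a subject of '[project-dev] ...', else None."""
    m = SUBJECT_TAG.match(str(msg.get("Subject", "")))
    return m.group(1) if m else None


def last_hop(msg):
    """(hostname, ip) of the server that handed the message to our MX, taken from
    the topmost Received header, which is the one our own MX wrote."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(str(received[0]))
    return (m.group("rdns"), m.group("ip")) if m else None


def mailing_list_indicators(msg):
    """The signs the article suggests checking, each as a short reason string."""
    reasons = []
    tag = subject_tag(msg)
    if tag:
        reasons.append(f"subject tag [{tag}]")
    present = [h for h in LIST_HEADERS if h in msg]   # header lookup is case-insensitive
    if present:
        reasons.append("list headers present: " + ", ".join(present))
    hop = last_hop(msg)
    if hop and "list" in hop[0].lower():
        reasons.append(f'sending host "{hop[0]}" contains "list"')
    return reasons


def support_case_summary(msg):
    """The facts to put in the support case described in the article."""
    host, ip = last_hop(msg) or ("unknown", "unknown")
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return {
        "from_domain": from_addr.rpartition("@")[2],
        "sending_host": host,
        "sending_ip": ip,
        "list_id": str(msg.get("List-Id", "")).strip(),
        "subject_tag": subject_tag(msg),
        "indicators": mailing_list_indicators(msg),
    }


if __name__ == "__main__":
    for key, value in support_case_summary(parse(RAW_MESSAGE)).items():
        print(f"{key}: {value}")
```

The last hop is the right one to report because it is the IP that APD and other controls evaluate for SPF; the inner Received header shows where the post originally came from, which is useful context but is not the forwarder that needs to be allowed.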
Things to consider:
Because of the open nature of mailing lists, anyone can generally join. This means a spammer or attacker can join a mailing list and send out unwanted content.
Because of this, Agari has seen companies adopt policies against mailing lists, setting their DMARC policy to p=reject while knowing that some of these messages will be rejected by their SEG (secure email gateway). Those companies then recommend that their employees go to the project's website for updates rather than relying on email communication.
Is there a long term fix?
As this is a well-known issue, a few major players in the email world are working on the Authenticated Received Chain (ARC) protocol, which directly addresses forwarders such as mailing lists. At the time of writing, ARC has not been finalized, and Google and MS 365 are the only systems using it.
For more information about ARC, see RFC 8617 (ietf.org).
Other articles on the topic: