IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Scott Kitterman <sklist@kitterman.com> Sat, 15 April 2023 03:28 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0FCFC14CE33 for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.097
X-Spam-Level:
X-Spam-Status: No, score=-6.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FUZZY_PAYPAL=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="sEG7s/7G"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="DXwZvszP"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PGo5W0YTW_AM for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:28:34 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3771EC14CE24 for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:28:34 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 5BDF5F802AE for <dmarc@ietf.org>; Fri, 14 Apr 2023 23:28:21 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1681529286; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=VAfpWwpyFwSAntXHOfUBJnt3/G3AJoBiyf1fhDv8zLk=; b=sEG7s/7GRGQx4pfvDbxLCLQrWYzsCsc4RyUF18kIkD6Nvifk/EvSnQAlI3QhPYF9TBijS B76LhkbHeMlIzx+Bg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1681529286; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=VAfpWwpyFwSAntXHOfUBJnt3/G3AJoBiyf1fhDv8zLk=; b=DXwZvszPRLYC8x+oSfc2z9ywdvkk9R3M2/XTzXAXsbAid5vYao+5UQ/9tYDmM6+1Vrqkc iz45rGT2E6XvCZ6fZwPrBBklkyWcgOW3yH6UKDnKEY/YG6Q2lZKLPn4h7IxJ3ZHrDaj9c7Y 0N/It9idjNt1elH9FNjYG1T2VFj3vRjCbKO/8+La13cy/GMdKmP0KmOYg2LZ4QoWiH5SRxV rur2gESfJ5H7v/E2m4EY6LMSAFgxpZNzVWOAfsttO6z7HM6AxjSWGoajklPAHcVUu6rABjk hQp2LF0uVA0Qqd6dV/YQfcobORPO8458cH8Fw82XaJsrw/dL4TufFT8ZWhuw==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 284FDF80270 for <dmarc@ietf.org>; Fri, 14 Apr 2023 23:28:06 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 14 Apr 2023 23:28:01 -0400
Message-ID: <6539122.tkA9bUOPov@localhost>
In-Reply-To: <CAFcYR_VzGmukoB18f1FW5PdXaD=bG6u-_yOSV2kz4NYOVS-9QA@mail.gmail.com>
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <CAL0qLwYrXAgP5qR6B+aTU5gop07E1AzC+QWTOixbJSq1occe5A@mail.gmail.com> <CAFcYR_VzGmukoB18f1FW5PdXaD=bG6u-_yOSV2kz4NYOVS-9QA@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0VpfIKV9_SZSlVu0IAedFi_y2zc>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 03:28:38 -0000

One thing that would be super nice and not have any negative interoperability 
impacts relative to DMARC is if the From munging was limited to domains that 
publish p=reject (as this list does).  I don't recall having seen it outside 
IETF lists.

Scott K

On Friday, April 14, 2023 11:12:25 PM EDT Emanuel Schorsch wrote:
> I agree there are no silver bullets. But different policies make fighting
> abuse harder or easier. To give a concrete example we see huge volumes of
> abuse spoofing "gmail.com" fromHeader. There are also a huge number of
> benign parties that have become accustomed to spoofing "gmail.com". This
> makes it much more challenging to get it perfectly right when
> distinguishing the abusive cases from the benign cases. I point this out
> mainly to emphasize two points:
> 1) There is real abuse happening for domains that don't yet have a policy
> beyond p=none. This abuse has noticeably higher volumes than other sources
> of spoofing.
> 2) When benign traffic routinely follows the same practices as
> spammers/phishers it makes it more difficult to cleanly separate the
> buckets.
> 
> Compare this to the abuse levels we see spoofing Paypal, a domain with a
> p=reject policy. Of course there's no silver bullet and the levels aren't
> zero. There is DisplayName spoofing, there is cousin domain spoofing. But,
> it is substantially easier to mitigate against these because there are very
> few benign users sending mail from paypaI.com (using a capital i), or using
> a display name of "Paypal" signing with random domains and sending large
> volumes. From what I have seen, spoofing a domain like Paypal is
> substantially harder to scale because the benign and abusive cases are much
> more cleanly separated.
> 
> I would love to find a way for Mailing Lists to operate without the pain of
> from-munging and also give domains like gmail.com a tool to protect
> themselves. Obviously we are not there yet, so instead there is a very real
> and painful tradeoff to consider. I don't know what the solution is (maybe
> mailing lists can use from-munging, ARC and X-Original-From and destination
> receivers that participate can then unmunge it if that receiving user
> trusts that mailing list?). But I think we should be able to agree that
> there is a real security risk that stricter DMARC policies provide value
> against, AND that those stricter policies degrade the mailing list
> experience. Of course that says nothing about whether or not that tradeoff
> is reasonable or should be made :)
> 
> Instead of being forced to pick between two unappealing options I would
> love to put more effort into figuring out solutions that make both cases
> work. Maybe there is no solution. But I am optimistic that with some
> creative thinking and group problem solving we can work out something that
> protects against domain impersonation and allows Mailing Lists to work more
> effectively than the current solutions.
> 
> On Fri, Apr 14, 2023 at 10:08 PM Murray S. Kucherawy <superuser@gmail.com>
> 
> wrote:
> > On Fri, Apr 14, 2023 at 6:47 PM Douglas Foster <
> > 
> > dougfoster.emailstandards@gmail.com> wrote:
> >> Unless a mailing list has controls in place to ensure that EVERY post
> >> comes from the asserted participant, it is the height of hypocrisy to ask
> >> an evaluator to assume that the post is from the asserted participant.
> >> 
> >>  IETF cannot do even the easiest part of that task, so I have no reason
> >>  to
> >> 
> >> expect better elsewhere.
> > 
> > Nobody is asking the evaluator to assume anything.  That's what email
> > authentication is about; it shouldn't assume anything, and you only really
> > know something when you get a "pass".  Reacting harshly to a "fail" when
> > there are so many legitimate ways the current authentication schemes can
> > fail is folly.  But people are looking for silver bullets, so here we are.
> > 
> > A world free of fraudulent email is a laudable goal, of course.  But since
> > DMARC can only actually affect direct domain attacks, and makes no
> > discernible attempt to mitigate cousin domain or display name attacks to
> > which attackers can trivially switch, I think I'd like to see some proof
> > that it staves off enough of the darkness to be worth this level of
> > defense.
> > 
> > -MSK, participating
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email