Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Michael Thomas <mike@mtcc.com> Mon, 25 January 2021 21:52 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 723223A19D0 for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 13:52:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTIcG7B-olrU for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 13:52:27 -0800 (PST)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0B673A19DF for <dmarc@ietf.org>; Mon, 25 Jan 2021 13:51:58 -0800 (PST)
Received: by mail-pl1-x631.google.com with SMTP id e9so8512206plh.3 for <dmarc@ietf.org>; Mon, 25 Jan 2021 13:51:58 -0800 (PST)
X-Received: by 2002:a17:90a:c82:: with SMTP id v2mr2307245pja.171.1611611517790; Mon, 25 Jan 2021 13:51:57 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id 5sm303861pjz.23.2021.01.25.13.51.56 for <dmarc@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Jan 2021 13:51:57 -0800 (PST)
To: dmarc@ietf.org
References: <20210125195231.E0DE16C13E26@ary.qy> <12abca41-4420-37c7-c903-7decc012027a@mtcc.com> <CAHej_8nr=SOuk0eUR481xMWhQ8JC5fjhHeE64w++Ltf0XM9TQw@mail.gmail.com> <84ffcfcd-d391-4382-6a23-dfe100407476@mtcc.com> <3ff74c76-9ac9-d4ce-32aa-96fea9a8b0e3@crash.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <1767db9a-ce8a-7c85-0aec-7ebda4680ab2@mtcc.com>
Date: Mon, 25 Jan 2021 13:51:55 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <3ff74c76-9ac9-d4ce-32aa-96fea9a8b0e3@crash.com>
Content-Type: multipart/alternative; boundary="------------F7EFD4F82AFFA8B4B90D46F9"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1m4BMqFKk-exDeH9rdhOCgKSDcY>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2021 21:52:34 -0000

On 1/25/21 1:26 PM, Steven M Jones wrote:
> On 1/25/21 12:18 PM, Michael Thomas wrote:
>>
>> On 1/25/21 12:08 PM, Todd Herr wrote:
>>> On Mon, Jan 25, 2021 at 2:56 PM Michael Thomas <mike@mtcc.com> wrote:
>>>
>>>
>>>     Sounds like a bug to me and an issue should be opened. Just because
>>>     it's a 10 year old bug doesn't mean it's not a bug.
>>>
>>>
>>> I disagree.
>>>
>>> Authentication results should not differ at a given provider based 
>>> solely on the destination domain, so there is no reason to report 
>>> results separately for each destination domain. Further, there's no 
>>> value to the report generators, especially at large sites like 
>>> Google, to expend the resources necessary to generate and send X 
>>> reports when one will do.
>>>
>> So you're saying I should be free to spoof any domain I want because 
>> Google might be inconvenienced?
>>
>
> If the language in 7.2.1.1 that Seth cited is "working," then report 
> generators are sending reports that pass DMARC and the report 
> receivers are validating that before ingesting the attached reports. 
> However this only provides some degree of attribution for the report 
> itself...
>
Yes, if that were enforced that would solve the problem. Given the 
confusion, my guess is that it is not. That paragraph could be a lot more 
specific about the mechanisms and motivations which I suggested in #98. 
It probably requires even more than my suggestion after seeing all of 
the list traffic going by. If gsuite is aggregating reports from all of 
their domains they host into one report, there is clearly a problem both 
with the text and with implementations.

And of course, any proposed http method would have to provide equivalent 
protection.

Mike
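
The receiver-side check discussed in this message (confirming that the mail carrying a report passed DMARC before the attached report is ingested), shown as an added example that is not part of the original message or of any DMARC implementation. The authserv-id `mx.receiver.example`, the function name and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own border MTA, which also strips
# any inbound Authentication-Results header claiming this id (RFC 8601).
TRUSTED_AUTHSERV_ID = "mx.receiver.example"

def report_mail_passes_dmarc(raw, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return (ok, reason); ingest the attached report only when ok is True."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False, "expected exactly one From header"
    from_domain = parseaddr(from_headers[0])[1].rpartition("@")[2].lower()
    if not from_domain:
        return False, "unparseable From address"
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header and drop RFC 5322 comments such as "(p=reject)".
        header = re.sub(r"\([^()]*\)", "", " ".join(str(header).split()))
        authserv, _, results = header.partition(";")
        if authserv.strip().lower().split()[:1] != [trusted_id]:
            continue  # stamped by some other host: not evidence for us
        for clause in results.split(";"):
            m = re.match(r"\s*dmarc\s*=\s*(\w+)", clause, re.I)
            if not m:
                continue
            if m.group(1).lower() != "pass":
                return False, "dmarc=" + m.group(1).lower()
            hf = re.search(r"header\.from\s*=\s*([^\s;]+)", clause, re.I)
            if not hf or hf.group(1).lower() != from_domain:
                return False, "header.from does not match From domain"
            return True, "dmarc=pass for " + from_domain
        return False, "trusted header carries no dmarc result"
    return False, "no Authentication-Results from trusted authserv-id"

# Constructed sample messages (not real traffic).
GENUINE = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=reporter.example;\n"
    " dmarc=pass (p=reject) header.from=reporter.example\n"
    "From: DMARC Reports <noreply-dmarc@reporter.example>\n"
    "Subject: Report Domain: example.org\n\n(report attachment omitted)\n"
)
SPOOFED = (
    "Authentication-Results: mx.receiver.example; dmarc=fail header.from=reporter.example\n"
    "Authentication-Results: mx.attacker.example; dmarc=pass header.from=reporter.example\n"
    "From: noreply-dmarc@reporter.example\n\n(report attachment omitted)\n"
)
```

A `dmarc=pass` stamped by any host other than the receiver's own border MTA is ignored, so the second header in `SPOOFED` does not change the verdict.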