IETF Logo Mail Archive

Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 13 July 2021 21:21 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B91D3A1071 for <dmarc@ietfa.amsl.com>; Tue, 13 Jul 2021 14:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGXSXBnLTFyS for <dmarc@ietfa.amsl.com>; Tue, 13 Jul 2021 14:21:55 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D54D3A106E for <dmarc@ietf.org>; Tue, 13 Jul 2021 14:21:55 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id s23so15449304oij.0 for <dmarc@ietf.org>; Tue, 13 Jul 2021 14:21:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OYFsf/zP3rLJ5b1ehMz7+IGyuuXtnVOEX6wfRv/WaPg=; b=k2Fei3syJ1BhLE3C7gARXXrUvrbXZfybBrvEejARjef+iRy1lDqNgRtw7s87IbKzaQ wG4ytMuvIllc8OkIouIJdjx9esrQbQh9XD03TcP91s0xNUAsvhfun3wkyHb4Yq3UOq0u I/uzuLwFOJsQhqmTF5ILBPywgzSFdG4x1oTDsZQ8JGKONrYY7hGaixaZcvcsPwk4DRuV GZe+MfJBuroC0K+y6CDSVCrTEPvzhALo5yME8yTqu1WxKCUynBIJV7D8/GiBwnmOv72c +x1ek0+2tDkuLQQH9OYT46CI4BfwOrHw8yc84biNXjjk3D8mDJC5lk4bASYvSAxAkclR j+7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OYFsf/zP3rLJ5b1ehMz7+IGyuuXtnVOEX6wfRv/WaPg=; b=FEQKyYbZBJ3qqdwRtz9glntXDzf6MG37QiPqwAv7EK56ZY2tQRHoR4NUNVYgHE4ycp nVEXLZS8cMiwRZRBBkz9vpzXK/3FWEEKRbcG02x2e/vJSaU9pBQdHIU98VzU9/pc7ClH esLhS9AFb8xGPQEo49OdFhEM3e8VdeTVAsDIzhxQCvDuyQ0KLWuuiCERRHNWA2R0M3f5 uElbOW1grJ/hr66GGk239OIlBTo/9IBIAqvTemetwGJvhrA65EHej+w3/xR6yULlIIv3 SrmEu/7ggwBEqmq5mX+VdDcmuDQE1vJ21iH9+JbfGQDfnrJb5n7FBTV0SDx2sqhXWnwR NdoA==
X-Gm-Message-State: AOAM532nLpWGhqHrohDFKnskd7YEQtRyHWwONBjFaH/XLQNUfTXaFZM6 wPdc5TRYPW3FbsZrCfTzFvgKMZvLrw1PR0T9+Jnl6me2
X-Google-Smtp-Source: ABdhPJw+JXKOcSqSb6SuHE9tPl4XgFivZEykZkJ3b0QvimA7JueBP7b7LLfm5Q9Vqm3O/22m1RwrZgKVO4anc9MmI14=
X-Received: by 2002:aca:c6cf:: with SMTP id w198mr168546oif.73.1626211313711; Tue, 13 Jul 2021 14:21:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com> <CAH48Zfys9cwTskjjdeJ14Y-wDBuqLseDEEiNvwC9BonLAwMyVw@mail.gmail.com> <CAHej_8mTF7DFwDiCHBq_mK40E+vuFS6iB+MQ3Co3pS=ZdqXkcg@mail.gmail.com>
In-Reply-To: <CAHej_8mTF7DFwDiCHBq_mK40E+vuFS6iB+MQ3Co3pS=ZdqXkcg@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 13 Jul 2021 17:21:40 -0400
Message-ID: <CAH48Zfy2enymaSpHXJ0EpBS29iunt-Dnm1H58vEsX4fc7LEdvA@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aefc7005c707d3f3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/28HvlSKdJrJ7pxID7xXny4Z-Veg>
Subject: Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 21:22:00 -0000

Thank you.   I will review it.

On Tue, Jul 13, 2021, 2:10 PM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Tue, Jul 13, 2021 at 7:03 AM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> I understand that under the current specification, PCT has been useful
>> because P=NONE with PCT=100 produces different results than QUARANTINE with
>> PCT=0.   This is an anomaly that I would hope we can fix, but if not, we
>> need to specify that the only valid settings are PCT=0 or PCT=100.   The
>> specification should force numbers between 1 and 99 to be interpreted as
>> either 0 or 100.
>>
>> The current PCT specification is fatally flawed because the denominator
>> is undefined and unstable.  Suppose that a domain owner concludes that most
>> but not all of his traffic will produce DMARC PASS.   Should the percentage
>> be based on message volume or Source IP counts?    Either way, the volume
>> distribution received by any single evaluator will be different than the
>> volume distribution sent out.
>>
>> But the larger problem is that the evaluator is performing a conditional
>> probability, because the policy is only applied to messages that produce
>> DMARC FAIL.    If there is no impersonation, an unauthenticated message has
>> a 100% probability of being legitimate.    The denominator is determined by
>> the volume of impersonation messages, not by the volume of legitimate
>> messages.   The percentage offered by the sending domain owner is useless.
>>
>> Next, assume that an accurate probability can be determined, and that 80%
>> of unauthenticated messages are legitimate and 20% are impersonations.
>> Does it make sense to apply that probability rule to
>> message disposition?    It will produce these results:
>>
>> Legitimate and DMARC ignored, message accepted = 80%*80% = 64% of total
>>
>> Legitimate and DMARC enforced, message blocked = 80%*20% = 16% of total
>>
>> Impersonation and DMARC ignored, message accepted = 20%*80% = 16% of total
>>
>> Impersonation and DMARC enforced, message blocked = 20%*20% = 4% of total
>>
>> Therefore, the correct decision is applied only 68% of the time, and the
>> wrong decision is applied 32% of the time.   This is unsatisfactory for
>> protecting against ransomware, and also unsatisfactory for reliably
>> delivering wanted messages.
>>
>> The actual volume of impersonating messages will be determined by the
>> spammer, not by the domain owner, so the whole notion of choosing a
>> percentage is flawed.    The domain owner does not have the information
>> needed to provide a usable percentage.   The message evaluator can only
>> determine the percentage by carefully examining many messages and
>> categorizing the source.  Once the source is categorized, guessing is no
>> longer necessary and the percentage is irrelevant.
>>
>>
>>
> I believe you'll find that your ideas, or at least sentiments quite
> similar to them, are captured in draft-ietf-dmarc-dmarcbis-02
>
> First, draft-ietf-dmarc-dmarcbis-02 makes a small but substantial change
> to the definition of the pct tag from what's currently in RFC 7489. Where
> RFC 7489 reads:
>
>    pct:  (plain-text integer between 0 and 100, inclusive; OPTIONAL;
>       default is 100).  Percentage of messages from the Domain Owner's
>       mail stream to which the DMARC policy is to be applied.
>
>
> draft-ietf-dmarc-dmarcbis-02 instead starts with this text:
>
>    pct:  (plain-text integer between 0 and 100, inclusive; OPTIONAL;
>
>       default is 100).  For the RFC5322.From domain to which the DMARC
>
>       record applies, the "pct" tag is the percentage of messages
>
>       producing a DMARC result of "fail" to which the Domain Owner
>       wishes its preferred handling policy be applied.
>
> Since the concept of applying DMARC policy to messages that produce a
> DMARC result of "pass" doesn't exist, it doesn't make sense to claim that
> "pct" applies to the entire mailstream.
>
> Next, draft-ietf-dmarc-dmarcbis-02 contains a substantial rewrite of the
> Message Sampling section (now section 6.7.4) that goes to great lengths to
> attempt to show that the desired pct value really can't be counted on to be
> applied as asked for, and what might actually happen could vary widely from
> what's desired.
>
> https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/
>
>
> --
>
> *Todd Herr* | Technical Director, Standards and Ecosystem
> *e:* todd.herr@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email