Re: [dmarc-ietf] Rethinking DMARC for PSDs
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 08 April 2019 11:02 UTC
Return-Path: <btv1==0019ccb4d59==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E951200D7 for <dmarc@ietfa.amsl.com>; Mon, 8 Apr 2019 04:02:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RP6N2fQNMKm for <dmarc@ietfa.amsl.com>; Mon, 8 Apr 2019 04:02:37 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F46F12006D for <dmarc@ietf.org>; Mon, 8 Apr 2019 04:02:37 -0700 (PDT)
X-ASG-Debug-ID: 1554721355-0990573e633e780001-K2EkT1
Received: from webmail.bayviewphysicians.com (webmail.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id ooieDBf8DYjDEotm (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Mon, 08 Apr 2019 07:02:35 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h= content-type:mime-version:message-id:reply-to:date:subject:to:from; bh=gdxLJzaMc/QDG539l2WTeyk5cBHQI1hpykjWW1pH5hc=; b=UmnJW1NDCdqEMprjynkFcPjUVN2SuoY/Xz7qwQsDmxmPlzqS/Jwc8Ncr2Hq7Qu/rI Cw37x6+QHB3hxt4CfcnBVRYppC/QUnFU34DHvyte+YWU6IkEaiQp+2h5stpwXlgxa gXbvRLFWOFGJM4rv0lkkVD30PEi3j3sjF07B7+4dA=
Received: by webmail.bayviewphysicians.com via HTTP; Mon, 8 Apr 2019 07:02:26 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org, John Levine <johnl@taugh.com>
Date: Mon, 08 Apr 2019 07:02:26 -0400
X-ASG-Orig-Subj: Re: [dmarc-ietf] Rethinking DMARC for PSDs
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <034c10b67aaf41a7809430c3c3b64c84@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0c98ee675aff48e8a15f888fc383b12c"
X-Originating-IP: [192.168.1.239]
In-Reply-To: <20190408005045.5EC462011B2BFE@ary.qy>
References: <20190408005045.5EC462011B2BFE@ary.qy>
X-Exim-Id: 034c10b67aaf41a7809430c3c3b64c84
X-Barracuda-Connect: webmail.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1554721355
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 7407
X-Barracuda-BRTS-Status: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2f3-NAWzqEuaczKNgvaP2LZasUQ>
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 11:02:40 -0000
Mr Levine brings up the valid point that there are a lot of mail filters with inadequate capabilities. I determined that my two products have inexcusable weaknesses, so I went shopping. I had only these rudimentary requirements: IP filtering Reverse DNS filtering Multi-factor whitelisting or some other safe mechanism for handling SPF policy mistakes. DMARC policy enforcement A secure-email method for outbound messages with sensitive content No domain spoofing by the product that is supposed to protect from domain spoofing. I was blown away when I discovered: Products that could not do IP filtering. Products that could do DMARC enforcement but not Reverse DNS filtering, and the reverse. Vendors who had no idea what multi-factor whitelisting meant. High-end vendors who did domain spoofing in their secure-email solution. (They have been notified.) Along the way, I was referred to three industry-analyst reports, and was equally disappointed that the reports showed no evidence of a theoretical framework on which to judge vendor differences. At least one analyst declared the industry "mature", which struck me as odd given the damage done by WannaCry and the obvious problems in the products I have been examining. I currently have exactly ONE vendor that is probably adequate, but I curtailed the discussion when I realized his costs were way higher than what I can interest management in spending. Overall, it appears product vendors have no idea what is actually needed and why. Since bad email filters are the problem, why is there no IETF working group to define the expected behavior of email filters? More importantly, can we start one NOW? I have been preparing to submit an email filter evaluation RFC as an individual, since this group seemed uninterested after an earlier post. But it would be better as a working group document, and it might become standards-worthy. Doug Foster ---------------------------------------- From: "John Levine" <johnl@taugh.com> Sent: Sunday, April 7, 2019 8:51 PM To: dmarc@ietf.org Cc: fosterd@bayviewphysicians.com Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs In article <c588c5eeec224162bffd080693c703e1@bayviewphysicians.com> you write: > The problem: > Spammers use non-existent domains to achieve identity spoofing, such as >tax.example.gov.uk > This is primarily a reception problem, because many recipient mail filters >are not equipped to block this type of fraud. .. Right, and we can stop right there. A decent spam filter will treat a nonexistent From: domain or envelope bounce address as extremely suspicious and send the message into spam folder purgatory. If someone's filters aren't doing that, it is unlikely that they're paying much if any attention to DMARC, and no amount of fiddling with DMARC will make any difference. My mail server rejects anything with a non-existent bounce address at SMTP time and I don't think it's ever rejected anything my users would want. The solution to this problem is for mail systems to fix their filters, not to invent yet another mail-breaking hack that they won't use anyway. R's, John
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Jeremy Harris
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John R Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Ken O'Driscoll
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Dotzero
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Kurt Andersen (b)
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Murray S. Kucherawy
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Tim Wicinski
- [dmarc-ietf] More rethinking on DMARC for PSDs Alessandro Vesely