Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

Alessandro Vesely <vesely@tana.it> Tue, 18 April 2023 17:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/58Zg734ivqgH5glgVEPhCBgNJ68>

On Mon 17/Apr/2023 22:59:29 +0200 Dotzero wrote:
> On Mon, Apr 17, 2023 at 12:05 PM John Levine <johnl@taugh.com> wrote:
>> It appears that Laura Atkins  <laura@wordtothewise.com> said:
>>
>>> Is this another issue we should document and make recommendations
>>> about? I was thinking along the line that transactional SaaS providers
>>> should fully support DMARC and should not allow companies using p=reject
>>> in their business mail to access the service?
>>
>> Section 2.4 says that everything other than the From: header is out of 
>> scope. Section 11.4 describes display name attacks and it looks OK to 
>> me. I suppose we might tweak 2.4 to clarify that anything other than 
>> the mailbox in the RFC5322.From field is out of scope to avoid any 
>> implication that we're talking about the comment part. 
>
> +1
>
>> It's not exactly a secret that bad guys can use misleading comments as 
>> easily as good guys. If we tried to enumerate all the ways that people 
>> might do dumb things, we would die of old age before we finished so I 
>> would prefer not to start.
>
> +1


Section 11.4 also brings an example of rewritten From:.  It doesn't say that 
in several cases doing such sort of construct is necessary because of 
DMARC.  Perhaps it could?


>> At M3 people occasionally have talked about extending DMARC to cover 
>> the From comment but it's such an ill-defined problem (what's 
>> allowable? how could you tell?) that it has never gone anywhere.
>
> There are things that can be done but to me they fall under local policy 
> and not interoperability. For example, if an email address is displayed but 
> doesn't match the From email address, don't display it. Some sites never 
> display the comment and only display the From email address. Things like 
> that.


Perhaps when DMARC works smoothly, someone will find out how to tell 
legitimate rewriting from plain spoof.


Best
Ale
--
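
The local-policy check described in the quoted text above (do not display an address shown in the From comment when it differs from the real From mailbox), as an added example that is not part of the original message. The function name, the address regex and the sample headers are constructed for illustration; the last sample shows that a list-style rewrite trips the same rule, which is the ambiguity raised in the reply.

```python
import re
from email import message_from_string
from email.policy import default

# Loose pattern for text that looks like an e-mail address (assumption:
# good enough for display filtering, not a full RFC 5322 addr-spec parser).
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def display_from(raw_message):
    """Return the string a cautious client would show for the first From: mailbox.

    The display name is dropped when it contains an address other than the
    mailbox DMARC actually evaluates (the RFC5322.From addr-spec).
    """
    msg = message_from_string(raw_message, policy=default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ""  # missing or unparsable From: nothing trustworthy to show

    mailbox = header.addresses[0]
    real = mailbox.addr_spec.lower()
    # policy=default decodes RFC 2047 encoded-words, so an address hidden
    # inside =?utf-8?q?...?= is visible to the regex as well.
    name = mailbox.display_name
    embedded = [a.lower() for a in ADDR_IN_TEXT.findall(name)]

    if any(a != real for a in embedded):
        return real  # misleading comment: show only the real mailbox
    return f"{name} <{real}>" if name else real


# Constructed sample headers (not taken from real traffic).
SAMPLES = {
    "plain": 'From: "Alice Example" <alice@example.org>\n\nbody\n',
    "spoofed": 'From: "ceo@bank.example" <someone@other.example>\n\nbody\n',
    "encoded": "From: =?utf-8?q?billing=40bank=2Eexample?= "
               "<someone@other.example>\n\nbody\n",
    "list_rewrite": 'From: "alice@example.org via list" '
                    "<list@lists.example>\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} -> {display_from(raw)}")
```
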