IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC ATPS Interop Note

Douglas Otis <doug.mtview@gmail.com> Wed, 13 May 2015 00:42 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9541E1A88AF for <dmarc@ietfa.amsl.com>; Tue, 12 May 2015 17:42:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23LgFrpOuRk1 for <dmarc@ietfa.amsl.com>; Tue, 12 May 2015 17:42:41 -0700 (PDT)
Received: from mail-pa0-x231.google.com (mail-pa0-x231.google.com [IPv6:2607:f8b0:400e:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 906C31A8881 for <dmarc@ietf.org>; Tue, 12 May 2015 17:42:41 -0700 (PDT)
Received: by pacwv17 with SMTP id wv17so31819228pac.0 for <dmarc@ietf.org>; Tue, 12 May 2015 17:42:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=+cr8xeMkEgoTHAPaDI5UsXLHoZ/QXas4opox1Lnj6aw=; b=QpU47esPHLVwq5Zi51pn6hP12VavCE+OlupevV1VE24xmUqJDtARxDxZzK5h/+LO8T Wmr/mSnqB21PI+FGqbzZ1tV3YTnbRCEvjcJllt7FPtyhxYuwB/h999NHKGx29q1SpSw5 v2Yfy8FZN0zB95ofYwRYpk6Vy2SMUwsffFpJWXPAH7WhuY7n8zHXTNEw4H0291o5Xt29 h67Z3Y1OcdJ0zI/aLx6hYc9oo0HQv+vEtakMT1Bl2a47j+NwVoT0n/KP9I88sH7q6/FW 9hw7ki2FHm2OSihR97C09ghZM6AHsmqZolBYq3N5TZcAVtoxBVoEm2QnLOM1RyNjcgvq jkuA==
X-Received: by 10.68.246.38 with SMTP id xt6mr32232656pbc.20.1431477761171; Tue, 12 May 2015 17:42:41 -0700 (PDT)
Received: from US-DOUGO-MAC.local (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id wt1sm17377326pbc.4.2015.05.12.17.42.37 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 May 2015 17:42:39 -0700 (PDT)
Message-ID: <55529DFB.3010704@gmail.com>
Date: Tue, 12 May 2015 17:42:35 -0700
From: Douglas Otis <doug.mtview@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: dmarc@ietf.org
References: <554BC30F.1020107@isdg.net> <4087F3E9-540E-45C7-9AE1-2B71FC90CB5F@kitterman.com> <CAL0qLwbZo1=xg_AWNT550H25M64Hj9Bg+5WPsNhd4SFV4j1xnQ@mail.gmail.com> <554BE12A.7010606@isdg.net> <26011.1431106173@vindemiatrix.encs.concordia.ca> <554D3D1E.9050509@isdg.net> <27522.1431236028@vindemiatrix.encs.concordia.ca> <CAL0qLwYeWuovoCnK-Fo9PMajmAgRsxjpXav=ZuDL2A7jm2YLuw@mail.gmail.com> <14447.1431266709@vindemiatrix.encs.concordia.ca> <CAL0qLwbE_30cYWyRXCXkFbw4EMjwX-cy=48+o+c4qyrJY4LeLA@mail.gmail.com> <CAL0qLwbH6qTWhWVjpFAKmYU_fTdx8Hyy1PrE0ztLvG=3xmP_TA@mail.gmail.com> <554FEBB4.5050805@gmail.com> <CAL0qLwaVJY8eecoXV_Ctsxu5D5k+K6sg0dsQZtxafA22s4N1Vg@mail.gmail.com> <5550FB6C.7050802@gmail.com> <55518F96.8040708@isdg.net>
In-Reply-To: <55518F96.8040708@isdg.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/6Jj24SBmw0ciRDW811wuXKkhHDU>
Subject: Re: [dmarc-ietf] DMARC ATPS Interop Note
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 00:42:43 -0000


On 5/11/15 10:28 PM, Hector Santos wrote:
> On 5/11/2015 2:56 PM, Douglas Otis wrote:
>>
>> On 5/10/15 10:08 PM, Murray S. Kucherawy wrote:
>>> On Sun, May 10, 2015 at 4:37 PM, Douglas Otis
>>> <doug.mtview@gmail.com> wrote:
>>>> ATPS included an onerous task for any third-party service
>>>> likely used on a gratis basis. Each third-party was
>>>> expected
>>>> to learn specific hash algorithms of each From domain.  A
>>>> difficult process on top of changing their structure of
>>>> DKIM
>>>> signatures repeated tens of thousands of times for each
>>>> different first party domain. In addition, reputations
>>>> based
>>>> on the third-party relationship could not be leveraged
>>>> because of the optional hashing.
>>> I continue to find this repeated claim specious at best.
>>>
>> Unlike TPA-Label that required NO third-party authentication
>> method change, ATPS imposed two significant changes onto
>> third-parties:
>>
>> 1) A need for a new DKIM signature unique for _every_ Author
>> domain seen by the mediator.
>
> It should be off the DMARC record now.
Dear Hector,

Yes. DMARC uses SMTP outbound registration confirmation to
mitigate DKIM failure.  Sender header fields indicate the
domain responsible for issuing a message when present. 
DMARC failed to accommodate the Sender header field for
those domains handling normal email exchange.  Ignoring the
Sender header field is appropriate only when just direct or
transactional messages are issued by a domain asserting
restrictive DMARC policy.  In these cases, there would be
little chance either DKIM or outbound registration would be
negatively affected.

DMARC being unable to assert the domain handles normal email
exchanges likely to affect both DKIM and SMTP outbound
registration makes its resulting policy requests unreliable
and incompatible with RFC5322.  Restrictive DMARC policy
necessitate special handling of third-party services to
retain defined roles of From header fields per RFC5322. 

Rather than assisting other domains mitigate misapplied
policy, domains abusing DMARC are causing munged From header
fields and misapplied policy having a dangerous outcome of
legitimate messages being misplaced into Spam folders.  As
such, DMARC should signal when specific authorizations can
be obtained by using a uniform reference to either a
specific or a default domain or that the Sender header field
may offer an optional alignment when likely visible to the
recipient.
>> 2) A need to determine an _unspecified_ hash unique for each
>> Author domain seen by the mediator.
> Do we really need a hash?  I agree. This required new
> tools (Hash calculators, wizard, command line tools, DNS
> tools, etc) for DNS admin and sysops to be programmed. 
> Makes it harder to explore.
Third-party authorizations should be uniform, small, and
hard to explore.  Even to the point of publishing a wildcard
mitigating the generation of a large number of RRsets as
seen with DNS-SD that even expects this type exploring
behavior causing a real DDoS concern.
>> Both of these unnecessary and difficult impositions do not
>> align with those benefiting (the DMARC domain).
Many have not realized double signing is wide open to abuse
and will need similar DNS publishing techniques to adhere to
a broken window theory. 
http://en.wikipedia.org/wiki/Broken_windows_theory

Few things are more reprehensible than using DMARC to abuse
legitimate uses of email just to continue ignoring
compromised accounts.

TPA-Label did not presume DKIM use, but
draft-levine-dkim-conditional would allow a simpler
TPA-Label listing scheme signaled using DMARC.  Ignore all
additional constraints in TPA-Label, since a combined
strategy should safely handle a wider range of messages. 

It seems some have had some difficulty understanding the
rate of message handling involved by larger ESPs which makes
conditional handling fairly difficult to instrument.  Here
again, TPA-Label helps.  Unlike SPF's high overhead of
complex chained resource records,
draft-levine-dkim-conditional together with TPA-Label would
allow simple single resource record listings.  Their
retraction allows a quick abuse response.  Restoration can
be just as quick once abusive accounts have been disabled or
disinfected.

This represents a simple lightweight scheme that should
significantly reduce the rate of abuse by keeping the
Sending domains fully in the loop and easily instrumented.

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email