IETF Logo Mail Archive

Re: [dmarc-ietf] Reversing modifications from mailing lists

Alessandro Vesely <vesely@tana.it> Mon, 06 December 2021 11:39 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D56C3A07BE for <dmarc@ietfa.amsl.com>; Mon, 6 Dec 2021 03:39:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.852, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=DTEzECMQ; dkim=pass (1152-bit key) header.d=tana.it header.b=Az0HWYQL
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 559b5D9tVcv4 for <dmarc@ietfa.amsl.com>; Mon, 6 Dec 2021 03:39:50 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92C3A3A07B4 for <dmarc@ietf.org>; Mon, 6 Dec 2021 03:39:49 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1638790782; bh=j/Qq+QmjPVn9U8jmqZlOYQy5nKE/CnPv9Dp434mGd7Q=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=DTEzECMQHbiFdq/oIXi30GXsfAOI2T7Bdj2ofZzFAy2By2XO/2e3Inmt1z+duRjNN nr9P7QLnsdZvAkGZxsXAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1638790782; bh=j/Qq+QmjPVn9U8jmqZlOYQy5nKE/CnPv9Dp434mGd7Q=; h=To:Cc:References:From:Date:In-Reply-To; b=Az0HWYQLbBE2wfakvd1Ts+NTrlDoZQeYd7cNE2Zjrr5ROFQmXwZArSXp6/zocMm0R Dxpko5ACEJ/THOuc00jXqls6y4Ie6S4y7opAB9pY0vIVZclmq5tkJ6sdi2QAR0Yp1z PrpvD9x7BVV/POmUqU0sqrjMzvzHKVQsKE3HOWyXPN6cN79V7Xg4UtAdPGKO5
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Original-Cc: dmarc@ietf.org
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC09F.0000000061ADF67E.00005D0A; Mon, 06 Dec 2021 12:39:42 +0100
To: Wei Chuang <weihaw=40google.com@dmarc.ietf.org>
Cc: dmarc@ietf.org
References: <20211129030358.BC1EA30B80A5@ary.qy> <0e941529-1c93-b84d-ae7f-01c505a52c60@tana.it> <d6116d53-b415-f4d1-67e6-3a765f83754d@taugh.com> <4eb213fc-c269-3d62-36dd-50fd39efb368@tana.it> <CAAFsWK2BLP8+GOVzdDtn_PsyAGaKwt0Y3F_hQWkdTHdC6RhD=A@mail.gmail.com> <b2b240b0-a658-b852-fe22-6902de577745@taugh.com> <d3bb0d23-8930-8b7e-3c5e-03821daaae2a@tana.it> <CAAFsWK3yQAn-SSfpp7mAx70+EaCu=_bHjrDROyb+KL1gjKVb5Q@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <ab653403-6a11-fe21-e708-57348152ac71@tana.it>
Date: Mon, 06 Dec 2021 12:39:41 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <CAAFsWK3yQAn-SSfpp7mAx70+EaCu=_bHjrDROyb+KL1gjKVb5Q@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8rzaVdpQmPt2QsTOSq9-ovKE_ZI>
Subject: Re: [dmarc-ietf] Reversing modifications from mailing lists
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 11:39:57 -0000

On Sun 05/Dec/2021 20:55:30 +0100 Wei Chuang wrote:
> On Wed, Dec 1, 2021 at 3:45 AM Alessandro Vesely <vesely@tana.it> wrote:
>> On Tue 30/Nov/2021 18:30:39 +0100 John R Levine wrote:
>>> On Tue, 30 Nov 2021, Wei Chuang wrote:
>>>> What about adding a footer to some html mime part is poorly handled when
>>>> using "l="?  Multipart bodies could be handled by other techniques.
>>>
>>> See section 8.2 in the DKIM spec which says if you use l= you need to
>>> be careful with your MIME boundaries so naughty people can't add another
>>> part that overlays the real message. >
> Agreed there's risk in HTML hiding content and showing malicious things but
> that risk has existed before.  An updated DKIM authenticator could help us
> understand who did those malicious updates along some forwarding path.


ARC can do better for such kind of forensic analysis.


>> [...]  Hence I retract what I said in my previous message[*], that l=
>> works well with a wide range of mailing lists. >
> Could a way of dealing with "l=" is extending the list-canon
> <https://datatracker.ietf.org/doc/html/draft-kucherawy-dkim-list-canon> ideas
> of identifying signatures by mime-parts into identifying length as well?
> In other words, with list-canon each part generates a hash, and similarly
> each part can have a length of the content in that part that is claimed.
> It also records the content-type for each part.  I'm going to guess that
> this is to help identify changes like what I believe you are concerned
> with.


Those ideas have been ruminated for a while.  See also
https://datatracker.ietf.org/doc/html/draft-crocker-dkim-doseta-00
https://datatracker.ietf.org/doc/html/draft-vesely-smooth-canon-00

In fact, at this point DKIM is what it is, for the good and the bad of it.


>> Anyway, I wouldn't want to authenticate a message that underwent an HTML 
>> footer addition, because it can completely replace the original content in
>> the end recipient's eyes.  My draft requires footers to be plain text.
> 
> I was looking at the footers that Googlegroups puts in, and it seems to add
> them to both the text/plain and text/html parts.  At least one IETF mailing
> list adds a new mime-part with text/plain.  BTW has someone cataloged all
> these possible mailing list changes?


Wikipedia has a list of ten software packages, dunno if it's complete:
https://en.wikipedia.org/wiki/List_of_mailing_list_software
It doesn't dig into their peculiarities.

Mailing lists existed before computers, and are not regulated by strict rules, 
so trying to harness their behavior holds little water.  For example, it is 
customary these days to have discussion fora backed by mailing lists, where 
messages arrive with a From: display name referring to a user while the address 
part points to the forum server.  In that case, the user most likely typed the 
text in a web page, so the From: is not /re/-written, it's written that way 
from the start.  Although those messages have parts that were not written by 
the user, it is not possible to catalogue the changes.  And not even ARC can 
handle such messages in a way that would results in a From: address pointing to 
the real author.


Best
Ale
--

v2.23.0 | Report a Bug | By Email