Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 13 July 2021 11:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8u60kxGAbi-fQWOC9cidURAHDE4>

I understand that under the current specification, PCT has been useful
because P=NONE with PCT=100 produces different results than QUARANTINE with
PCT=0. This is an anomaly that I would hope we can fix, but if not, we
need to specify that the only valid settings are PCT=0 or PCT=100. The
specification should force numbers between 1 and 99 to be interpreted as
either 0 or 100.

The current PCT specification is fatally flawed because the denominator is
undefined and unstable. Suppose that a domain owner concludes that most
but not all of his traffic will produce DMARC PASS. Should the percentage
be based on message volume or Source IP counts? Either way, the volume
distribution received by any single evaluator will be different than the
volume distribution sent out.

But the larger problem is that the evaluator is performing a conditional
probability, because the policy is only applied to messages that produce
DMARC FAIL. If there is no impersonation, an unauthenticated message has
a 100% probability of being legitimate. The denominator is determined by
the volume of impersonation messages, not by the volume of legitimate
messages. The percentage offered by the sending domain owner is useless.

Next, assume that an accurate probability can be determined, and that 80%
of unauthenticated messages are legitimate and 20% are impersonations.
Does it make sense to apply that probability rule to message disposition?
It will produce these results:

Legitimate and DMARC ignored, message accepted = 80%*80% = 64% of total

Legitimate and DMARC enforced, message blocked = 80%*20% = 16% of total

Impersonation and DMARC ignored, message accepted = 20%*80% = 16% of total

Impersonation and DMARC enforced, message blocked = 20%*20% = 4% of total

Therefore, the correct decision is applied only 68% of the time, and the
wrong decision is applied 32% of the time. This is unsatisfactory for
protecting against ransomware, and also unsatisfactory for reliably
delivering wanted messages.

The actual volume of impersonating messages will be determined by the
spammer, not by the domain owner, so the whole notion of choosing a
percentage is flawed. The domain owner does not have the information
needed to provide a usable percentage. The message evaluator can only
determine the percentage by carefully examining many messages and
categorizing the source. Once the source is categorized, guessing is no
longer necessary and the percentage is irrelevant.


Doug Foster
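
Added example, not part of the original message: the four-outcome arithmetic above, generalized so the share of legitimate mail among DMARC-failing messages can vary while the pct value stays fixed. It assumes the post's "DMARC enforced" 20% corresponds to pct=20 applied as an independent random draw per failing message; the function names are hypothetical.

```python
import random

def pct_outcomes(legit_share, pct):
    """Analytic split of DMARC-failing mail under pct sampling.

    legit_share: fraction of DMARC-failing messages that are legitimate
    pct: pct tag value (0-100); the policy is enforced on that share
    Returns each outcome as a fraction of all DMARC-failing mail.
    """
    enforce = pct / 100.0
    imp_share = 1.0 - legit_share
    out = {
        "legit_accepted": legit_share * (1 - enforce),
        "legit_blocked": legit_share * enforce,
        "imp_accepted": imp_share * (1 - enforce),
        "imp_blocked": imp_share * enforce,
    }
    # Correct decisions: legitimate mail accepted, impersonation blocked.
    out["correct"] = out["legit_accepted"] + out["imp_blocked"]
    return out

def simulate(legit_share, pct, n=100_000, seed=1):
    """Monte Carlo check: one independent draw per failing message (assumed model)."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(n):
        is_legit = rng.random() < legit_share
        enforced = rng.random() * 100 < pct
        # Correct when exactly one holds: legit and not enforced,
        # or impersonation and enforced.
        correct += (is_legit != enforced)
    return correct / n

def sweep(pct, legit_shares):
    """Correct-decision rate for one published pct as the mail mix shifts."""
    return {s: round(pct_outcomes(s, pct)["correct"], 4) for s in legit_shares}

if __name__ == "__main__":
    # Constructed mixes: the domain owner publishes pct once, but the
    # impersonation volume (and so legit_share) is set by the sender of it.
    for share, rate in sweep(20, [1.0, 0.8, 0.5, 0.2]).items():
        print(f"legit share {share:.0%}: correct decision {rate:.0%}")
    print("simulated, 80% legit, pct=20:", simulate(0.8, 20))
```

With pct held at 20, the correct-decision rate moves from 80% to 32% as the legitimate share of failing mail drops from 100% to 20%.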