Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

Joseph Brennan <brennan@columbia.edu> Thu, 23 July 2020 13:07 UTC


On Mon, Jul 20, 2020 at 6:05 PM Jesse Thompson
<jesse.thompson=40wisc.edu@dmarc.ietf.org> wrote:
>
> It calls into question whether we (or any domain) should publish DMARC policies.  Gmail.com doesn't publish a DMARC policy, after all, and many people (such as some on this list) are using gmail.com to subscribe to lists, and they don't have to suffer the consequences of DMARC.
I interpret Gmail's approach as a fine marketing decision. It means
mail from gmail.com is more deliverable than mail from yahoo and aol.
They must be smiling every time some domain rejects end-user mail for
DMARC violations.

>
> I think that we just have to agree that From-munging by MLMs is a permanent reality.  It needs to be documented more prominently (and promoted as part of the DMARC marketing) so that implementations are more consistent, so that un-munging tactics and/or MUA behavior can be consistently implemented.
>

I'd be happier for the proposed standard to say that DMARC policy
"SHOULD NOT" be compromised by rewriting From lines-- and see how that
goes over. My reasoning is that blessing the practice makes it easier
for bad actors to craft spoofed mail and get it accepted. The opposite
of the purpose of DMARC, isn't it?

-- 
Joseph Brennan
Lead, Email and Systems Applications
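A worked illustration of the three situations the thread argues over, added here as an example and not part of any message in it: a sender domain with no DMARC record (gmail.com), a p=reject sender relayed through a list with its From intact, and the same message after the list rewrites From to its own domain. The policy table, the list domain example-list.org and the simplified organizational-domain rule are constructed assumptions standing in for real DNS lookups and the Public Suffix List.

```python
# Added example, not code from the thread: a minimal DMARC identifier-alignment
# evaluator (RFC 7489 style) used to show why an MLM's From rewrite changes the
# DMARC outcome. Policies are a constructed, hard-coded stand-in for
# _dmarc.<domain> TXT lookups; gmail.com is deliberately absent, as in the thread.
from dataclasses import dataclass, field

DMARC_POLICIES = {
    "yahoo.com": {"p": "reject", "adkim": "r", "aspf": "r"},
    "example-list.org": {"p": "none", "adkim": "r", "aspf": "r"},  # assumed list domain
}

def org_domain(domain):
    # Simplified organizational domain (last two labels); real
    # implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    from_domain: str                 # RFC5322.From domain
    spf_domain: str = ""             # MAIL FROM domain if SPF passed, else ""
    dkim_domains: list = field(default_factory=list)  # d= of passing signatures

def evaluate(msg):
    """Return (result, policy): result is 'pass', 'fail' or 'none' (no record)."""
    policy = DMARC_POLICIES.get(org_domain(msg.from_domain))
    if policy is None:
        return "none", "none"        # no record published: nothing to enforce
    spf_ok = bool(msg.spf_domain) and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = any(aligned(msg.from_domain, d, policy["adkim"]) for d in msg.dkim_domains)
    return ("pass" if spf_ok or dkim_ok else "fail"), policy["p"]

# Constructed scenarios: the list re-sends with its own MAIL FROM and DKIM signature.
# 1. gmail.com author via the list: no policy, so no consequences for the author.
gmail_via_list = Message("gmail.com", "example-list.org", ["example-list.org"])
# 2. yahoo.com author via the list, From untouched: unaligned, p=reject applies.
yahoo_via_list = Message("yahoo.com", "example-list.org", ["example-list.org"])
# 3. Same message after the list rewrites From to itself: aligned with the list's
#    own identifiers, so DMARC passes under the list domain's policy, not yahoo's.
yahoo_munged = Message("example-list.org", "example-list.org", ["example-list.org"])

if __name__ == "__main__":
    for name, m in [("gmail via list", gmail_via_list), ("yahoo via list", yahoo_via_list),
                    ("yahoo munged", yahoo_munged)]:
        print(name, evaluate(m))
```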