Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dotzero <dotzero@gmail.com> Mon, 17 August 2020 14:33 UTC

From: Dotzero <dotzero@gmail.com>
Date: Mon, 17 Aug 2020 10:33:39 -0400
Message-ID: <CAJ4XoYfyxQTV_gFAJVPNW8V6s4aRCJBUTeJM89i5yiV_r9N9DQ@mail.gmail.com>
To: Laura Atkins <laura@wordtothewise.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EDIhXIMlF8ruMjDQ4Kv35iPBLEc>

On Mon, Aug 17, 2020 at 10:01 AM Laura Atkins <laura@wordtothewise.com>
wrote:

>
>
> On 17 Aug 2020, at 14:18, Dotzero <dotzero@gmail.com> wrote:
>
>>
>> And, 17 years on, we know that domain level authentication doesn’t
>> actually help filter spam nor does it provide law enforcement with a potent
>> tool for locating and identifying spammers. It was promising, it didn’t
>> live up to the promise.
>>
>> There were a lot of things thrown at the wall during those 3 days of talks. One
>> of them was domain level opt-out. Another was a global opt-out list similar
>> to the postal opt-outs run by the DMA. Another was a technology called
>> TEOS. HashCash. The list of things we discussed as promising solutions was
>> extensive. Just because we discussed a particular kind of solution does not
>> mean that anything was decided. It also doesn’t mean that any particular
>> solution mentioned was workable.
>>
>>
>> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day1.pdf
>>
>> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day2.pdf
>>
>> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day3.pdf
>>
>>
>>
>> Thanks.  Let me quote a paragraph by Paul Q. Judge, from the 3rd pdf:
>>
>>    It doesn't require that one day everyone turns it on and we begin
>>    to drop the rest of the e-mail and break e-mail.  If a domain
>>    decides to turn it on, then they've prevented forgery for their
>>    domain and they're protected.  For persons that have not turned it
>>    on, then their e-mail still flows but they are not able to
>>    stop people from forging messages from their domain.  So, I think
>>    it's something useful and can be deployed incrementally.
>>
>>
>> We know, now, that turning on domain level protection does not stop
>> phishing attacks against that company. It stops direct spoofing of the
>> domain, but the phishers simply use a completely different domain. Just
>> this weekend I got a PayPal phish. PayPal, who helped invent DMARC, are still
>> getting spoofed and phished. Sure, the phishers aren’t using the
>> paypal.com domain, but that doesn’t seem to have any effect on their
>> success at stealing money from people.
>>
>
> You raise an interesting point, Laura. Whatever "solutions" we put in
> place, the abusers/bad guys will evolve. One of the problems for the good
> guys (for some definition of good) is that standards work takes years
> (decades?) while the bad guys change their tactics at will. Crime existed
> before the Internet and will continue long after we are all dead and buried.
>
>
> Totally agreed. The issue here is that DMARC is a fundamentally flawed
> model for preventing phishing. Phishers were adapting to mailbox provider
> filters even before DMARC and there was a lot of cousin and non-look-alike
> domain phishing even during the initial discussions. I know these issues
> were brought up during discussion of the protocol. Unfortunately, they
> weren’t sufficiently addressed and now we’re at a point where, to my mind,
> DMARC doesn’t fix anything while also breaking a lot of ways folks use mail.
>
>
DMARC fixes one thing and one thing only, direct domain abuse. Not cousin
domains, not homoglyphs and not a whole bunch of other things. It
was successful in achieving its intended purpose. It was initially
developed and deployed privately as a "private club". The intent in making
it a public standard was to enable any domain, regardless of size or
connections to be able to participate if that domain needed to fight direct
domain abuse, noting the caveats regarding individual user accounts vs
transactional email.

> It’s a little late now to go back. I think this is an opportunity to think
> about the underlying technical problems as well as a chance to revisit the
> assumptions about how email is used. Discussing things like Dave’s drafts
> will give us a chance to talk about how people actually use email to
> communicate with one another. And how we can allow brands what they want
> without breaking email too much for the rest of us.
>
> It seems we're still stuck midstream...
>>
>>
>> Stuck at what? Many of the people who were at that conference are still
>> working in the field and understand both the purpose and what came out of
>> the forum. I’d also say that most of what happened there is a nice bit of
>> history but is also irrelevant to addressing the spam problem as it is now.
>> Email has evolved significantly in the last 5 years, much less the last 15.
>> We can use the discussion as history to say “we looked at this and it
>> didn’t work” but I don’t really see a lot of value in saying “let’s retread
>> things from a decade and a half ago that didn’t work.”
>>
>
> I think the most useful thing we can say about the FTC workshops is that
> they were a
> forcing mechanism that instigated a lot of effort and innovation in the
> space. Some of those efforts fell by the wayside and some still persist.
>
>
> You think? I’m not sure I’d agree. I saw the workshop as mostly a
> political (and educating the politicians) exercise. The effort and
> innovation were already there and being done by a lot of people who weren’t
> there. I’m kinda bemused by the importance folks have assigned to it in
> relation to the vastly different email ecosystem we have today.
>
I think this is a matter of perspective. DK was gaining
traction because...Yahoo! SPF was not that widely deployed (yet). I wrote
about the FTC being a forcing mechanism because of the threat of
regulation. The threat wasn't formal and it wasn't specific as to what it
meant, but it certainly got people's attention.

 Michael Hammer
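
Added example, not part of the original message or of any DMARC implementation: a sketch of the identifier-alignment check behind the "direct domain abuse only" point above, with a defender-side look-alike flag next to it. All domains and results are constructed; `org_domain` assumes a two-label organizational domain instead of consulting the Public Suffix List, and the confusable table is a small hypothetical subset.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain (what DMARC protects)
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str   # d= of the signature that verified

def aligned(a: str, b: str, strict: bool = False) -> bool:
    a, b = a.lower(), b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_pass(r: AuthResult, strict: bool = False) -> bool:
    # Pass needs one mechanism that both verified AND aligns with From.
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, strict)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, strict)
    return spf_ok or dkim_ok

CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like(from_domain: str, protected: str, max_dist: int = 2) -> bool:
    # Separate control from DMARC: flag From domains near a protected one.
    cand = org_domain(from_domain)
    if cand == protected:
        return False
    return edit_distance(cand.translate(CONFUSABLE), protected) <= max_dist

# Constructed samples. Every sender authenticates its own mail correctly.
SPOOF = AuthResult("example.com", True, "mailer.sender.example", True, "sender.example")
COUSIN = AuthResult("examp1e.com", True, "examp1e.com", True, "examp1e.com")
UNRELATED = AuthResult("account-security.test", True, "account-security.test",
                       True, "account-security.test")
SUB = AuthResult("news.example.com", False, "bounce.esp.example", True, "example.com")

if __name__ == "__main__":
    for name, r in [("spoof", SPOOF), ("cousin", COUSIN), ("unrelated", UNRELATED)]:
        print(name, dmarc_pass(r), looks_like(r.from_domain, "example.com"))
```

Only the direct spoof fails DMARC; the cousin domain passes and is caught only by the look-alike check, and the unrelated domain passes both.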