Re: [dmarc-ietf] Issue submission - Mailing list security and potential solutions using DMARC
Doug Foster <fosterd@bayviewphysicians.com> Wed, 16 September 2020 17:16 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/G2VJLgZdlwoOiqUVazsVhoBryzc>
I cannot agree with your logic.

Assuming that you want your email gateway to accept this message, it is because the list and the organization behind it have a positive reputation with you. Your trust in this message is not because you have a prior relationship or reputation data for each individual list member. Indeed, we do not even know the complete list of members from whom reputation data would need to be assembled.

DMARC requires one of two actions:
- either the list confirms its identity to your email gateway by altering the From Address, or
- your email gateway is configured to confirm the list identity using other parameters such as an SPF-verified SMTP From Address.

There is no evasion of identity. By either method, there is formal verification of identity where there was previously no verification.

I understand the disruption when From-Rewrite was not available and AOL was not willing to create exceptions. I understand the perceived inconvenience of a rewritten From address. But I see the network of trust only enhanced, not diminished, by the DMARC mechanism.

Doug Foster

-----Original Message-----
From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Joseph Brennan
Sent: Wednesday, September 16, 2020 11:03 AM
To: IETF DMARC WG
Subject: Re: [dmarc-ietf] Issue submission - Mailing list security and potential solutions using DMARC

What I mean is that mailing list software developers were obliged to find a variety of ways to evade dmarc enforcement, for the sake of delivering legitimate mail, and mailbox server developers learned to allow mangled mail for the same reason. Widespread acceptance of email that evades an authentication method diminishes its effectiveness.

On Wed, Sep 16, 2020 at 10:46 AM Dotzero <dotzero@gmail.com> wrote:
>
> On Tue, Sep 15, 2020 at 12:02 PM Joseph Brennan <brennan@columbia.edu> wrote:
>>
>> On Tue, Sep 15, 2020 at 11:55 AM John Levine <johnl@taugh.com> wrote:
>>>
>>> In article
>>> <CAMSGcLDKRMbJ_30jZdKE_6hkKaktwBxU6_E=E=bnK2_CKMNEXw@mail.gmail.com>
>>> , Joseph Brennan <brennan@columbia.edu> wrote:
>>> >"Domain administrators must not apply dmarc authentication to
>>> >domains from which end users send mail that may be re-sent via
>>> >lists or automatic forwarding." -- done. Then dmarc will be simple
>>> >and reliable, and bank statements and similar messages are
>>> >protected as intended. Building in a standard workaround
>>> >significantly weakens the whole concept, doesn't it?
>>>
>>> Unfortunately, we have ample evidence that domain operators will
>>> ignore that advice.
>>>
>>> According to someone who was in the room when Yahoo flipped the
>>> switch, the person in charge said words to the effect that I know
>>> this will screw up everyone's mailing lists and I don't care.
>>>
>>
>> The irony is, the result being to diminish the effectiveness of dmarc for everybody.
>>
>>
>> Joseph Brennan
>> Lead, Email and Systems Applications
>> Columbia University Information Technology
>>
>
> Can you support your assertion with data? There was zero change post-yahoo/AOL implementation vs pre-yahoo/AOL implementation for the organization I worked for at the time.
>
> Michael Hammer

--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
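
The two options named in Doug Foster's reply (From rewriting by the list, or a gateway rule keyed on the list's SPF-verified SMTP From address), sketched as receiver-side logic. This is an added example, not part of the original messages or of any participant's software; the domains, `trusted_lists`, `Message`, and function names are hypothetical, and the organizational-domain lookup is simplified to the last two labels.

```python
from dataclasses import dataclass

def org_domain(domain):
    # Assumption: last two labels; a real receiver consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

@dataclass(frozen=True)
class Message:
    header_from: str          # domain of the From: header address
    mail_from: str            # domain of the SMTP MAIL FROM (envelope sender)
    spf_pass: bool            # SPF result for mail_from
    dkim_pass_domains: tuple  # d= domains whose DKIM signatures verified

def dmarc_aligned(msg):
    """Relaxed alignment: SPF or DKIM passed for the From: organizational domain."""
    target = org_domain(msg.header_from)
    spf_ok = msg.spf_pass and org_domain(msg.mail_from) == target
    dkim_ok = any(org_domain(d) == target for d in msg.dkim_pass_domains)
    return spf_ok or dkim_ok

def gateway_verdict(msg, trusted_lists=frozenset()):
    # Option 1: the list rewrote From:, so DMARC passes on the list's own domain.
    if dmarc_aligned(msg):
        return "accept: dmarc-pass as " + org_domain(msg.header_from)
    # Option 2: local rule identifies the list by its SPF-verified envelope sender.
    if msg.spf_pass and org_domain(msg.mail_from) in trusted_lists:
        return "accept: list identity " + org_domain(msg.mail_from)
    # Otherwise the From: domain's published policy applies.
    return "dmarc-fail: apply From-domain policy"

# Constructed samples: a list at lists.example.org relays a post written by a
# user at author.example; the list's body changes broke the author's DKIM signature.
REWRITTEN = Message("lists.example.org", "lists.example.org", True,
                    ("lists.example.org",))
ORIGINAL_FROM = Message("author.example", "lists.example.org", True,
                        ("lists.example.org",))

if __name__ == "__main__":
    print(gateway_verdict(REWRITTEN))
    print(gateway_verdict(ORIGINAL_FROM, trusted_lists={"example.org"}))
    print(gateway_verdict(ORIGINAL_FROM))
```

In both accepting branches the identity that was verified is the list's domain, not the original author's.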