IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Mark Alley <mark.alley@tekmarc.com> Sat, 15 April 2023 03:37 UTC

Return-Path: <mark.alley@tekmarc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79F14C14CE33 for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:37:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.096
X-Spam-Level:
X-Spam-Status: No, score=-6.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FUZZY_PAYPAL=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tekmarc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmKIGSc1Clse for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:36:59 -0700 (PDT)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1763AC14CE24 for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:36:59 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id d15so3102489pll.12 for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:36:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tekmarc.com; s=google; t=1681529818; x=1684121818; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MHa+AvSIt2AKYcaaIlf2WByruqYYs7mzaYWyKd1m8b4=; b=XOzeQ3FoPCnl/qdxLiNPsjMCNZBOTUEhWTd7ZRJXZd++YEPl+eamiuuXJPibPVjF5Z JVdsVqvsE2RpUTiaNP3FfrB6tahwV4mcuZjV0ZQx8wcK63tEK5NA0D5jKTE5F6e3wq5L GXAjqBmSMJ27ZxUq5hT88xKsDuI1c4vogDwsq4bzO8EImuk2+PWTKS/jbs4un51MVCbO trOZwpV17MucjQ0vXQ9zYUGubYLpiwNHE6Zdl4R6wG6cmJ25fzJ1OPYKU4gUXLRzt7md Z0EaqK95O+S5alBnPtRC+22sCTrgBZGSoyO00fb6wBY0ZDMSX+RsNIKFr/smU8KPLeH/ MTxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681529818; x=1684121818; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MHa+AvSIt2AKYcaaIlf2WByruqYYs7mzaYWyKd1m8b4=; b=eKqi649BcTMvjDiA5nHYUNk4WYMRDzoq4P6VzWiGSle1l8LDs1B0UHE48s9CTdHmWg p2oGUXt67Lv/5VQyqNfTPISKhRVMKADpTpHMPX5Lokigkk52+haBMMxPLad4ACpw8hdg ChHLAjjitIna3rQThkfU4XEOzwZMCLVBrduIX+RrNO1H97+1vVxBada4KBO9+bAZlxp9 oMO60CVQwcc7+PimQ/FljnwrDzU9CtAw8VrTjm9AYiT4LX+CL1ghquCed6dJyTDFc+Og hqbp+g3gD3B3VOmNW0pgqW65Ez50R0obt91v9u20H/dO8746wKbutPGSGgJxCsVDZsvu etPg==
X-Gm-Message-State: AAQBX9ep8yYv6yDW0lWBFeK9PjTscmCzpmkh8tbmk5UE7it3Qk6i/PdF eT0F2yEcO7Fm3RsIejO0/Rh35vULFLBbQLVC/lq3mw==
X-Google-Smtp-Source: AKy350bMXpSKE7cEQaISh2Vm5UHXwgPsqbdpViwe9jXPp1JoEYAOebpUgB9QbAzmz6Y204GC3fUkHZGNMlVR99PY0uM=
X-Received: by 2002:a17:90a:4403:b0:246:ac0b:9d40 with SMTP id s3-20020a17090a440300b00246ac0b9d40mr7883860pjg.15.1681529818162; Fri, 14 Apr 2023 20:36:58 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <CAL0qLwYrXAgP5qR6B+aTU5gop07E1AzC+QWTOixbJSq1occe5A@mail.gmail.com> <CAFcYR_VzGmukoB18f1FW5PdXaD=bG6u-_yOSV2kz4NYOVS-9QA@mail.gmail.com> <6539122.tkA9bUOPov@localhost>
In-Reply-To: <6539122.tkA9bUOPov@localhost>
From: Mark Alley <mark.alley@tekmarc.com>
Date: Fri, 14 Apr 2023 22:36:48 -0500
Message-ID: <CAP1hoyTh51XgmxQVKiCqqWpfRpivJBk7qjbTcK-zwxc4eOgqkQ@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007dc98405f957abc0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/J3BBpDZLY5piUAqNZL2b1RAMoys>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 03:37:03 -0000

I'm aware of some mail relays of several orgs and a few SaaS providers that
from munge to prevent spoofing of other domain's from their internal
users/servers that may be sending through them.

I believe NETsuite is one such example, not necessarily conditionally, it's
just blanket munging (regardless of policy) with the display name field
reflecting the actual sender.

- Mark Alley


On Fri, Apr 14, 2023, 10:28 PM Scott Kitterman <sklist@kitterman.com> wrote:

> One thing that would be super nice and not have any negative
> interoperability
> impacts relative to DMARC is if the From munging was limited to domains
> that
> publish p=reject (as this list does).  I don't recall having seen it
> outside
> IETF lists.
>
> Scott K
>
> On Friday, April 14, 2023 11:12:25 PM EDT Emanuel Schorsch wrote:
> > I agree there are no silver bullets. But different policies make fighting
> > abuse harder or easier. To give a concrete example we see huge volumes of
> > abuse spoofing "gmail.com" fromHeader. There are also a huge number of
> > benign parties that have become accustomed to spoofing "gmail.com". This
> > makes it much more challenging to get it perfectly right when
> > distinguishing the abusive cases from the benign cases. I point this out
> > mainly to emphasize two points:
> > 1) There is real abuse happening for domains that don't yet have a policy
> > beyond p=none. This abuse has noticeably higher volumes than other
> sources
> > of spoofing.
> > 2) When benign traffic routinely follows the same practices as
> > spammers/phishers it makes it more difficult to cleanly separate the
> > buckets.
> >
> > Compare this to the abuse levels we see spoofing Paypal, a domain with a
> > p=reject policy. Of course there's no silver bullet and the levels aren't
> > zero. There is DisplayName spoofing, there is cousin domain spoofing.
> But,
> > it is substantially easier to mitigate against these because there are
> very
> > few benign users sending mail from paypaI.com (using a capital i), or
> using
> > a display name of "Paypal" signing with random domains and sending large
> > volumes. From what I have seen, spoofing a domain like Paypal is
> > substantially harder to scale because the benign and abusive cases are
> much
> > more cleanly separated.
> >
> > I would love to find a way for Mailing Lists to operate without the pain
> of
> > from-munging and also give domains like gmail.com a tool to protect
> > themselves. Obviously we are not there yet, so instead there is a very
> real
> > and painful tradeoff to consider. I don't know what the solution is
> (maybe
> > mailing lists can use from-munging, ARC and X-Original-From and
> destination
> > receivers that participate can then unmunge it if that receiving user
> > trusts that mailing list?). But I think we should be able to agree that
> > there is a real security risk that stricter DMARC policies provide value
> > against, AND that those stricter policies degrade the mailing list
> > experience. Of course that says nothing about whether or not that
> tradeoff
> > is reasonable or should be made :)
> >
> > Instead of being forced to pick between two unappealing options I would
> > love to put more effort into figuring out solutions that make both cases
> > work. Maybe there is no solution. But I am optimistic that with some
> > creative thinking and group problem solving we can work out something
> that
> > protects against domain impersonation and allows Mailing Lists to work
> more
> > effectively than the current solutions.
> >
> > On Fri, Apr 14, 2023 at 10:08 PM Murray S. Kucherawy <
> superuser@gmail.com>
> >
> > wrote:
> > > On Fri, Apr 14, 2023 at 6:47 PM Douglas Foster <
> > >
> > > dougfoster.emailstandards@gmail.com> wrote:
> > >> Unless a mailing list has controls in place to ensure that EVERY post
> > >> comes from the asserted participant, it is the height of hypocrisy to
> ask
> > >> an evaluator to assume that the post is from the asserted participant.
> > >>
> > >>  IETF cannot do even the easiest part of that task, so I have no
> reason
> > >>  to
> > >>
> > >> expect better elsewhere.
> > >
> > > Nobody is asking the evaluator to assume anything.  That's what email
> > > authentication is about; it shouldn't assume anything, and you only
> really
> > > know something when you get a "pass".  Reacting harshly to a "fail"
> when
> > > there are so many legitimate ways the current authentication schemes
> can
> > > fail is folly.  But people are looking for silver bullets, so here we
> are.
> > >
> > > A world free of fraudulent email is a laudable goal, of course.  But
> since
> > > DMARC can only actually affect direct domain attacks, and makes no
> > > discernible attempt to mitigate cousin domain or display name attacks
> to
> > > which attackers can trivially switch, I think I'd like to see some
> proof
> > > that it staves off enough of the darkness to be worth this level of
> > > defense.
> > >
> > > -MSK, participating
> > > _______________________________________________
> > > dmarc mailing list
> > > dmarc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dmarc
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email