IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

Jesse Thompson <jesse.thompson@wisc.edu> Tue, 18 August 2020 18:05 UTC

Return-Path: <jesse.thompson@wisc.edu>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D31DB3A099B for <dmarc@ietfa.amsl.com>; Tue, 18 Aug 2020 11:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.048
X-Spam-Level:
X-Spam-Status: No, score=-2.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_PHARMACY=1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.949, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wisc.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqvqn5WVncFp for <dmarc@ietfa.amsl.com>; Tue, 18 Aug 2020 11:05:47 -0700 (PDT)
Received: from wmauth4.doit.wisc.edu (wmauth4.doit.wisc.edu [144.92.197.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53F5F3A09A3 for <dmarc@ietf.org>; Tue, 18 Aug 2020 11:05:47 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2177.outbound.protection.outlook.com [104.47.55.177]) by smtpauth4.wiscmail.wisc.edu (Oracle Communications Messaging Server 8.0.2.4.20190812 64bit (built Aug 12 2019)) with ESMTPS id <0QF900R7AU91HZG0@smtpauth4.wiscmail.wisc.edu> for dmarc@ietf.org; Tue, 18 Aug 2020 13:05:25 -0500 (CDT)
X-Wisc-Env-From-B64: amVzc2UudGhvbXBzb25Ad2lzYy5lZHU=
X-Spam-PmxInfo: Server=avs-4, Version=6.4.7.2805085, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2020.8.18.180018, AntiVirus-Engine: 5.75.0, AntiVirus-Data: 2020.7.23.5750001, SenderIP=[104.47.55.177]
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TGv3PtoXgAUqDMxcd2g7jBsIZty2NI4EZX403uNZJkRCsYFpP6L4P3V3F0AcIzFFYhUcWUVwz2Dv6nUBs40uQ8dL5lagg36t25V0p9Xgd2kxMrwsLeBJJoM5TWPHCZk5BBUMwUkuoI4jLCgaG1HwK3rBMjwsMzMKQNluOgmEGN3rmWACozBOSpOtAce4gd8ZxNAfMQ8ffxDKwy1odsh3TC8I0ZLZArkdJqScNjl2ZYgEhhxweOixBr42jc4wPNJchiG4Mpj2Miw1y68loRa/RPdBZEhAcgfxeAdUyU3n+L6Rx1Pc5JJh5dMdpLtKS/zZ7jC3rTDP9BiQ283o3kBvBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E5UbmJQQGEd6qMKFsXmmtj6QDUJk99/WzMXBgYdwi7A=; b=FWXKYXMIGtABUDGAzJeRahdlujCMq6nTXlQIETqPws6fK3iPRI1pNgYCksngpl+ZVX8WR73leID2ZyNtytWfm+6vITltZ0+S/CAI1mxtALAj5XO+K1shvT7Ex6XvSXlkdamLhyv/Qw4KyBJuGPu+tBhGewbMfzGR+6Pq/dp4q+NnmUcOc/uButgunHtqZsqTum2fWWVt7UBFZ44n76BtD4kHy34k18N+22gCHH6gsBKokzvmmU3vzh7HVkhO24cBLzqhw+Vy59vsbjfcZT7y2DqHiG1FjEjFPA+EH8KuiQJRWf6hqncBHe+8hDYqQ8/j/vCQ7fiBIJTFAejLR70qwA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wisc.edu; dmarc=pass action=none header.from=wisc.edu; dkim=pass header.d=wisc.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisc.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E5UbmJQQGEd6qMKFsXmmtj6QDUJk99/WzMXBgYdwi7A=; b=MqQt/C7/THyYW1OktmaZqkCDpvz8xJSw2wL9JjaWQKQAV6WXIOzoDUNrjrksrlx0AAmF9zBuTMumlOV4Nd5wEuySBx9V5dpC+rsfahuozaDJo32uky5xSG9uvoJri1vPHRTXFIocNcc7s0jGwKFF9G8tx357HKC7T3WUA+kC4OU=
Received: from CY4PR0601MB3668.namprd06.prod.outlook.com (2603:10b6:910:91::31) by CY4PR06MB2918.namprd06.prod.outlook.com (2603:10b6:903:13c::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.22; Tue, 18 Aug 2020 18:05:24 +0000
Received: from CY4PR0601MB3668.namprd06.prod.outlook.com ([fe80::d873:6271:eb77:2ef7]) by CY4PR0601MB3668.namprd06.prod.outlook.com ([fe80::d873:6271:eb77:2ef7%6]) with mapi id 15.20.3283.028; Tue, 18 Aug 2020 18:05:24 +0000
To: dmarc@ietf.org
References: <20200808023259.1D07F1E60C2D@ary.qy> <977bbb4f-c393-0314-df72-17f342f2f975@wisc.edu> <59f44f8b-9a7d-2dc2-37d9-ed6b0c40fb40@tana.it>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <be807534-c4f8-6ecc-45e4-b3d03e9b7c20@wisc.edu>
Date: Tue, 18 Aug 2020 13:05:11 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Thunderbird/81.0a1
In-reply-to: <59f44f8b-9a7d-2dc2-37d9-ed6b0c40fb40@tana.it>
Content-type: text/plain; charset="utf-8"
Content-language: en-US
Content-transfer-encoding: 7bit
X-ClientProxiedBy: CH2PR07CA0005.namprd07.prod.outlook.com (2603:10b6:610:20::18) To CY4PR0601MB3668.namprd06.prod.outlook.com (2603:10b6:910:91::31)
MIME-version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.0.2.111] (47.12.96.133) by CH2PR07CA0005.namprd07.prod.outlook.com (2603:10b6:610:20::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.24 via Frontend Transport; Tue, 18 Aug 2020 18:05:23 +0000
X-Originating-IP: [47.12.96.133]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 5664a0d1-3194-4f55-59c7-08d843a14769
X-MS-TrafficTypeDiagnostic: CY4PR06MB2918:
X-Microsoft-Antispam-PRVS: <CY4PR06MB291836A6D0253196D94C5042F65C0@CY4PR06MB2918.namprd06.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: F7T+ZA4Pxe7eM613ZZAhyLFMvuwoO8/d0UPjtuRdezcxs1Un84Hl/MIZcg2wuHmyBhUwBs3mkX33Y1DjD41qu6FNp4FJhaDGra8eLG/+dDpTPbfeV4ZLQfiK8lxENi93D/uWSaHJUtjq2YoeGrheItjCVgOgQs1ZWvivp9EK9L6a8KOzn+60X0/P/ofymB892Qet5Bc/LxdT3QcScxsqgK3xVIWNuQbDUt8sVbebhq9VHReeXVW4dODyIwKa0kgCf/MhENGEuD9sdwy4XcscxsAvbbuow0lm5k8S9U/HXwi84z2JLPC4Xa1fzLQgv6T7Z94yg3pzbypr0wsSgxnS/XYP9Ya3H4osu0+fHd3J5A/aZtTGz6DaPuM+RV8nHDVwMu10wxNVAy/1s5+VdH6k3C0p+INvo3uFuB3yIO9OTtWMwkgRMnHAuGIuGOOvbyY0
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR0601MB3668.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(396003)(346002)(366004)(39860400002)(136003)(6916009)(36756003)(66556008)(2906002)(5660300002)(8676002)(66476007)(31696002)(66946007)(86362001)(6486002)(75432002)(478600001)(6666004)(31686004)(16576012)(44832011)(8936002)(16526019)(956004)(26005)(786003)(316002)(186003)(53546011)(2616005)(83380400001)(43740500002)(130980200001)(223123001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: GA9NvxcwoYNdhvErkcokijc85UBOhqAcrpWbF9JARKTohxE1B82RKWAobqKxuUbNR7hARQ25EqpyOlpxT1ff+XAZuIHLhYw5XvYrFySnnQgAV8WvtBmY9WYxlsP4LyYLpeSQF7Qy2TLm97xcN44yYNMpGcjDQ5kzV348rHT3QPcNDYmsj3asId6nMTVLm50pT8/eIZLyWeyRayFCOcJ2nugACvsElTaWJY39cbqMmxiicQjrSLACuRZ13G3YGzXLC6eE/6viAbQ5Rd/a2XpE1EWP6i7gURk5kFtw67xccu52UF1jTMEih7DggBm0/0PVt5RleVzfHq2VsRrPmDh1s5hjVAXyqu1U1OrCHU278sbsmTi/SXcaY2L00ilbm4h/C6yQRErljmZf+Vky2KDfPmLJA9qE20Rl9KcaUaGRzgTMK0X2tItdlEc95JgPwG6R9vrKZR1Sr536A/cqcXu23KKFfdWehp2vMzyOx6ti/370yxImJOV9t3v2/eZOGYYMBxX46zA4+iB1fCo3SIQlyNvt8BEfxX2WBFt4oCkYorRFlNs24Ic0vrMYuvpy8coSbIZSCSAXfid+QE8IeFRLHvZp5gkMkVUN9pR4sHRJJFs/ZOgZqf2wEVHCgqz5/A4fxc1DeRuGtvzyNP2dJ+0ERg==
X-OriginatorOrg: wisc.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: 5664a0d1-3194-4f55-59c7-08d843a14769
X-MS-Exchange-CrossTenant-AuthSource: CY4PR0601MB3668.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Aug 2020 18:05:24.2206 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 2ca68321-0eda-4908-88b2-424a8cb4b0f9
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 7Q234jUwaUjiI+W7g7Gexvf8T4Ok5kEXRSUxL7xmb61r0+8x/PeaHJJjsw84rx1E/M0HpR7syq3JBuE7SXjZIg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR06MB2918
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/LAxCB6H6bf1YtScEw1dRENQkot8>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 18:05:51 -0000

On 8/18/20 3:54 AM, Alessandro Vesely wrote:
> On Tue 18/Aug/2020 01:39:16 +0200 Jesse Thompson wrote:
>> On 8/7/20 9:32 PM, John Levine wrote:
>>>> We need spoofing protection for all of our domains without being told we're misdeploying.
>>>
>>> I would be interested to better undertstand the meaning of "need"
>>> here. It is my impression that most people vastly overestimate how
>>> much of a phish target they are. Paypal and big banks certainly are,
>>> other places, a lot less so.
>>
>> (Sorry, I was on a much-needed vacation.)
> 
> 
> Much *needed*?  Oh, well...

Anecdotally.  My family can attest, if that helps ;-)


>> Ok, that's fair, I should have realized that one was over-stated.  *Need* would imply that domain-spoofing is more common than it is in reality.
> 
> 
> Yes, domain spoofing is common.  You don't need to be PayPal to be spoofed.  Then, one can say it's an innocuous kind of abuse.  Since you're not PayPal, it's just noise.  Yet, in a perfect word, I'd opt to avoid it.

Yes, I just can't prove it to the extent that the people saying we're "misdeploying" DMARC would expect me to.  How do I tell the difference between a faculty member innocently using Gmail to send from their personal address within our domain vs. a bad actor doing the same to send spear phishing to a peer at another university?  In my mind, I should just assume that it's a problem, or is potentially a problem, so I'd rather nip it in the bud by deploying DMARC on domains used by users.


>> Cybersecurity-minded folk in EDU tend to equate observed inbound phishing with spoofing (even though most phishing is spoofing the display name and message bodies, not the domain) and conclude that they *need* DMARC without really understanding the nuances.  Given the opportunity that DMARC marketing promises, they definitely *want* inbound DMARC enforcement for domain-spoofing of inbound mail (they'll defer to the email-minded folk to figure out the local policy exemptions, ARC, etc), as well as *want* domain policies that prevent the potential domain spoofing scenarios of owned domains (again, the email-minded folk will figure out how to actually "misdeploy" DMARC).  To them, it's just a checkmark towards some "maturity" benchmark that they use to compare to their peers.
> 
> 
> Nice synthesis.  They believe DMARC works as advertised.  What does it take to believe that DMARC /could/ work as advertised?

It seems like we're close.  I am glad that you are pushing back (in the other thread) on the notion that DMARC shouldn't be useful for all types of domains.


>> Email-minded folk in EDU, knowing that DMARC doesn't really have much practical application to phishing, like having the observability that DMARC provides, as well as the hammer that moving past p=none provides as a way to coerce their complex, decentralized institution into a more sustainable operation:
>>
>> * Departments sending transactional email - move them to dedicated subdomains (this is where really complex institutions would benefit from walking the domain tree instead of always inheriting from the org domain)
> 
> 
> This is a good idea even without DMARC concerns.

Yes, and those departments that we have converted to subdomains seem to be happy with the result.  It usually takes some convincing, however.  People tend to have a strong preference to associate with the brand of the org domain (which is where we have our users).


>> * People sending user email from random places - move them to authenticated submission (preferably OAuth - since basic authentication is the reason why so many passwords are exposed)
> 
> 
> This sound just like an email-client configuration problem.  It shouldn't be so hard.

Gmail is the most common "client" allowing users to submit mail outside of our supported submission pathways.  In theory, Google could make some improvements to Gmailify (to support more OAuth scenarios) and actively transition their legacy users to reconfigure their Gmail settings to properly use our domain, but it's not a high priority for Google (paraphrasing Brandon; hopefully accurately)

It's not much different than people innocently using any random ESP to send newsletters from their personal address.  Because all of these "clients" allow non-authenticated submission of our domain, users have come to expect it to work and they don't want to be told otherwise.


>> The latter scenario is interesting because a single user sending from a random place doesn't really show up in DMARC aggregate reports.
> 
> 
> Why not?  If they send to DMARC-compliant receivers, their aggregate reports should show records without the right MSA signature, not even failed, and foreign domain authentications only.  That doesn't tell which users misconfigured their client, but gives a good idea of the level of user education one has achieved.

Right, you only get metrics indicating a relative volume of users who may fall into various camps.  It is complicated when the domain is also used for transactional mail; which is something that happens entirely out of our control specifically because DMARC enforcement wasn't in place when email was invented.  

This is where the DMARC reporting analysis services come into play, since they do a good job at identifying the ESPs (from the raw data) that are sending the non-compliant mail.  But again, aggregate reports don't show the left hand side of the address, so they can't be used to identify specific users.  To get that, you need forensic reports, or use SPF macros; both options having their pitfalls.


> It should also show which domains users tend to use for submission, in case an organization wants to automate third-party authorization...

Yes, aggregate reports are great at identifying which of our domains have successfully isolated transactional mail and have set up third-party authorization.  

If we see from aggregates that pharmacy.wisc.edu is using an ESP but have neglected setting up SPF/DKIM per the ESP's instructions, then we know who to reach out to and how to help them.  They're already on the right track, anyway.  That's the happy path.  There are many other scenarios.

Jesse

v2.23.0 | Report a Bug | By Email