Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

Ian Levy <ian.levy@ncsc.gov.uk> Fri, 20 December 2019 13:32 UTC

Return-Path: <ian.levy@ncsc.gov.uk>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD64120111 for <dmarc@ietfa.amsl.com>; Fri, 20 Dec 2019 05:32:31 -0800 (PST)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HGgRlQhe5Gqz for <dmarc@ietfa.amsl.com>; Fri, 20 Dec 2019 05:32:27 -0800 (PST)
Received: from GBR01-CWL-obe.outbound.protection.outlook.com (mail-eopbgr110121.outbound.protection.outlook.com [40.107.11.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C960120025 for <dmarc@ietf.org>; Fri, 20 Dec 2019 05:32:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=X200NNZqe/hAiGDo5oGO+wKjPcK1Js4nmkx5ZMVHeGsgnELFPD1RelpxthmCvJj3q/U+QPXZgcqGfsh/1RcXy/LfD3f/eO0c77BbfFmhPyzFPBWenKPzWkrUMvguMxzImHcpDwLSku+LrnDd6sBGhJ6FDAhdbnXddcHcJ6bfEYTaZn+hPGFd3B9UZflsRnTa7qde0Q/fcfn2Qxk1c4GvvjSv47kAq8Iww4W7EBXhoeiFiSZzlH/QWVgkp3/ogWfcaL3B9PDepbrBuTeZ6ELKi64BvkFOT0NMC1Y1E2d7a97+vSa2JqwxSuTcdsEFKGhEujL9KB6dmS4sCjowmevLJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=anRSCk1/XH709pht26YormrjJBv+HwV5LTGCw0n5tpA=; b=hFiR32phP/SMCNv/nrr/WUlg2wqTwA2oOUV3m+VWREHxQtwDneVJ0E8yy4TM9r7bWGX7mG923vRjfc5Be2v/t/xgnHFej3Xz/dkXyuGr6knDeYK9UMdkFgZhxSuba5n9qJaevpPXlEtyPdCt9o4+zY0CDRMZobesceIPLBOG8SFaJYy+uBe9Wh6jZeqIizgnkaM472dhKBtLBhT/tC4dTSkTGBX+OajSHBu+DFRQmKZK6vPviotQOwCbu9dfA0ylLP3gpTgsXeR3jzdLg+7VGoJzjFcm7AiEmU0EAqvphdtCIZQRN1L5Z4OyudVyNR8LAKu7jHQh3GiBTlfL0gZ87g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=anRSCk1/XH709pht26YormrjJBv+HwV5LTGCw0n5tpA=; b=k8C9LHJiS2D3cQAYmf6fa91QHfrAEf61EA6HmqiYj2Geo/T9vk2EFWl2c72GIhSUhkFhuq54ROZbRLcGzLwqVQTk6+m7LqBGm6nqY0veqY4/HuTptybk2AmK1TjkCainVlTwRgRqB6l54SgpJKVYTk0p68qHrajqKqBBd950MMQ=
Received: from LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM (20.176.157.151) by LO2P123MB2511.GBRP123.PROD.OUTLOOK.COM (20.176.155.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2559.15; Fri, 20 Dec 2019 13:32:24 +0000
Received: from LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM ([fe80::b07d:fef5:217b:2f3d]) by LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM ([fe80::b07d:fef5:217b:2f3d%7]) with mapi id 15.20.2559.016; Fri, 20 Dec 2019 13:32:24 +0000
From: Ian Levy <ian.levy@ncsc.gov.uk>
To: Brandon Long <blong=40google.com@dmarc.ietf.org>, "Kurt Andersen (b)" <kboth@drkurt.com>
CC: IETF DMARC WG <dmarc@ietf.org>, Scott Kitterman <sklist@kitterman.com>
Thread-Topic: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
Date: Fri, 20 Dec 2019 13:32:24 +0000
Message-ID: <LO2P123MB228540329379ED4FBF497072C92D0@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
References: <728d7df1-d563-82f4-bfb3-a65a75fdd662@gmail.com> <082f2102-693c-136d-874c-1182f12a6818@gmail.com> <CABa8R6vV3=mONXUehda_6C616CyEXPRjceSN8T+DcPmLQwcXOA@mail.gmail.com> <92703458.QmNNAb80T6@l5580> <CABuGu1ob6CYTt7_X1pMfGpajMOoytN3wuX_i+9MQf9nUYkzk0g@mail.gmail.com> <CABa8R6vSYGWxR5SOEQq0GZ+++L=jhEpOThzaTeyPUd4gUT85SA@mail.gmail.com> <CABuGu1q9ExpWGk38BZszBMeoKuZe0p77ng5EE43omhu6mU4kCg@mail.gmail.com> <CABa8R6sQ+hVccAVX0vZ-WOxBFsKVGFbfCUUCN9uOAR9p9vnwyw@mail.gmail.com>
In-Reply-To: <CABa8R6sQ+hVccAVX0vZ-WOxBFsKVGFbfCUUCN9uOAR9p9vnwyw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ian.levy@ncsc.gov.uk;
x-originating-ip: [51.141.26.231]
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_LO2P123MB228540329379ED4FBF497072C92D0LO2P123MB2285GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NccRmuNmWppGrkbU5phy3Vhffic>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 13:32:31 -0000

> Maybe no one would be willing to go with np=reject without being able to confirm there's no good mail doing that.

Exactly this. As we’ve pushed DMARC across gov.uk we’ve found all sorts of interesting things in the reporting we get.

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
ian@ncsc.gov.uk

Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk
Pronouns : he/him

(I work stupid hours and weird times – that doesn’t mean you have to. If this arrives outside your normal working hours, don’t feel compelled to respond immediately!)

From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Brandon Long
Sent: 12 December 2019 23:38
To: Kurt Andersen (b) <kboth@drkurt.com>
Cc: IETF DMARC WG <dmarc@ietf.org>; Scott Kitterman <sklist@kitterman.com>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd



On Wed, Dec 11, 2019 at 7:45 AM Kurt Andersen (b) <kboth@drkurt.com> wrote:
On Tue, Dec 10, 2019 at 2:13 PM Brandon Long <blong@google.com> wrote:

On Mon, Dec 9, 2019 at 6:27 PM Kurt Andersen (b) <kboth@drkurt.com> wrote:
On Mon, Dec 9, 2019 at 4:54 PM Scott Kitterman <sklist@kitterman.com> wrote:
On Monday, December 9, 2019 7:41:27 PM EST Brandon Long wrote:

> I'm sure I probably missed this, but couldn't we avoid this question by just mandating no reporting for non-existing organizational domains?  Is that a non-starter?

It's one of the use cases we are trying to cover.  I don't know if that makes it a non-starter.

Unless I'm misunderstanding Brandon's suggestion, it seems like you (Brandon) are asking if doing no reporting on missing org domains solves the scalability problem. *Getting* reports for missing org domains is the main purpose of the PSD proposal so it would render the purpose moot.

Hmm, I guess I don't see it that way.

Preventing phishing attacks from nonexistent.gov.uk, insomuch as DMARC can be used for such, seems way more important than the reporting.  Obviously, getting to p=reject without reporting is more challenging.  You can certainly have policy without reporting.

While it is very true that receivers may implement validation and possibly enforcement without reporting, we could solve the use case of phishing from missing org-level domains by the same approach that we can solve it from any missing domain - just don't accept mail from such bogus sources. That does not help the overseers of a domain realm (org-1, aka LPSD) to tackle takedowns or public awareness campaigns against such abuse though.

I mean, that was also true for all DMARC, the point was the owner was asking everyone to do that.  If you're saying we should have a different system for trying to get everyone to not accept messages from non-existent domains... ok, but I'm not sure where that would come from.

Maybe no one would be willing to go with np=reject without being able to confirm there's no good mail doing that.  That seems more likely to be true for existing large scale branded domains (which I guess gov.uk falls into), whereas setting that policy for the newer branded domains (.google) and multi-organizational (.bank) seems fine without reporting.

Brandon

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©
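Worked example, added here by the editor and not part of the thread, the draft, or any NCSC or Google code: a minimal DMARC policy-discovery routine extended with the PSD (public suffix domain) lookup and the np= tag that draft-ietf-dmarc-psd proposes, run against a constructed in-memory zone so it works offline. The DMARC records, the public suffix list, the set of PSDs treated as participating, and every hostname and mailto address are assumptions for illustration; in particular the _dmarc.gov.uk record is invented and says nothing about what gov.uk actually publishes.

```python
"""
Added example (not from the thread): DMARC policy discovery with a PSD record
and the np= tag.  All DNS data is constructed; it does not reflect any real zone.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: owner name -> {rrtype: [rdata, ...]}.
ZONE: Dict[str, Dict[str, List[str]]] = {
    # Constructed PSD record: existing subdomains get quarantine, non-existent
    # subdomains get reject, and no rua= is published at all ("policy without
    # reporting").
    "_dmarc.gov.uk": {"TXT": ["v=DMARC1; p=none; sp=quarantine; np=reject"]},
    # Constructed organisational domain with its own record and a report address.
    "_dmarc.service.gov.uk": {"TXT": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@service.gov.uk"]},
    "service.gov.uk": {"MX": ["10 mx.service.gov.uk"]},
    "www.service.gov.uk": {"A": ["192.0.2.10"]},
    # Constructed organisational domain that exists (has MX) but publishes no DMARC record.
    "legacy.gov.uk": {"MX": ["10 mx.legacy.gov.uk"]},
}
# Constructed public suffix list and the subset assumed to participate in PSD DMARC.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk"}
PSD_PARTICIPANTS = {"gov.uk"}


def lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name.rstrip(".").lower(), {}).get(rrtype, [])


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict (tags lower-cased, values stripped)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_record(domain: str) -> Optional[Dict[str, str]]:
    """Return the single valid DMARC record at _dmarc.<domain>, or None."""
    records = [parse_dmarc(t) for t in lookup("_dmarc." + domain, "TXT")]
    valid = [r for r in records if r.get("v") == "DMARC1" and "p" in r]
    return valid[0] if len(valid) == 1 else None


def domain_exists(domain: str) -> bool:
    """For np= purposes a domain is non-existent when it has no A, AAAA or MX."""
    return any(lookup(domain, t) for t in ("A", "AAAA", "MX"))


def org_domain(domain: str) -> str:
    """Organisational domain: one label below the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def subdomain_policy(rec: Dict[str, str], subdomain: str) -> Tuple[str, str]:
    """Tag governing a subdomain: np= if it is non-existent, otherwise sp=, otherwise p=."""
    if not domain_exists(subdomain) and "np" in rec:
        return rec["np"], "np"
    if "sp" in rec:
        return rec["sp"], "sp"
    return rec["p"], "p"


def effective_policy(from_domain: str) -> Tuple[str, str, str]:
    """Return (policy, record owner, tag used) for an RFC5322.From domain."""
    from_domain = from_domain.lower()
    rec = dmarc_record(from_domain)
    if rec:
        return rec["p"], from_domain, "p"
    org = org_domain(from_domain)
    if org != from_domain:
        rec = dmarc_record(org)
        if rec:
            policy, tag = subdomain_policy(rec, from_domain)
            return policy, org, tag
    # Nothing at the org level: consult the PSD, but only if that PSD opted in.
    psd = org.split(".", 1)[1] if "." in org else ""
    if psd in PSD_PARTICIPANTS:
        rec = dmarc_record(psd)
        if rec:
            policy, tag = subdomain_policy(rec, from_domain)
            return policy, psd, tag
    return "none", "", ""


def report_addresses(record_owner: str) -> List[str]:
    """rua= URIs published by the record that set the policy, if any."""
    rec = dmarc_record(record_owner) if record_owner else None
    if not rec or "rua" not in rec:
        return []
    return [u.strip() for u in rec["rua"].split(",") if u.strip()]


if __name__ == "__main__":
    for d in ("nonexistent.gov.uk", "legacy.gov.uk", "www.service.gov.uk",
              "ghost.service.gov.uk", "nonexistent.co.uk"):
        policy, owner, tag = effective_policy(d)
        print(f"{d:24} -> {policy:10} via {tag or '-':2} at {owner or '-':16} rua={report_addresses(owner)}")
```

The walk is the one the thread is arguing about: the From domain's own record first, then its organisational domain, and only when neither exists the PSD record, which is consulted only for PSDs that have opted in. Within the record the selection is np= for a non-existent subdomain, else sp=, else p=, so a PSD that publishes np=reject can ask receivers to reject mail from nonexistent.gov.uk without saying anything about existing registrants. The constructed PSD record deliberately carries no rua=, which is Brandon's "policy without reporting" case: receivers can still enforce, but the PSD owner gets nothing back to confirm that no legitimate mail was hit.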