IETF Logo Mail Archive

Re: [dmarc-ietf] Issue submission - Mailing list security and potential solutions using DMARC

"Murray S. Kucherawy" <superuser@gmail.com> Sun, 13 September 2020 01:12 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 331C93A0772 for <dmarc@ietfa.amsl.com>; Sat, 12 Sep 2020 18:12:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UpzVXB_bEf0F for <dmarc@ietfa.amsl.com>; Sat, 12 Sep 2020 18:12:10 -0700 (PDT)
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FF413A0774 for <dmarc@ietf.org>; Sat, 12 Sep 2020 18:12:10 -0700 (PDT)
Received: by mail-ua1-x931.google.com with SMTP id d18so2716325uav.4 for <dmarc@ietf.org>; Sat, 12 Sep 2020 18:12:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dxRWmlUMC90umwiFm2thjLCX1zV8eqoo9SOBvuKp+/Q=; b=RK4QCYD/3F7R3pfLg7uZgD8tOCj4zys+kT8jW9PJEdppsJrMfS8ccXiMldBWvv9KsW /832BnnCC+pEyR1cZ0uCKeiM5e1iFkD4UXWhAGyCIcC6yNpOz6WvXlnx21Y5emy73YNM EObDb4hKqdCgJHjEFQZYJtA6OD3x3GtygYQ+427CRgzOVLqgDFl4k8gIX/+B840VF8si KxtYKKoL1Jb1YFcaIf08yMH+JXIyMWtUjdlLe2ODkFO8To5FM0N1pxRs4mys1BZZe97t 1eDoVLQx5B/sZ6f4mFIzKbnAUqe5XQoL2kCtBYG4R+krFnn2qSGMtITTPKCaOo6VOlm9 XC1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dxRWmlUMC90umwiFm2thjLCX1zV8eqoo9SOBvuKp+/Q=; b=Ug0yjoBtPuA0GvjgMnvHp0g81qaJVyk2vy9Vns6m1KIw5G6KA/bWMTj/Pmya2JKdq1 F44EM9kdACanoJV/a+9ixfk2GfaEaWcGgFOny0OKnrrAfCuaV5peErZ0gxuA1LHCWLXo a0YLKD21RcgZxZZ53DJXYC6NkpPZvvLWtntePX5IgUArBqR5EZx4Gd0JVjJuOGxgSbtn NoEZnuHTTlwmkyPPW4sqK48CspYH9YOtnItSqcrRBGoEhQGIaI++e9Qgpn7rDADHIq9P aYZjR1dDqY8h5WjpYriRKCGCschPonmVoxUj88fIHjQXahx5H8TcQsH6Nbi50kIX1jKI z3Vg==
X-Gm-Message-State: AOAM530JgzXwOhiWm1jR/CH4G+7bR2brXn2fR2OczjfkcSgrvGT15CFV 62Zhr417SFNBh8x9JMKePotpcunEBLtQisyUOPb+pUSQ
X-Google-Smtp-Source: ABdhPJxOlRm2r810lu74U91/RTDv8+MDhTN1AEaarf0rjs4NWoxFr/rzxlNuV9bR/B2acvnNYtqYMDQjlvzhLcBvF1s=
X-Received: by 2002:ab0:627:: with SMTP id f36mr3976881uaf.76.1599959528786; Sat, 12 Sep 2020 18:12:08 -0700 (PDT)
MIME-Version: 1.0
References: <81937b856c4a4a40b313ae6b9b7af97b@bayviewphysicians.com>
In-Reply-To: <81937b856c4a4a40b313ae6b9b7af97b@bayviewphysicians.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sat, 12 Sep 2020 18:11:57 -0700
Message-ID: <CAL0qLwbBnA62qV=9yTRWp5VSPAke75c=XesHqYgGfX_WBDog8Q@mail.gmail.com>
To: Doug Foster <fosterd@bayviewphysicians.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e4e9d05af279b19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OFaPZzI5hkmmcskIGX5aS78TwG8>
Subject: Re: [dmarc-ietf] Issue submission - Mailing list security and potential solutions using DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 01:12:12 -0000

On Thu, Sep 10, 2020 at 3:51 PM Douglas E. Foster <fosterd=
40bayviewphysicians.com@dmarc.ietf.org> wrote:

> Recently, I have become worried about the risks associated with using my
> regular email on this list, especially since everything goes into a
> long-term archive.   I am wishing that I had subscribed using a disposable
> account.       A general safety principle is to limit how and when one's
> email address is released, because once it is released, it cannot be taken
> back.     There are a number of potential problems associated with
> releasing actual email addresses onto a mailing list.
>
> Address Harvesting
>
> Any subscriber could potentially be harvesting email addresses from the
> list, and forwarding them to a spam source.   The spammer can tune his
> attacks more closely using other information gathered from list posts,
> including the list area of interest and other information disclosed in the
> course of list discussions.   If the harvesting is occurring, list
> participants and list operators have no method for identifying and closing
> the leak.
>
> Badly Behaved Subscriber / Stalking
>
> If a subscriber starts behaving badly toward another member, particularly
> in some form of cyber-stalking, the list operator can discharge the
> perpetrator from the list.   Unfortunately, the discharge action does not
> cut off access to the victim, because the victim's personal email address
> has already been disclosed.
>
> Malicious Content filtering
>
> A well-run list will implement a variety of techniques to prevent hostile
> content from being distributed.    However, once personal addresses have
> been disclosed, a bad actor can bypass those filters by sending the same
> prohibited traffic directly to any subscribers who have posted to the list.
>    Consequently, the burden of defense remains on the recipient
> organization, because the list defenses are too easily evaded.
>
> List Spoofing
>
> A well-run mailing list is likely to breed an elevated level of trust
> among the participants.   As a result, a successful spoof of the mailing
> list is that much more likely to be successful.    To the recipient, the
> DMARC list is primarily identified by the subject tag and the IETF footer.
>   The absence of attachments and the text-only format are additional clues.
>   These are arguably "trust indicators", and we have discussed that trust
> indicators have limited effectiveness.    For example, many MUAs will make
> URLs in a text-only message into a clickable link, blurring the visual
> distinctiveness between text and html messages.    An attacker could
> potentially replicate the subject tag and footer, apply a non-DMARC
> address, and send it from his own server.    The incoming email filter is
> unlikely to have the sophistication to recognize that this format is only
> supposed to come from IETF, so the message is likely to be allowed and the
> users are at risk of being duped.
>
> The Alternative
>
> All of these problems can be avoided if the subscriber is given an alias
> at enrollment, and the alias is used for all messages relayed on the
> subscriber's behalf.    For this list, my alias could be
> DougF.dmarc@ietf.org.   Messages sent to an alias address must be
> submitted through the list operator, and the list manager should have logic
> to reject messages from a non-subscriber that are targeting a subscriber
> alias.
>
> Because the personal email address is only known to the list operator,
> harvesting is impossible.   Any aliases that are harvested from the list
> will be unusable by a spammer operating outside the list.
>
> For the same reason, if a misbehaving subscriber is ejected from the list,
> he immediately loses access to the people who were the victims of his
> actions.
>
> List spoofing becomes less effective as well.   Legitimate list messages
> can be validated using DMARC with p=reject on the list domain.    Spoofed
> messages that reach the user will not have a From address in the list
> domain and will not follow the pattern of list aliases.
>
> Overall, I conclude that mailing lists have much to benefit from
> intelligent use of DMARCv1 as previously specified.
>
There's a large amount of stuff to tease out here because it covers a lot
of ground.  I'll tackle them in no particular order.  All of this is, once
again, as a participant only.

At first I thought this was a complaint about how the IETF runs its lists.
I was inclined to agree with Michael that all of this is off topic for this
working group, and instead propose that you reach out to the IETF Tools
Team to suggest they build the sort of aliasing mechanism you're talking
about or address your privacy concerns some other way.

I was also inclined to suggest that address harvesting from lists is
something I've never encountered in over a dozen years working with the
IETF, except for that one guy that time who got banned from participation
and so took it upon himself to clone the entire list membership and try to
start his own IETF.  But that happened only once and it was long ago, so
again I was going to say this is not a concern for us.

The argument in a subsequent message that we are compelled to respond to
everything we enumerated in RFC 7960 doesn't comport with the charter as I
read it, though I agree that we really shouldn't bother sending something
to the IESG that doesn't at least make a dent in the problems caused by
DMARC today.  (That is to say, perhaps, we don't need to deal with ALL of
RFC 7960.)

Then I finally got to your "The Alternative" section.  Now I'm torn.

A key advantage to DKIM, ARC, DMARC, etc., is that they operate at a layer
different from the composition and transport layers (between them,
really).  You can install a DKIM signer, and begin using SPF and/or DMARC,
without MLMs knowing they're even there.  That incremental nature has been
a key to their relative successes and easy deployment.

To the contrary, what you're proposing is, on its face, a fundamental
change in how MLMs operate.  It requires MLMs to select an alias that has a
domain name identical to the domain name under which it operates at the
time you register, rewrite your messages through the list with that From
field (and perhaps Reply-To field), and install an alias so that any
private direct replies to that alias are relayed to you without
modification (lest they fail authentication and thus become part of the
problem).  Your own mail server would need to be sure to accept that
alias.  If we expect MLMs to do this, it would take weeks or months to
specify, and years to get implemented and widely deployed.

Then I started thinking about implementation.  It might be possible, using
something like the milter API (which sendmail and posfix have, among
others, and through which all of my implementations have been done), to
write a plugin that implements all of these things.  Since milter
intercepts and modifies things at the SMTP layer, it could handle the
rewrites in both directions; software downstream of that would never even
know the changes were made.  Again, it could be totally incremental; no
change to MLMs or other protocol modules would be needed.

If we're willing to argue that DMARC implementations should at least
consider Sender, which seems (and this is NOT an official consensus
reading) to have support to at least try, then we're willing to accept that
implementation changes are on the table.  If so, I suggest this might also
be worth consideration.  I might even give it a try myself, and/or
contribute to a draft describing it, if there's no holes shot in the idea.

There are those who assert that this shouldn't be necessary; it's only
necessary because DMARC.  I firmly agree.  But perhaps this is a way out of
this hole we're in.  So now it seems interesting.  What am I missing?

-MSK

v2.23.0 | Report a Bug | By Email