Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

John Levine <johnl@taugh.com> Tue, 24 November 2020 17:07 UTC

Date: 24 Nov 2020 12:06:21 -0500
Message-Id: <20201124170622.4A1C127DFEF1@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: vesely@tana.it
In-Reply-To: <a471cfd8-e651-a275-9db7-f88728ff90aa@tana.it>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PaVmgPQLaGWsrb4iclP5QDLt4Qc>

In article <a471cfd8-e651-a275-9db7-f88728ff90aa@tana.it> you write:
>On Tue 24/Nov/2020 13:52:43 +0100 Brotman, Alex wrote:
>> I had one spam message that had 13 parts.  It included both "_mta-sts" and "mta-sts" in there, as well as
>> "mail" nine times.  The last two parts were the org domain.
>
>If the message happened to authenticate, negative reputation is better added to 
>that org domain rather than to .com or to some random mta-sts.mail.something.

Why would you think that spam was sent by the actual holder of that
org domain? Since the address contained an underscore, it's invalid
anyway so you could probably reject the message without a lot of extra
checks.

>IOW, if we need the OD anyway for alignment, there's no point in discovering
>DMARC records by tree walk.

My plan is that whatever you discover by the tree walk replaces the OD.  In the likely
common case that the tree walk ends at _dmarc.<orgdomain> you get the same result either
way.

R's,
John
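
Added example, not part of the message above and not the draft's algorithm: a simplified tree walk that strips one label at a time and stops at the first `_dmarc` record, compared with a PSL-style Organizational Domain lookup, plus the underscore check on the address domain. The DNS table, the suffix set, the 13-label sample domain and all function names are constructed assumptions.

```python
import re

# Constructed stand-ins for DNS and the Public Suffix List (assumptions, not real data).
DMARC_TXT = {"_dmarc.example.com": "v=DMARC1; p=reject"}
PUBLIC_SUFFIXES = {"com"}

# Constructed 13-label domain shaped like the one described in the thread.
SAMPLE = "_mta-sts.mta-sts." + "mail." * 9 + "example.com"

# LDH rule for labels in a mail address domain: letters, digits,
# interior hyphens only. An underscore never matches.
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def invalid_labels(domain):
    """Return the labels that are not valid in a mail address domain."""
    return [l for l in domain.lower().split(".") if not LDH_LABEL.fullmatch(l)]

def tree_walk(domain, txt=DMARC_TXT):
    """Walk from the author domain toward the root. Return (name, queries),
    where name is the first domain with a _dmarc record, or None."""
    labels = domain.lower().rstrip(".").split(".")
    queries = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        queries.append("_dmarc." + name)
        if txt.get(queries[-1], "").startswith("v=DMARC1"):
            return name, queries
    return None, queries

def psl_org_domain(domain, suffixes=PUBLIC_SUFFIXES):
    """Organizational Domain: longest listed public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i else None
    return None

if __name__ == "__main__":
    print("invalid labels:", invalid_labels(SAMPLE))
    found, queries = tree_walk(SAMPLE)
    print("tree walk ends at:", found, "after", len(queries), "queries")
    print("PSL org domain:   ", psl_org_domain(SAMPLE))
```

With a record only at `_dmarc.example.com`, both methods return the same domain; a record published lower in the tree makes the walk stop there instead.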