Re: [dmarc-ietf] DMARC threat analysis needed
Alessandro Vesely <vesely@tana.it> Sun, 19 July 2020 10:14 UTC
Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CD53A07CB for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 03:14:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6KV_KNGnyKei for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 03:14:40 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225AA3A07C8 for <dmarc@ietf.org>; Sun, 19 Jul 2020 03:14:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1595153676; bh=Yuywzf9DtM55cntLocwJbztdMI/PVvhnAPaKBIfME3w=; l=1805; h=To:References:From:Date:In-Reply-To; b=A4Z9k9LoKVEGsgdtR8OmTUuGc7F2irP4+oOIYcahPTbTnoE5RKuF3S7tIkqkX/zoI lLrqGY2oDQfC7K57eUrpqaeJw2OnR/d8PCdAS+lM3/KQbkrcuZckF/ddHdIrJUfWGk /cLOyDLeFUIhDw3O1GEEanTIRfXKR7E/iMpmEnWBZbevUiw2w5xIRoB1fxQZ1
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC053.000000005F141D0C.0000141B; Sun, 19 Jul 2020 12:14:36 +0200
To: dmarc@ietf.org
References: <ab2296fb-201a-3bfb-f61c-27848ac5acf3@bluepopcorn.net> <CAJ4XoYdU1==PJOKKuG+WFv1sSYD=rudPsoDpEPrbY8+f0FmMXA@mail.gmail.com> <f774bb8f-d586-4368-05ff-d277e8645d54@bluepopcorn.net> <CAL0qLwbq7pZE4TLPK6A9JspKy0XneK36hxAdrhiLb1Y-AcodOA@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <108ffa74-4cf5-5348-5a7d-713e0413ae29@tana.it>
Date: Sun, 19 Jul 2020 12:14:36 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwbq7pZE4TLPK6A9JspKy0XneK36hxAdrhiLb1Y-AcodOA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RX6BUU6Whmkc729d4Uow-OP0mRw>
Subject: Re: [dmarc-ietf] DMARC threat analysis needed
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 10:14:42 -0000
On Sun 19/Jul/2020 02:13:53 +0200 Murray S. Kucherawy wrote: > On Sat, Jul 18, 2020 at 10:17 AM Jim Fenton <fenton@bluepopcorn.net> wrote: > >> Yes, the issues of cousin domains, homoglyphs, etc. are thrown out there >> as reasons why DMARC is "irrelevant" to solving problems such as spam or >> phishing. [...] >> >> It's not that DMARC isn't useful. We need to consider (and document) the >> threats that it is effective against (unauthenticated mail claiming to come >> from a domain from which it should have been authenticated) and those it is >> not effective against (homoglyphs, display name misuse, etc.). [...] >> > > DMARC did attempt to document these shortcomings itself, for example in > Section 12.4 of RFC 7489 which covers display name attacks. I imagine this > would be carried forward into the standards track version, unless the > working group wants to entertain the idea of breaking it all out and > re-hashing it first. I think the WG charter is clear enough. > Still unresolved, IMHO, is Dave's point about whether the RFC5322.From > domain truly matters. While the opinions of big players are relevant, you yourself mentioned that they tend to follow DMARC design. Perhaps, some years ago, it was the importance of From: domain which inspired DMARC design. Now, it's DMARC which determines the importance of From: domain. Filtering at MX level followed DMARC development rather closely. MUA behavior lags behind, but seems to be plodding through. We might suggest guidelines (for example, bewaring of at signs in display names), but it is their task to find out how to highlight domain misalignment. The more dependable is DMARC filtering, the greater are MUA's motivations to follow suit. Not the other way around. Best Ale --
- Re: [dmarc-ietf] DMARC threat analysis needed Doug Foster
- [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Dotzero
- Re: [dmarc-ietf] DMARC threat analysis needed Hector Santos
- Re: [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC threat analysis needed Alessandro Vesely
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC threat analysis needed Alessandro Vesely
- Re: [dmarc-ietf] DMARC threat analysis needed Brandon Long
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy