IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC threat analysis needed

Alessandro Vesely <vesely@tana.it> Sun, 19 July 2020 10:14 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CD53A07CB for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 03:14:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6KV_KNGnyKei for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 03:14:40 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225AA3A07C8 for <dmarc@ietf.org>; Sun, 19 Jul 2020 03:14:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1595153676; bh=Yuywzf9DtM55cntLocwJbztdMI/PVvhnAPaKBIfME3w=; l=1805; h=To:References:From:Date:In-Reply-To; b=A4Z9k9LoKVEGsgdtR8OmTUuGc7F2irP4+oOIYcahPTbTnoE5RKuF3S7tIkqkX/zoI lLrqGY2oDQfC7K57eUrpqaeJw2OnR/d8PCdAS+lM3/KQbkrcuZckF/ddHdIrJUfWGk /cLOyDLeFUIhDw3O1GEEanTIRfXKR7E/iMpmEnWBZbevUiw2w5xIRoB1fxQZ1
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC053.000000005F141D0C.0000141B; Sun, 19 Jul 2020 12:14:36 +0200
To: dmarc@ietf.org
References: <ab2296fb-201a-3bfb-f61c-27848ac5acf3@bluepopcorn.net> <CAJ4XoYdU1==PJOKKuG+WFv1sSYD=rudPsoDpEPrbY8+f0FmMXA@mail.gmail.com> <f774bb8f-d586-4368-05ff-d277e8645d54@bluepopcorn.net> <CAL0qLwbq7pZE4TLPK6A9JspKy0XneK36hxAdrhiLb1Y-AcodOA@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <108ffa74-4cf5-5348-5a7d-713e0413ae29@tana.it>
Date: Sun, 19 Jul 2020 12:14:36 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwbq7pZE4TLPK6A9JspKy0XneK36hxAdrhiLb1Y-AcodOA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RX6BUU6Whmkc729d4Uow-OP0mRw>
Subject: Re: [dmarc-ietf] DMARC threat analysis needed
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 10:14:42 -0000

On Sun 19/Jul/2020 02:13:53 +0200 Murray S. Kucherawy wrote:
> On Sat, Jul 18, 2020 at 10:17 AM Jim Fenton <fenton@bluepopcorn.net> wrote:
> 
>> Yes, the issues of cousin domains, homoglyphs, etc. are thrown out there
>> as reasons why DMARC is "irrelevant" to solving problems such as spam or
>> phishing. [...]
>>
>> It's not that DMARC isn't useful. We need to consider (and document) the
>> threats that it is effective against (unauthenticated mail claiming to come
>> from a domain from which it should have been authenticated) and those it is
>> not effective against (homoglyphs, display name misuse, etc.). [...]
>>
> 
> DMARC did attempt to document these shortcomings itself, for example in
> Section 12.4 of RFC 7489 which covers display name attacks.  I imagine this
> would be carried forward into the standards track version, unless the
> working group wants to entertain the idea of breaking it all out and
> re-hashing it first.


I think the WG charter is clear enough.


> Still unresolved, IMHO, is Dave's point about whether the RFC5322.From
> domain truly matters.


While the opinions of big players are relevant, you yourself mentioned that 
they tend to follow DMARC design.  Perhaps, some years ago, it was the 
importance of From: domain which inspired DMARC design.  Now, it's DMARC which 
determines the importance of From: domain.

Filtering at MX level followed DMARC development rather closely.  MUA behavior 
lags behind, but seems to be plodding through.  We might suggest guidelines 
(for example, bewaring of at signs in display names), but it is their task to 
find out how to highlight domain misalignment.  The more dependable is DMARC 
filtering, the greater are MUA's motivations to follow suit.  Not the other way 
around.


Best
Ale
--

v2.23.0 | Report a Bug | By Email