Re: [dmarc-ietf] Working group next steps

Ian Levy <ian.levy@ncsc.gov.uk> Sun, 31 March 2019 19:07 UTC

From: Ian Levy <ian.levy@ncsc.gov.uk>
To: "fosterd@bayviewphysicians.com" <fosterd@bayviewphysicians.com>, Scott Kitterman <sklist@kitterman.com>, IETF DMARC WG <dmarc@ietf.org>, Ian Levy <ian.levy=40ncsc.gov.uk@dmarc.ietf.org>
Date: Sun, 31 Mar 2019 19:07:16 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9UdVb7tJOx3QQ331qtYsJunNG4I>
Subject: Re: [dmarc-ietf] Working group next steps

The existing defences aren’t 100% even before the evil kludge we’ve put up for non-existent subdomains, which certainly is not working everywhere. The PSD draft, when implemented, will help scale existing defences to make evolution of criminal behaviour harder and do it in a standardised way so that it’s more likely to be consistently implemented. That’s worth us collectively doing some work and me taking some risk to help early testing.

Nothing is 100% in security. Except possibly the existence of a preponderance of marketing hype :-).

Ta.

I.

—
Dr Ian Levy
Technical Director
National Cyber Security Centre
ian@ncsc.gov.uk

(I work stupid hours and weird times – that doesn’t mean you have to. If this arrives outside your normal working hours, don’t feel compelled to respond immediately!)
________________________________
From: dmarc <dmarc-bounces@ietf.org> on behalf of Douglas E. Foster <fosterd@bayviewphysicians.com>
Sent: Sunday, March 31, 2019 7:31 pm
To: Scott Kitterman; IETF DMARC WG; Ian Levy
Subject: Re: [dmarc-ietf] Working group next steps

Certainly not.

You cannot drop existing defenses until the new standard is 100% deployed on the Internet, which means probably never. Your experimental implementation will need to prioritize the new test over the SPF test, to prove that it is working and to show that it is good at intercepting any subdomains that have been newly imagined by the attackers.

To speed up the deployment process for existing or new standards, IETF would need to embrace the idea of defining required features of a spam filter.

Doug Fosterd

________________________________
From: "Ian Levy" <ian.levy=40ncsc.gov.uk@dmarc.ietf.org>
Sent: Sunday, March 31, 2019 6:18 AM
To: "Scott Kitterman" <sklist@kitterman.com>, "IETF DMARC WG" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Working group next steps

>> I’ll also offer gov.uk as an experimental ground (within reason!).

> Excellent. I've listed it in the experimental registry at psddmarc.org.
> Since you already had a live DMARC record for that domain, people can experiment with this now.

I guess at some point we'll have to stop generating SPF and DMARC records for the non-existent subdomains of gov.uk so we can test the new stuff properly. When we're at that point, let me know.

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
ian@ncsc.gov.uk

Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk

(I work stupid hours and weird times – that doesn’t mean you have to. If this arrives outside your normal working hours, don’t feel compelled to respond immediately!)


This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk