Re: [dmarc-ietf] Issue submission - Mailing list security and potential solutions using DMARC

Joseph Brennan <brennan@columbia.edu> Wed, 16 September 2020 15:03 UTC

From: Joseph Brennan <brennan@columbia.edu>
Date: Wed, 16 Sep 2020 11:03:15 -0400
Message-ID: <CAMSGcLAgMKC_5XzDc1YGCrrKNF2D6t2OyfMGox0XWU_nKxRUzQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VGjIe1Ni6l3TrK4kzE9nZXAu-48>

What I mean is that mailing list software developers were obliged to
find a variety of ways to evade dmarc enforcement, for the sake of
delivering legitimate mail, and mailbox server developers learned to
allow mangled mail for the same reason. Widespread acceptance of email
that evades an authentication method diminishes its effectiveness.



On Wed, Sep 16, 2020 at 10:46 AM Dotzero <dotzero@gmail.com> wrote:
>
>
>
> On Tue, Sep 15, 2020 at 12:02 PM Joseph Brennan <brennan@columbia.edu> wrote:
>>
>>
>>
>> On Tue, Sep 15, 2020 at 11:55 AM John Levine <johnl@taugh.com> wrote:
>>>
>>> In article <CAMSGcLDKRMbJ_30jZdKE_6hkKaktwBxU6_E=E=bnK2_CKMNEXw@mail.gmail.com>,
>>> Joseph Brennan  <brennan@columbia.edu> wrote:
>>> >"Domain administrators must not apply dmarc authentication to domains
>>> >from which end users send mail that may be re-sent via lists or
>>> >automatic forwarding."  -- done. Then dmarc will be simple and
>>> >reliable, and bank statements and similar messages are protected as
>>> >intended. Building in a standard workaround significantly weakens the
>>> >whole concept, doesn't it?
>>>
>>> Unfortunately, we have ample evidence that domain operators will
>>> ignore that advice.
>>>
>>> According to someone who was in the room when Yahoo flipped the
>>> switch, the person in charge said words to the effect that I know this
>>> will screw up everyone's mailing lists and I don't care.
>>>
>>
>> The irony is, the result is to diminish the effectiveness of dmarc for everybody.
>>
>>
>> Joseph Brennan
>> Lead, Email and Systems Applications
>> Columbia University Information Technology
>>
>>
>
> Can you support your assertion with data? There was zero change post-yahoo/AOL implementation vs pre-yahoo/AOL implementation for the organization I worked for at the time.
>
> Michael Hammer



-- 
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology