IETF Logo Mail Archive

Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Seth Blank <seth@valimail.com> Mon, 25 January 2021 17:40 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 934193A15FB for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:40:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AdGvbssZg1Hr for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:40:34 -0800 (PST)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11C993A15F7 for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:40:33 -0800 (PST)
Received: by mail-vs1-xe2e.google.com with SMTP id h11so7597057vsa.10 for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:40:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vJNoIaqOCOrMCaf/sJMZSgzmiI6OKL40+iNnTFgAjfQ=; b=Gs13rxf0Qa0p//LSFmO2F6Ay7hNsH5qK99xHf8/HkDFnWSKQh/EMsFuLsHwq3cgFKv +3r+J9SCFZXGgrES5XaEjKvjjyDgNCzBaCJDEfpz+QckuO4TTMliUplR7aST5PlgUA1J nXdWaGRNA1jA27eHyRf748m1hwI5vEjbwppoaOWWMyFyRzmtnf8/vd46yqccKxIGHi+3 15m5yIbE0yoyzo31MLclgaPQTKYjr3T/r7dQyBYOZaArWttBAeMdPeQNSSfPGqTNOggO U7lxO71t/1XQruIimnC9g2GkboWQiwtcT8NuXA1hyGp0gEV0R/FLA0dyBu8DGRe6BC/B 8gxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vJNoIaqOCOrMCaf/sJMZSgzmiI6OKL40+iNnTFgAjfQ=; b=Co4TFW2cKeJzzXI9eEX2aiN/+qJ16Ykau8n7rm0t2vK6zctRloQxk+9tz784SEsrdA 0XkAMPmm4lHlJtRZICjumidzPmoiQMyGolL7q4HyzyjFfdMm/W9OKiMXoJ21lx9K9Z7x CFFrbwCLRyOv3rNA3IPn6fMiPUivOy+kZcTTT5piaIVn92m0ceUZT1EkLZuQsiIGfDTz WihBM+wR3HPhJYpcqZNjLaAeOmO9lSo20k9fMgrmGMkoQBklzruCeiUXFaFBhZSQ9V0t b/2PzYj4ITSkVgmVfvMBQ6GbYvvpcVl/rMypowNBOwhPY490W5Ryoi5LAV24On5S6wxA lgPA==
X-Gm-Message-State: AOAM532alMvbZRGb25FNqsogDR9TczCR/sNQXKnhw7Ss+n/C13vTUs4N NnYfGYNwGTLxIpSRJ5PvS6w4Dlzzt/TZu4WrRqMKmg==
X-Google-Smtp-Source: ABdhPJxelFGc51cJKNNM3tw6hKLVROQEct9Z8XMMwdbc3LgHXWXVBN5L8NDd2Bt1kfAOdTHAbGSunZ8otC1RaQHC3y8=
X-Received: by 2002:a67:62c4:: with SMTP id w187mr1759286vsb.43.1611596432970; Mon, 25 Jan 2021 09:40:32 -0800 (PST)
MIME-Version: 1.0
References: <34317129-8225-fb38-4ad3-e1b9ffed21fb@iecc.com> <9c84fa50-d23c-a794-fc62-09788ac383a9@mtcc.com> <CAHej_8mTaFo7aESFk4pHjbqbheriYPoAy6f+HhcE6ASVJSyViA@mail.gmail.com> <df867378-5da0-b912-2a0f-b2081d1f2437@mtcc.com> <CAHej_8kfCC1H89pRjgxXK=+BizJHFdKgnr7Gxh_2wWq8P7L-0Q@mail.gmail.com> <a94cb6c0-0a32-da8d-4bd5-9c7ab2866c82@mtcc.com> <CAH48ZfxkQ9g-gmBOPdDsxr4RDvXOi56EaX=aJVDbuL_g7kR+xQ@mail.gmail.com> <CAOZAAfOB93fpYRjwxgQNkG-ydVHLtvgUp0LLROvv-F-amJVy4w@mail.gmail.com> <b9e8da8e-f46a-49c0-4196-1d50ed94d526@mtcc.com> <CAOZAAfPh4kYq0yXhtP9BaPmtP_rc7L-0f=r3Ff_P3oxrhYqvtw@mail.gmail.com> <fd74120f-bfad-ef51-64d7-2f8ec4f00fab@mtcc.com>
In-Reply-To: <fd74120f-bfad-ef51-64d7-2f8ec4f00fab@mtcc.com>
From: Seth Blank <seth@valimail.com>
Date: Mon, 25 Jan 2021 09:40:22 -0800
Message-ID: <CAOZAAfP7oMCtV_1E4+8kZS5Jb1C-nddR_QtLauF6shGY9z7Bqw@mail.gmail.com>
To: Michael Thomas <mike@mtcc.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Douglas Foster <dougfoster.emailstandards@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e8a96905b9bd081f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VLZ7MdJQXA41xbqf-5nNaVwNVVY>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2021 17:40:37 -0000

Michael, as an individual, I don't disagree. What's not clear about the
current text?

https://tools.ietf.org/html/rfc7489#section-7.2.1.1

   Email streams carrying DMARC feedback data MUST conform to the DMARC
   mechanism, thereby resulting in an aligned "pass" (see Section 3.1
<https://tools.ietf.org/html/rfc7489#section-3.1>).
   This practice minimizes the risk of report consumers processing
   fraudulent reports.


On Mon, Jan 25, 2021 at 9:32 AM Michael Thomas <mike@mtcc.com> wrote:

> Why is this controversial? Seriously. What is controversial about saying
> that the a report should authenticate? The onus is on the people who say it
> does not to lay out the case for why it's not a problem, not me. #98 has a
> simple piece of text to remedy this. it's 2021. You don't use
> unauthenticated data if you can possibly help it.
>
> Mike
> On 1/25/21 9:25 AM, Seth Blank wrote:
>
> Mike, how do you believe DMARC reports are consumed and utilized? I think
> you have a misunderstanding here which is why you're going down this path
> and everyone else is pushing back.
>
> On Mon, Jan 25, 2021 at 9:22 AM Michael Thomas <mike@mtcc.com> wrote:
>
>> Taking in information from unauthenticated sources and acting on it is an
>> operational problem per se. Have we learned nothing in the last 30 years?
>>
>> Mike
>> On 1/25/21 9:19 AM, Seth Blank wrote:
>>
>> What operational problem are we solving here? Absent evidence of a
>> problem and strong consensus on the solution, let's close these tickets and
>> move on.
>>
>> On Mon, Jan 25, 2021 at 9:10 AM Douglas Foster <
>> dougfoster.emailstandards@gmail.com> wrote:
>>
>>> Since the status quo is unauthenticated, I wonder if adding a signing
>>> requirement will help.
>>> Will recipients discad unsigned messages, or accept whatever is
>>> available to maximize their information capture?  I suspect they will
>>> conrinye to accept everything.
>>>
>>> I think we would need an identified threat before recipients would be
>>> motivated to discard.
>>>
>>> But what about John's problems with receiving reports that should not
>>> have gone to him?   I did not understand the root cause, but I would hope
>>> there is something that can be done.  Would signing help receiving sites,
>>> those with less sophistication than he has, be able to sort out noise more
>>> effectively?
>>>
>>>
>>> On Mon, Jan 25, 2021, 11:51 AM Michael Thomas <mike@mtcc.com> wrote:
>>>
>>>>
>>>> On 1/25/21 8:44 AM, Todd Herr wrote:
>>>>
>>>> On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas <mike@mtcc.com> wrote:
>>>>
>>>>>
>>>>> The main thing I've learned over the years of dealing with security is
>>>>> to not underestimate what a motivated attacker can do. Your imagination is
>>>>> not the same as their imagination. Closing #98 in particular is absolutely
>>>>> ridiculous: the report should already have a DKIM signature or SPF so it's
>>>>> just a matter of making sure its valid. Why would you *not* want to insure
>>>>> that? The amount of justification for *not* having the receiver
>>>>> authenticate it is a mountain. The amount of effort to authenticate it is
>>>>> trivial for mail. Levine's dismissal of security concerns because he has
>>>>> anecdotal "evidence" from a backwater domain carries no weight at all.
>>>>>
>>>>
>>>> That's all well and good, but you haven't answered the question I asked.
>>>>
>>>> What threats do you have in mind? Put another way, how do you envision
>>>> an attacker exploiting the lack of authentication in a DMARC report to his
>>>> or her gain?
>>>>
>>>> No, sorry, the onus is on the people who don't think it can be gamed. A
>>>> bald assertion that it can't be gamed is very unconvincing. You need to lay
>>>> out a miles long case for why it cannot be gamed. And to what end? #98 has
>>>> a simple piece of text that should be added to DMARC to eliminate the
>>>> possibility of forgery. You'd need a 10 page threat I-D to explain why it's
>>>> not necessary. What is the point of that? For email, it's trivial to
>>>> prevent forgeries. Why would anybody argue against that?
>>>>
>>>> Mike
>>>> _______________________________________________
>>>> dmarc mailing list
>>>> dmarc@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>>
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>>
>>
>> --
>> *Seth Blank* | VP, Standards and New Technologies
>> *e:* seth@valimail.com
>> *p:* 415.273.8818
>>
>>
>> This email and all data transmitted with it contains confidential and/or
>> proprietary information intended solely for the use of individual(s)
>> authorized to receive it. If you are not an intended and authorized
>> recipient you are hereby notified of any use, disclosure, copying or
>> distribution of the information included in this transmission is prohibited
>> and may be unlawful. Please immediately notify the sender by replying to
>> this email and then delete it from your system.
>>
>>
>
> --
> *Seth Blank* | VP, Standards and New Technologies
> *e:* seth@valimail.com
> *p:* 415.273.8818
>
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
>
>

-- 

*Seth Blank* | VP, Standards and New Technologies
*e:* seth@valimail.com
*p:* 415.273.8818


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email