IETF Logo Mail Archive

Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Michael Thomas <mike@mtcc.com> Mon, 25 January 2021 17:53 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FD813A15FE for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:53:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TblJs1S_Hf37 for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:53:36 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4453A1602 for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:53:36 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id j21so3507798pls.7 for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:53:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=ZDTxfqhVlBE/CiOViaccH4vSzqTTZ2VcmbIqAD7Wa5U=; b=G2J/X7ZGZKJnT9m/ob7VD4shlNh1gereWd3gL3azbCbGbZGbUsiFo7kld/lm7PxFNo i6rZ0bps9q1NYJmk3YA7M+ZzbcKj+Vd20aaWOwxCeiO65iolRIMuJ5svBDLKwN51Ex2x XWodPA5QltGqGp28WTRvxmkjZCgu62Q0N2kdoFC4RlwwLS1U/KinAlhHv4EO7FXipn1/ yM0heYeTGxQ3+nm+wpI3Z49E5R9ivAJKoNte0pVuH0ccQXE0KXHyspdEqSUNXV0u1nx0 ziEQEszYeCTh6LmOVgHnH40qMTXUz9k9uSPfRl85qXrwFEt3DDbjf43OqeG1GG9yD01s EcVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ZDTxfqhVlBE/CiOViaccH4vSzqTTZ2VcmbIqAD7Wa5U=; b=gWNNJAa3uQL2UFPb4Kr/agCvkMQNrvsa3yzHFN88FI2JqcCExdaIAAB+xme/Jnb2Yz WaCsP8dFQQt7DCzOGX5jv+XpvLBcLM+YTfVa5c0QVgRJlakhVz7R/lK3KyiDzz2oI+cM PC5+y14GQ4m6GS5fN8WVUUBecUp5MPyDt55nHhJbo02TRBD+4HBMSNwJAM1zvquYLRv2 HWjHNif5trq/M3r5oW57uHZeJcF3cGK7/JqIH9xUll8yvqAcd9ZI8teIlP6RyWZ3IuX/ 4bHB5c8UB+CdRwQtey9QZp1YyKQgfRTtFhG/69vKPqDAQv3B48Y6IUcWZ7wLxeB51Auh js0w==
X-Gm-Message-State: AOAM5303Ghk5Mc1uPtuhMBilrfzYBZfUMmxGL9GTkLch/O4GBLTMFO4F SF5GxMnm+BwiaPCLu0i4X33Btw==
X-Google-Smtp-Source: ABdhPJzR+g86Xtip1LZMpsn3ScNZQy4Up1kwePMXQ3kOSwgzlmQ8Plip4/hXd+CkdEt/0LZ4OplT6w==
X-Received: by 2002:a17:902:694c:b029:da:afba:beab with SMTP id k12-20020a170902694cb02900daafbabeabmr1660054plt.32.1611597216004; Mon, 25 Jan 2021 09:53:36 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id b65sm18676006pga.54.2021.01.25.09.53.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Jan 2021 09:53:35 -0800 (PST)
To: Seth Blank <seth@valimail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Douglas Foster <dougfoster.emailstandards@gmail.com>
References: <34317129-8225-fb38-4ad3-e1b9ffed21fb@iecc.com> <9c84fa50-d23c-a794-fc62-09788ac383a9@mtcc.com> <CAHej_8mTaFo7aESFk4pHjbqbheriYPoAy6f+HhcE6ASVJSyViA@mail.gmail.com> <df867378-5da0-b912-2a0f-b2081d1f2437@mtcc.com> <CAHej_8kfCC1H89pRjgxXK=+BizJHFdKgnr7Gxh_2wWq8P7L-0Q@mail.gmail.com> <a94cb6c0-0a32-da8d-4bd5-9c7ab2866c82@mtcc.com> <CAH48ZfxkQ9g-gmBOPdDsxr4RDvXOi56EaX=aJVDbuL_g7kR+xQ@mail.gmail.com> <CAOZAAfOB93fpYRjwxgQNkG-ydVHLtvgUp0LLROvv-F-amJVy4w@mail.gmail.com> <b9e8da8e-f46a-49c0-4196-1d50ed94d526@mtcc.com> <CAOZAAfPh4kYq0yXhtP9BaPmtP_rc7L-0f=r3Ff_P3oxrhYqvtw@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <dd98f7ca-1088-8a1a-c69d-e2b723543cb1@mtcc.com>
Date: Mon, 25 Jan 2021 09:53:33 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAOZAAfPh4kYq0yXhtP9BaPmtP_rc7L-0f=r3Ff_P3oxrhYqvtw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------D2A21DE13B0E8B6F4CEAE395"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Wxqc-T4CgQ0qbIcMH4uy8Jum4nM>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2021 17:53:38 -0000

But just as an example, suppose I'm trying to get to a position to use 
p=reject, but some bad actor doesn't want me to do that so they can keep 
phishing me. All they have to do is keep sending forged message reports 
from gmail which makes me think I've got a problem. Seriously, this is 
not rocket science.

Mike

On 1/25/21 9:25 AM, Seth Blank wrote:
> Mike, how do you believe DMARC reports are consumed and utilized? I 
> think you have a misunderstanding here which is why you're going down 
> this path and everyone else is pushing back.
>
> On Mon, Jan 25, 2021 at 9:22 AM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>     Taking in information from unauthenticated sources and acting on
>     it is an operational problem per se. Have we learned nothing in
>     the last 30 years?
>
>     Mike
>
>     On 1/25/21 9:19 AM, Seth Blank wrote:
>>     What operational problem are we solving here? Absent evidence of
>>     a problem and strong consensus on the solution, let's close these
>>     tickets and move on.
>>
>>     On Mon, Jan 25, 2021 at 9:10 AM Douglas Foster
>>     <dougfoster.emailstandards@gmail.com
>>     <mailto:dougfoster.emailstandards@gmail.com>> wrote:
>>
>>         Since the status quo is unauthenticated, I wonder if adding a
>>         signing requirement will help.
>>         Will recipients discad unsigned messages, or accept whatever
>>         is available to maximize their information capture?  I
>>         suspect they will conrinye to accept everything.
>>
>>         I think we would need an identified threat before recipients
>>         would be motivated to discard.
>>
>>         But what about John's problems with receiving reports that
>>         should not have gone to him?   I did not understand the root
>>         cause, but I would hope there is something that can be done.
>>         Would signing help receiving sites, those with less
>>         sophistication than he has, be able to sort out noise more
>>         effectively?
>>
>>
>>         On Mon, Jan 25, 2021, 11:51 AM Michael Thomas <mike@mtcc.com
>>         <mailto:mike@mtcc.com>> wrote:
>>
>>
>>             On 1/25/21 8:44 AM, Todd Herr wrote:
>>>             On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas
>>>             <mike@mtcc.com <mailto:mike@mtcc.com>> wrote:
>>>
>>>
>>>                 The main thing I've learned over the years of
>>>                 dealing with security is to not underestimate what a
>>>                 motivated attacker can do. Your imagination is not
>>>                 the same as their imagination. Closing #98 in
>>>                 particular is absolutely ridiculous: the report
>>>                 should already have a DKIM signature or SPF so it's
>>>                 just a matter of making sure its valid. Why would
>>>                 you *not* want to insure that? The amount of
>>>                 justification for *not* having the receiver
>>>                 authenticate it is a mountain. The amount of effort
>>>                 to authenticate it is trivial for mail. Levine's
>>>                 dismissal of security concerns because he has
>>>                 anecdotal "evidence" from a backwater domain carries
>>>                 no weight at all.
>>>
>>>
>>>             That's all well and good, but you haven't answered the
>>>             question I asked.
>>>
>>>             What threats do you have in mind? Put another way, how
>>>             do you envision an attacker exploiting the lack of
>>>             authentication in a DMARC report to his or her gain?
>>>
>>             No, sorry, the onus is on the people who don't think it
>>             can be gamed. A bald assertion that it can't be gamed is
>>             very unconvincing. You need to lay out a miles long case
>>             for why it cannot be gamed. And to what end? #98 has a
>>             simple piece of text that should be added to DMARC to
>>             eliminate the possibility of forgery. You'd need a 10
>>             page threat I-D to explain why it's not necessary. What
>>             is the point of that? For email, it's trivial to prevent
>>             forgeries. Why would anybody argue against that?
>>
>>             Mike
>>
>>             _______________________________________________
>>             dmarc mailing list
>>             dmarc@ietf.org <mailto:dmarc@ietf.org>
>>             https://www.ietf.org/mailman/listinfo/dmarc
>>             <https://www.ietf.org/mailman/listinfo/dmarc>
>>
>>         _______________________________________________
>>         dmarc mailing list
>>         dmarc@ietf.org <mailto:dmarc@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/dmarc
>>         <https://www.ietf.org/mailman/listinfo/dmarc>
>>
>>
>>
>>     -- 
>>     *Seth Blank*| VP, Standards and New Technologies
>>     *e:*seth@valimail.com <mailto:seth@valimail.com>
>>     *p:*415.273.8818
>>
>>
>>     This email and all data transmitted with it contains confidential
>>     and/or proprietary information intended solely for the use of
>>     individual(s) authorized to receive it. If you are not an
>>     intended and authorized recipient you are hereby notified of any
>>     use, disclosure, copying or distribution of the information
>>     included in this transmission is prohibited and may be unlawful.
>>     Please immediately notify the sender by replying to this email
>>     and then delete it from your system.
>>
>
>
> -- 
> *Seth Blank*| VP, Standards and New Technologies
> *e:*seth@valimail.com <mailto:seth@valimail.com>
> *p:*415.273.8818
>
>
> This email and all data transmitted with it contains confidential 
> and/or proprietary information intended solely for the use of 
> individual(s) authorized to receive it. If you are not an intended and 
> authorized recipient you are hereby notified of any use, disclosure, 
> copying or distribution of the information included in this 
> transmission is prohibited and may be unlawful. Please immediately 
> notify the sender by replying to this email and then delete it from 
> your system.
>

v2.23.0 | Report a Bug | By Email