Re: [dmarc-ietf] UNCOL and Reversing modifications from mailing lists

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 24 November 2021 22:18 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BEE73A0CA4 for <dmarc@ietfa.amsl.com>; Wed, 24 Nov 2021 14:18:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h7j6v1AAovu8 for <dmarc@ietfa.amsl.com>; Wed, 24 Nov 2021 14:18:48 -0800 (PST)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A63A53A0CA3 for <dmarc@ietf.org>; Wed, 24 Nov 2021 14:18:48 -0800 (PST)
Received: by mail-ot1-x333.google.com with SMTP id x19-20020a9d7053000000b0055c8b39420bso6535441otj.1 for <dmarc@ietf.org>; Wed, 24 Nov 2021 14:18:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=3jGZhIRDfHfQAME/Myh9dEfc08doCJ0Bz4/uF3PPRpg=; b=FQKmbJSrkpk4d64K4tC16qLG9jf8pn7CesXiAwvjmCpFSRwePmavlFGi6FlZKbd77o cpqPdiY6SPTmH0F7zaYaHpeKN7zHEj9PUiSaofnTuCD0BBLyGAPxIK2qxh73cVqzuXNI uYyMnOqDKK8aEZ30lwio9PZqiQSJzn61BqKEpzi0zFU0RO+B3M6aWjvD6L3x7N5xPvAA YKv64q2s0aDHN6imn9H+44ErREtB9uWibhUonhB26NAaoUDfwCv/+xbXw5yD5l09vexN w2WumC3QUJTY9wpHi91qN1k04vs/6hALYzmEJU3/eP0au8q88hwSBrSrYLHYvkvyfUev EKAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=3jGZhIRDfHfQAME/Myh9dEfc08doCJ0Bz4/uF3PPRpg=; b=QIHQNjW2ssE697eSA5XUmiyru3chmV4FucSZDL37l2Wuw5nlSly8Y4mqZ4zkL86Oi/ igcf9kXm07tzLD1VnO6ZcNgUbUwmQYjemor8OqVLXoKYXKfH/4FXtvOlhdQtn1Z4j4fW Q9Fn7wmE6FZ9qscefW6pnmgAU7LwBddpsyrzzR2pih1zr/QCM8fXbOhII2fHrvjAiaWX C4hkSA+3uff81QSqi2zIdxl/iZGVkHAPrjwW4W5TXXFGbf2UZSGFhTN31xNDRPYuQXdB JAYis0Ch0HgS+39RzaxINL8kXhYjFgI30iHfwQjH+Ng0OZW2yLZCZJvazG3Ohi+2lHn6 qlDQ==
X-Gm-Message-State: AOAM5320AhechBprsBpclkJvZw4r7OD/gZbQiwakcfEezXkXsCebI1/i AwQ2+1KGxUvBE2s0LhLA1LnZUZK4bv8vQuVFIcV1kPOg
X-Google-Smtp-Source: ABdhPJwV2xpJBjfNOLiPOuRgc5A+aZHbv5IIr90srxmDuGqVjUVNMQOZI9NNSJbn9sCxCCLXo/BqzSQx0suDosfuOIs=
X-Received: by 2002:a9d:f63:: with SMTP id 90mr16987922ott.268.1637792326966; Wed, 24 Nov 2021 14:18:46 -0800 (PST)
MIME-Version: 1.0
References: <20211123203406.73152307DA83@ary.qy> <cb57d32d-038d-61f6-528c-d86d529fac10@tana.it> <0328a88e-7dcc-f7c6-9cfb-8c4f90a9afd0@baptiste-carvello.net>
In-Reply-To: <0328a88e-7dcc-f7c6-9cfb-8c4f90a9afd0@baptiste-carvello.net>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 24 Nov 2021 17:18:36 -0500
Message-ID: <CAH48Zfx1ou_d3PSiPcEZufaJ50T5x_HG-OXzvC4Wsv0qzM+hiA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dd61ea05d1903d2c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Xuy2gusiZNAXZnqkvWvj0l5-XEM>
Subject: Re: [dmarc-ietf] UNCOL and Reversing modifications from mailing lists
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Nov 2021 22:18:54 -0000

Have you noticed the ARC set on Alex Brotman's messages? Microsoft
declares the message as having passed DMARC before the message leaves the
Office 365 environment. Assume that the average attacker decides to do the
same, and applies a DMARC-PASS ARC Set to everything he sends. At
minimum, the evaluator needs an algorithm to determine if the ARC Set was
applied before or after a meaningful point in the delivery chain. Do we
have a defined algorithm for that?

You are correct that a single sender can be whitelisted with the help of
ARC, but a single sender can be whitelisted more easily without ARC.

ARC requires a global reputation system so that the appropriate disposition
is known in the general case of ANY message source. Ale's assertion
stands.

Doug Foster


On Wed, Nov 24, 2021 at 3:55 PM Baptiste Carvello <
devel@baptiste-carvello.net> wrote:

> Hi,
>
> Le 24/11/2021 à 12:00, Alessandro Vesely a écrit :
> >
> > ARC implies a reliable global reputation system, which only giant
> > providers can afford.
>
> Not necessarily. It only implies that the evaluator has some reason to
> consider acceptable that this particular message be handled by this
> particular forwarder.
>
> If, for example, the evaluator can know for sure that the author
> designated in the From field really sent a message to the forwarder
> immediately before the forwarded message came in, the probability that
> the message is genuine is much higher [1].
>
> Beginning of this month, I proposed an idea to achieve just that.
>
> Cheers,
> Baptiste
>
>
> note [1]:
> indeed, the attack model then changes from "send a message with a faked
> From header" (easy) to "somehow have your target send you a genuine
> message so you can modify and forward it" (possible, but much harder,
> needs a targeted attack). Only high profile targets need to care about
> the second type of attack.
>
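The open question in Doug's message is how an evaluator decides whether a DMARC-pass claim carried in an ARC set deserves any weight when anyone, including an attacker, can seal their own outbound mail. The following is an added illustration written for this page; it is not code from the thread and not the procedure defined by RFC 8617. It assumes a purely local policy: the claim is used only if every ARC-Seal in the chain was applied by a domain on a receiver-maintained trusted-forwarder list (`TRUSTED_FORWARDERS`, a constructed set) and the chain's `cv=` values are internally consistent. Cryptographic verification of the seals and signatures is assumed to have been done already by a separate validator; the sample headers and domain names are constructed.

```python
"""Toy ARC trust decision (added example, hypothetical policy).

Honour an ARC-asserted dmarc=pass only when the whole chain was sealed
by locally trusted forwarders and the cv= values are consistent.
Seal/signature cryptography is assumed verified elsewhere.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed trust list; a real deployment would maintain its own.
TRUSTED_FORWARDERS = {"ietf.org", "lists.example.net"}


@dataclass
class ArcSet:
    instance: int
    seal_domain: str
    cv: str
    aar_dmarc: Optional[str]  # dmarc= result claimed in ARC-Authentication-Results


def parse_tags(value: str) -> dict:
    """Parse a 'k=v; k=v' tag list as used in ARC-Seal / ARC-Message-Signature."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)  # split once: b= values contain '='
            tags[k.strip()] = v.strip()
    return tags


def parse_arc_sets(headers: List[Tuple[str, str]]) -> List[ArcSet]:
    """headers: list of (name, value) pairs. Returns ArcSets ordered by i=."""
    seals, aars = {}, {}
    for name, value in headers:
        lname = name.lower()
        if lname == "arc-seal":
            t = parse_tags(value)
            seals[int(t["i"])] = t
        elif lname == "arc-authentication-results":
            # Form: "i=N; authserv-id; method=result ..."
            m = re.match(r"\s*i=(\d+)\s*;(.*)", value, re.S)
            if m:
                dm = re.search(r"\bdmarc=(\w+)", m.group(2))
                aars[int(m.group(1))] = dm.group(1).lower() if dm else None
    return [
        ArcSet(i, seals[i].get("d", "").lower(), seals[i].get("cv", "").lower(), aars.get(i))
        for i in sorted(seals)
    ]


def arc_claims_usable(sets: List[ArcSet], trusted=TRUSTED_FORWARDERS) -> Tuple[bool, str]:
    """Return (usable, reason). Every sealer must be trusted; i=1 must be
    cv=none and later sets cv=pass, with no gaps in the instance numbers."""
    if not sets:
        return False, "no ARC sets"
    for n, s in enumerate(sets, start=1):
        if s.instance != n:
            return False, f"instance gap at i={s.instance}"
        expected_cv = "none" if n == 1 else "pass"
        if s.cv != expected_cv:
            return False, f"i={n} cv={s.cv!r}, expected {expected_cv!r}"
        if s.seal_domain not in trusted:
            return False, f"i={n} sealed by untrusted domain {s.seal_domain}"
    return True, "all sealers trusted and chain consistent"


def dmarc_pass_via_arc(headers: List[Tuple[str, str]], trusted=TRUSTED_FORWARDERS) -> Tuple[bool, str]:
    """Decide whether the ARC chain lets us treat the message as DMARC-pass.
    The i=1 set is the hop closest to the author, so its AAR is the one used."""
    sets = parse_arc_sets(headers)
    usable, reason = arc_claims_usable(sets, trusted)
    if not usable:
        return False, reason
    first = sets[0]
    if first.aar_dmarc == "pass":
        return True, f"dmarc=pass asserted by trusted sealer {first.seal_domain} at i=1"
    return False, f"i=1 AAR claims dmarc={first.aar_dmarc}"


# Constructed sample header sets (not taken from the archived message).
TRUSTED_CHAIN = [
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1637792000; cv=none; d=ietf.org; s=sel; b=AAAA"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=ietf.org; s=sel; h=from:to:subject; bh=BBBB; b=CCCC"),
    ("ARC-Authentication-Results", "i=1; ietfa.amsl.com; dkim=pass header.d=example.org; dmarc=pass header.from=example.org"),
    ("From", "Author <author@example.org>"),
]
# Same dmarc=pass claim, but sealed by a domain the receiver knows nothing about.
UNTRUSTED_CHAIN = [
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1637792000; cv=none; d=unknown-sealer.example; s=sel; b=DDDD"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=unknown-sealer.example; s=sel; h=from:to:subject; bh=EEEE; b=FFFF"),
    ("ARC-Authentication-Results", "i=1; unknown-sealer.example; dmarc=pass header.from=example.org"),
    ("From", "Author <author@example.org>"),
]
# Two trusted hops, but the second seal carries cv=none where cv=pass is expected.
BROKEN_CV_CHAIN = [
    ("ARC-Seal", "i=2; a=rsa-sha256; t=1637792100; cv=none; d=lists.example.net; s=sel; b=GGGG"),
    ("ARC-Authentication-Results", "i=2; lists.example.net; arc=pass; dmarc=pass header.from=example.org"),
] + TRUSTED_CHAIN

if __name__ == "__main__":
    for label, chain in [("trusted", TRUSTED_CHAIN), ("untrusted", UNTRUSTED_CHAIN), ("broken cv", BROKEN_CV_CHAIN)]:
        print(label, dmarc_pass_via_arc(chain))
```

The decision hinges entirely on the local trust list, which is exactly the gap the message points at: without some out-of-band basis for trusting a sealer (a reputation system, a per-forwarder allow-list, or the kind of prior-correspondence evidence Baptiste describes), an ARC set that says dmarc=pass is just an unverified assertion from whoever sealed it.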