Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
Michael Thomas <mike@mtcc.com> Mon, 25 January 2021 17:48 UTC
Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 798083A1627 for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKbN9ucBw_dH for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:48:40 -0800 (PST)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8DF3A160F for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:48:40 -0800 (PST)
Received: by mail-pl1-x62e.google.com with SMTP id u11so8082686plg.13 for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:48:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=kDVga8Si80Oz6emNYPxGLtgtUmTDlv+RFoLYrPRSSJM=; b=ehrYZXIA7r6uBffZ/dZOLlTmWKl+Kpgz/KbCttw34BtKWTI0sdl6HMSfNISCUIPqP/ awG5eGMJGsug4x8uZiQSbO4xtf7e7SIERUcmW+Z4EXCXFMIhBMH5iP5ZHpVC3b4VFC1O C6b2/xY6KAX8mCp5j5Rt1qLTlscC9f8ZJzQPFn6xLJAGpZKElKEZHrJbNESmeNrBtjow 6BAl5mC+25MiY0i+mAaNhET/G5Hk98HUq8juHF39CMrNnd1LvIfQOqHC7So9KY9jnAg/ B08YNreX2gIL6RwVRZAYXbNXBwH4LYGkFSjaIdJl54pFad9jHWkFpjo82Seg2+L4fiTA j3vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=kDVga8Si80Oz6emNYPxGLtgtUmTDlv+RFoLYrPRSSJM=; b=kmOFgF8PWwEtXoqMDfNyd58qcsEk6hjrGepXWKpRXqSXdn3DejCIfteCXAIGRbml2J MCMrcVGgpVwzig/k0sjXDigI7kY6Kwh6A5/XBVJIPqsQOaLnzKTaHdWZS/F/cuBOiu82 aBWjPScWGDtE7KbA8mVvoX+jQXbwLOXNdppnKkmifrrJSjJqxgL1BOYeEufDpcZ/o2ts xyLNNqOc3Fu4kVfsrFiuJgxbSotw8v5jZNB7X/7TdNbHdvGNZiOAV8b0MeTWtXBm6zc9 iNEnyDzBuj4zqLU98ldOhY8+vPis/f0Qk0cjqaY5HXwu5EOyNm1ihWFOs2yuqqERLoCD sXcg==
X-Gm-Message-State: AOAM532RI7tt63QXIRlYov2eyvqjvCVJqsuIXgCx4YuIMQ3i5jj5JjA1 4pEjqLwG6uioNT6moUOaZ7VkOgk8f+Z4WQ==
X-Google-Smtp-Source: ABdhPJzVbEE3tv9YH9AhHsQwuR+Y46HP1YIoOycCPwObi2Fx1BYG1VWHgyX5IF7CJIGK+AzGUL3cdw==
X-Received: by 2002:a17:90a:4209:: with SMTP id o9mr1396869pjg.75.1611596919745; Mon, 25 Jan 2021 09:48:39 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id g17sm18080660pgg.78.2021.01.25.09.48.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Jan 2021 09:48:39 -0800 (PST)
To: Seth Blank <seth@valimail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Douglas Foster <dougfoster.emailstandards@gmail.com>
References: <34317129-8225-fb38-4ad3-e1b9ffed21fb@iecc.com> <9c84fa50-d23c-a794-fc62-09788ac383a9@mtcc.com> <CAHej_8mTaFo7aESFk4pHjbqbheriYPoAy6f+HhcE6ASVJSyViA@mail.gmail.com> <df867378-5da0-b912-2a0f-b2081d1f2437@mtcc.com> <CAHej_8kfCC1H89pRjgxXK=+BizJHFdKgnr7Gxh_2wWq8P7L-0Q@mail.gmail.com> <a94cb6c0-0a32-da8d-4bd5-9c7ab2866c82@mtcc.com> <CAH48ZfxkQ9g-gmBOPdDsxr4RDvXOi56EaX=aJVDbuL_g7kR+xQ@mail.gmail.com> <CAOZAAfOB93fpYRjwxgQNkG-ydVHLtvgUp0LLROvv-F-amJVy4w@mail.gmail.com> <b9e8da8e-f46a-49c0-4196-1d50ed94d526@mtcc.com> <CAOZAAfPh4kYq0yXhtP9BaPmtP_rc7L-0f=r3Ff_P3oxrhYqvtw@mail.gmail.com> <fd74120f-bfad-ef51-64d7-2f8ec4f00fab@mtcc.com> <CAOZAAfP7oMCtV_1E4+8kZS5Jb1C-nddR_QtLauF6shGY9z7Bqw@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <e27b3887-fb7f-6203-bbc3-9911b4bcb8ad@mtcc.com>
Date: Mon, 25 Jan 2021 09:48:37 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAOZAAfP7oMCtV_1E4+8kZS5Jb1C-nddR_QtLauF6shGY9z7Bqw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------321B764A515C7788CDAE896D"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YPyzL49wbl4aeSuCwUobkNn1mYk>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2021 17:48:49 -0000
That text is not very clear to say the least. It's written in a very passive voice. What is wrong with the text I provided? It should be made very explicit like I did with what the responsibility of the sender and receiver is. Mike On 1/25/21 9:40 AM, Seth Blank wrote: > Michael, as an individual, I don't disagree. What's not clear about > the current text? > > https://tools.ietf.org/html/rfc7489#section-7.2.1.1 > <https://tools.ietf.org/html/rfc7489#section-7.2.1.1> > > Email streams carrying DMARC feedback data MUST conform to the DMARC > mechanism, thereby resulting in an aligned "pass" (seeSection 3.1 <https://tools.ietf.org/html/rfc7489#section-3.1>). > This practice minimizes the risk of report consumers processing > fraudulent reports. > > On Mon, Jan 25, 2021 at 9:32 AM Michael Thomas <mike@mtcc.com > <mailto:mike@mtcc.com>> wrote: > > Why is this controversial? Seriously. What is controversial about > saying that the a report should authenticate? The onus is on the > people who say it does not to lay out the case for why it's not a > problem, not me. #98 has a simple piece of text to remedy this. > it's 2021. You don't use unauthenticated data if you can possibly > help it. > > Mike > > On 1/25/21 9:25 AM, Seth Blank wrote: >> Mike, how do you believe DMARC reports are consumed and utilized? >> I think you have a misunderstanding here which is why you're >> going down this path and everyone else is pushing back. >> >> On Mon, Jan 25, 2021 at 9:22 AM Michael Thomas <mike@mtcc.com >> <mailto:mike@mtcc.com>> wrote: >> >> Taking in information from unauthenticated sources and acting >> on it is an operational problem per se. Have we learned >> nothing in the last 30 years? >> >> Mike >> >> On 1/25/21 9:19 AM, Seth Blank wrote: >>> What operational problem are we solving here? Absent >>> evidence of a problem and strong consensus on the solution, >>> let's close these tickets and move on. >>> >>> On Mon, Jan 25, 2021 at 9:10 AM Douglas Foster >>> <dougfoster.emailstandards@gmail.com >>> <mailto:dougfoster.emailstandards@gmail.com>> wrote: >>> >>> Since the status quo is unauthenticated, I wonder if >>> adding a signing requirement will help. >>> Will recipients discad unsigned messages, or accept >>> whatever is available to maximize their information >>> capture? I suspect they will conrinye to accept everything. >>> >>> I think we would need an identified threat before >>> recipients would be motivated to discard. >>> >>> But what about John's problems with receiving reports >>> that should not have gone to him? I did not understand >>> the root cause, but I would hope there is something that >>> can be done. Would signing help receiving sites, those >>> with less sophistication than he has, be able to sort >>> out noise more effectively? >>> >>> >>> On Mon, Jan 25, 2021, 11:51 AM Michael Thomas >>> <mike@mtcc.com <mailto:mike@mtcc.com>> wrote: >>> >>> >>> On 1/25/21 8:44 AM, Todd Herr wrote: >>>> On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas >>>> <mike@mtcc.com <mailto:mike@mtcc.com>> wrote: >>>> >>>> >>>> The main thing I've learned over the years of >>>> dealing with security is to not underestimate >>>> what a motivated attacker can do. Your >>>> imagination is not the same as their >>>> imagination. Closing #98 in particular is >>>> absolutely ridiculous: the report should >>>> already have a DKIM signature or SPF so it's >>>> just a matter of making sure its valid. Why >>>> would you *not* want to insure that? The amount >>>> of justification for *not* having the receiver >>>> authenticate it is a mountain. The amount of >>>> effort to authenticate it is trivial for mail. >>>> Levine's dismissal of security concerns because >>>> he has anecdotal "evidence" from a backwater >>>> domain carries no weight at all. >>>> >>>> >>>> That's all well and good, but you haven't answered >>>> the question I asked. >>>> >>>> What threats do you have in mind? Put another way, >>>> how do you envision an attacker exploiting the lack >>>> of authentication in a DMARC report to his or her gain? >>>> >>> No, sorry, the onus is on the people who don't think >>> it can be gamed. A bald assertion that it can't be >>> gamed is very unconvincing. You need to lay out a >>> miles long case for why it cannot be gamed. And to >>> what end? #98 has a simple piece of text that should >>> be added to DMARC to eliminate the possibility of >>> forgery. You'd need a 10 page threat I-D to explain >>> why it's not necessary. What is the point of that? >>> For email, it's trivial to prevent forgeries. Why >>> would anybody argue against that? >>> >>> Mike >>> >>> _______________________________________________ >>> dmarc mailing list >>> dmarc@ietf.org <mailto:dmarc@ietf.org> >>> https://www.ietf.org/mailman/listinfo/dmarc >>> <https://www.ietf.org/mailman/listinfo/dmarc> >>> >>> _______________________________________________ >>> dmarc mailing list >>> dmarc@ietf.org <mailto:dmarc@ietf.org> >>> https://www.ietf.org/mailman/listinfo/dmarc >>> <https://www.ietf.org/mailman/listinfo/dmarc> >>> >>> >>> >>> -- >>> *Seth Blank*| VP, Standards and New Technologies >>> *e:*seth@valimail.com <mailto:seth@valimail.com> >>> *p:*415.273.8818 >>> >>> >>> This email and all data transmitted with it contains >>> confidential and/or proprietary information intended solely >>> for the use of individual(s) authorized to receive it. If >>> you are not an intended and authorized recipient you are >>> hereby notified of any use, disclosure, copying or >>> distribution of the information included in this >>> transmission is prohibited and may be unlawful. Please >>> immediately notify the sender by replying to this email and >>> then delete it from your system. >>> >> >> >> -- >> *Seth Blank*| VP, Standards and New Technologies >> *e:*seth@valimail.com <mailto:seth@valimail.com> >> *p:*415.273.8818 >> >> >> This email and all data transmitted with it contains confidential >> and/or proprietary information intended solely for the use of >> individual(s) authorized to receive it. If you are not an >> intended and authorized recipient you are hereby notified of any >> use, disclosure, copying or distribution of the information >> included in this transmission is prohibited and may be unlawful. >> Please immediately notify the sender by replying to this email >> and then delete it from your system. >> > > > -- > *Seth Blank*| VP, Standards and New Technologies > *e:*seth@valimail.com <mailto:seth@valimail.com> > *p:*415.273.8818 > > > This email and all data transmitted with it contains confidential > and/or proprietary information intended solely for the use of > individual(s) authorized to receive it. If you are not an intended and > authorized recipient you are hereby notified of any use, disclosure, > copying or distribution of the information included in this > transmission is prohibited and may be unlawful. Please immediately > notify the sender by replying to this email and then delete it from > your system. >
- [dmarc-ietf] Tickets 98 and 99 -- fake reports ar… John R. Levine
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Todd Herr
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Todd Herr
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Douglas Foster
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Murray S. Kucherawy
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Todd Herr
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… John Levine
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… John Levine
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Douglas Foster
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Douglas Foster
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… John Levine
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Todd Herr
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Alessandro Vesely
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Alessandro Vesely
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… John R Levine
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Alessandro Vesely
- [dmarc-ietf] reporting security requirements Michael Thomas
- Re: [dmarc-ietf] reporting security requirements Seth Blank
- Re: [dmarc-ietf] reporting security requirements Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Todd Herr
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Steven M Jones
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Michael Thomas
- Re: [dmarc-ietf] Tickets 98 and 99 -- fake report… Seth Blank