IETF Logo Mail Archive

Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Michael Thomas <mike@mtcc.com> Mon, 25 January 2021 17:48 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 798083A1627 for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKbN9ucBw_dH for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 09:48:40 -0800 (PST)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8DF3A160F for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:48:40 -0800 (PST)
Received: by mail-pl1-x62e.google.com with SMTP id u11so8082686plg.13 for <dmarc@ietf.org>; Mon, 25 Jan 2021 09:48:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=kDVga8Si80Oz6emNYPxGLtgtUmTDlv+RFoLYrPRSSJM=; b=ehrYZXIA7r6uBffZ/dZOLlTmWKl+Kpgz/KbCttw34BtKWTI0sdl6HMSfNISCUIPqP/ awG5eGMJGsug4x8uZiQSbO4xtf7e7SIERUcmW+Z4EXCXFMIhBMH5iP5ZHpVC3b4VFC1O C6b2/xY6KAX8mCp5j5Rt1qLTlscC9f8ZJzQPFn6xLJAGpZKElKEZHrJbNESmeNrBtjow 6BAl5mC+25MiY0i+mAaNhET/G5Hk98HUq8juHF39CMrNnd1LvIfQOqHC7So9KY9jnAg/ B08YNreX2gIL6RwVRZAYXbNXBwH4LYGkFSjaIdJl54pFad9jHWkFpjo82Seg2+L4fiTA j3vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=kDVga8Si80Oz6emNYPxGLtgtUmTDlv+RFoLYrPRSSJM=; b=kmOFgF8PWwEtXoqMDfNyd58qcsEk6hjrGepXWKpRXqSXdn3DejCIfteCXAIGRbml2J MCMrcVGgpVwzig/k0sjXDigI7kY6Kwh6A5/XBVJIPqsQOaLnzKTaHdWZS/F/cuBOiu82 aBWjPScWGDtE7KbA8mVvoX+jQXbwLOXNdppnKkmifrrJSjJqxgL1BOYeEufDpcZ/o2ts xyLNNqOc3Fu4kVfsrFiuJgxbSotw8v5jZNB7X/7TdNbHdvGNZiOAV8b0MeTWtXBm6zc9 iNEnyDzBuj4zqLU98ldOhY8+vPis/f0Qk0cjqaY5HXwu5EOyNm1ihWFOs2yuqqERLoCD sXcg==
X-Gm-Message-State: AOAM532RI7tt63QXIRlYov2eyvqjvCVJqsuIXgCx4YuIMQ3i5jj5JjA1 4pEjqLwG6uioNT6moUOaZ7VkOgk8f+Z4WQ==
X-Google-Smtp-Source: ABdhPJzVbEE3tv9YH9AhHsQwuR+Y46HP1YIoOycCPwObi2Fx1BYG1VWHgyX5IF7CJIGK+AzGUL3cdw==
X-Received: by 2002:a17:90a:4209:: with SMTP id o9mr1396869pjg.75.1611596919745; Mon, 25 Jan 2021 09:48:39 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id g17sm18080660pgg.78.2021.01.25.09.48.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Jan 2021 09:48:39 -0800 (PST)
To: Seth Blank <seth@valimail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Douglas Foster <dougfoster.emailstandards@gmail.com>
References: <34317129-8225-fb38-4ad3-e1b9ffed21fb@iecc.com> <9c84fa50-d23c-a794-fc62-09788ac383a9@mtcc.com> <CAHej_8mTaFo7aESFk4pHjbqbheriYPoAy6f+HhcE6ASVJSyViA@mail.gmail.com> <df867378-5da0-b912-2a0f-b2081d1f2437@mtcc.com> <CAHej_8kfCC1H89pRjgxXK=+BizJHFdKgnr7Gxh_2wWq8P7L-0Q@mail.gmail.com> <a94cb6c0-0a32-da8d-4bd5-9c7ab2866c82@mtcc.com> <CAH48ZfxkQ9g-gmBOPdDsxr4RDvXOi56EaX=aJVDbuL_g7kR+xQ@mail.gmail.com> <CAOZAAfOB93fpYRjwxgQNkG-ydVHLtvgUp0LLROvv-F-amJVy4w@mail.gmail.com> <b9e8da8e-f46a-49c0-4196-1d50ed94d526@mtcc.com> <CAOZAAfPh4kYq0yXhtP9BaPmtP_rc7L-0f=r3Ff_P3oxrhYqvtw@mail.gmail.com> <fd74120f-bfad-ef51-64d7-2f8ec4f00fab@mtcc.com> <CAOZAAfP7oMCtV_1E4+8kZS5Jb1C-nddR_QtLauF6shGY9z7Bqw@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <e27b3887-fb7f-6203-bbc3-9911b4bcb8ad@mtcc.com>
Date: Mon, 25 Jan 2021 09:48:37 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAOZAAfP7oMCtV_1E4+8kZS5Jb1C-nddR_QtLauF6shGY9z7Bqw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------321B764A515C7788CDAE896D"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YPyzL49wbl4aeSuCwUobkNn1mYk>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2021 17:48:49 -0000

That text is not very clear to say the least. It's written in a very 
passive voice. What is wrong with the text I provided? It should be made 
very explicit like I did with what the responsibility of the sender and 
receiver is.

Mike

On 1/25/21 9:40 AM, Seth Blank wrote:
> Michael, as an individual, I don't disagree. What's not clear about 
> the current text?
>
> https://tools.ietf.org/html/rfc7489#section-7.2.1.1 
> <https://tools.ietf.org/html/rfc7489#section-7.2.1.1>
>
>     Email streams carrying DMARC feedback data MUST conform to the DMARC
>     mechanism, thereby resulting in an aligned "pass" (seeSection 3.1  <https://tools.ietf.org/html/rfc7489#section-3.1>).
>     This practice minimizes the risk of report consumers processing
>     fraudulent reports.
>
> On Mon, Jan 25, 2021 at 9:32 AM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>     Why is this controversial? Seriously. What is controversial about
>     saying that the a report should authenticate? The onus is on the
>     people who say it does not to lay out the case for why it's not a
>     problem, not me. #98 has a simple piece of text to remedy this.
>     it's 2021. You don't use unauthenticated data if you can possibly
>     help it.
>
>     Mike
>
>     On 1/25/21 9:25 AM, Seth Blank wrote:
>>     Mike, how do you believe DMARC reports are consumed and utilized?
>>     I think you have a misunderstanding here which is why you're
>>     going down this path and everyone else is pushing back.
>>
>>     On Mon, Jan 25, 2021 at 9:22 AM Michael Thomas <mike@mtcc.com
>>     <mailto:mike@mtcc.com>> wrote:
>>
>>         Taking in information from unauthenticated sources and acting
>>         on it is an operational problem per se. Have we learned
>>         nothing in the last 30 years?
>>
>>         Mike
>>
>>         On 1/25/21 9:19 AM, Seth Blank wrote:
>>>         What operational problem are we solving here? Absent
>>>         evidence of a problem and strong consensus on the solution,
>>>         let's close these tickets and move on.
>>>
>>>         On Mon, Jan 25, 2021 at 9:10 AM Douglas Foster
>>>         <dougfoster.emailstandards@gmail.com
>>>         <mailto:dougfoster.emailstandards@gmail.com>> wrote:
>>>
>>>             Since the status quo is unauthenticated, I wonder if
>>>             adding a signing requirement will help.
>>>             Will recipients discad unsigned messages, or accept
>>>             whatever is available to maximize their information
>>>             capture?  I suspect they will conrinye to accept everything.
>>>
>>>             I think we would need an identified threat before
>>>             recipients would be motivated to discard.
>>>
>>>             But what about John's problems with receiving reports
>>>             that should not have gone to him?   I did not understand
>>>             the root cause, but I would hope there is something that
>>>             can be done. Would signing help receiving sites, those
>>>             with less sophistication than he has, be able to sort
>>>             out noise more effectively?
>>>
>>>
>>>             On Mon, Jan 25, 2021, 11:51 AM Michael Thomas
>>>             <mike@mtcc.com <mailto:mike@mtcc.com>> wrote:
>>>
>>>
>>>                 On 1/25/21 8:44 AM, Todd Herr wrote:
>>>>                 On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas
>>>>                 <mike@mtcc.com <mailto:mike@mtcc.com>> wrote:
>>>>
>>>>
>>>>                     The main thing I've learned over the years of
>>>>                     dealing with security is to not underestimate
>>>>                     what a motivated attacker can do. Your
>>>>                     imagination is not the same as their
>>>>                     imagination. Closing #98 in particular is
>>>>                     absolutely ridiculous: the report should
>>>>                     already have a DKIM signature or SPF so it's
>>>>                     just a matter of making sure its valid. Why
>>>>                     would you *not* want to insure that? The amount
>>>>                     of justification for *not* having the receiver
>>>>                     authenticate it is a mountain. The amount of
>>>>                     effort to authenticate it is trivial for mail.
>>>>                     Levine's dismissal of security concerns because
>>>>                     he has anecdotal "evidence" from a backwater
>>>>                     domain carries no weight at all.
>>>>
>>>>
>>>>                 That's all well and good, but you haven't answered
>>>>                 the question I asked.
>>>>
>>>>                 What threats do you have in mind? Put another way,
>>>>                 how do you envision an attacker exploiting the lack
>>>>                 of authentication in a DMARC report to his or her gain?
>>>>
>>>                 No, sorry, the onus is on the people who don't think
>>>                 it can be gamed. A bald assertion that it can't be
>>>                 gamed is very unconvincing. You need to lay out a
>>>                 miles long case for why it cannot be gamed. And to
>>>                 what end? #98 has a simple piece of text that should
>>>                 be added to DMARC to eliminate the possibility of
>>>                 forgery. You'd need a 10 page threat I-D to explain
>>>                 why it's not necessary. What is the point of that?
>>>                 For email, it's trivial to prevent forgeries. Why
>>>                 would anybody argue against that?
>>>
>>>                 Mike
>>>
>>>                 _______________________________________________
>>>                 dmarc mailing list
>>>                 dmarc@ietf.org <mailto:dmarc@ietf.org>
>>>                 https://www.ietf.org/mailman/listinfo/dmarc
>>>                 <https://www.ietf.org/mailman/listinfo/dmarc>
>>>
>>>             _______________________________________________
>>>             dmarc mailing list
>>>             dmarc@ietf.org <mailto:dmarc@ietf.org>
>>>             https://www.ietf.org/mailman/listinfo/dmarc
>>>             <https://www.ietf.org/mailman/listinfo/dmarc>
>>>
>>>
>>>
>>>         -- 
>>>         *Seth Blank*| VP, Standards and New Technologies
>>>         *e:*seth@valimail.com <mailto:seth@valimail.com>
>>>         *p:*415.273.8818
>>>
>>>
>>>         This email and all data transmitted with it contains
>>>         confidential and/or proprietary information intended solely
>>>         for the use of individual(s) authorized to receive it. If
>>>         you are not an intended and authorized recipient you are
>>>         hereby notified of any use, disclosure, copying or
>>>         distribution of the information included in this
>>>         transmission is prohibited and may be unlawful. Please
>>>         immediately notify the sender by replying to this email and
>>>         then delete it from your system.
>>>
>>
>>
>>     -- 
>>     *Seth Blank*| VP, Standards and New Technologies
>>     *e:*seth@valimail.com <mailto:seth@valimail.com>
>>     *p:*415.273.8818
>>
>>
>>     This email and all data transmitted with it contains confidential
>>     and/or proprietary information intended solely for the use of
>>     individual(s) authorized to receive it. If you are not an
>>     intended and authorized recipient you are hereby notified of any
>>     use, disclosure, copying or distribution of the information
>>     included in this transmission is prohibited and may be unlawful.
>>     Please immediately notify the sender by replying to this email
>>     and then delete it from your system.
>>
>
>
> -- 
> *Seth Blank*| VP, Standards and New Technologies
> *e:*seth@valimail.com <mailto:seth@valimail.com>
> *p:*415.273.8818
>
>
> This email and all data transmitted with it contains confidential 
> and/or proprietary information intended solely for the use of 
> individual(s) authorized to receive it. If you are not an intended and 
> authorized recipient you are hereby notified of any use, disclosure, 
> copying or distribution of the information included in this 
> transmission is prohibited and may be unlawful. Please immediately 
> notify the sender by replying to this email and then delete it from 
> your system.
>

v2.23.0 | Report a Bug | By Email