IETF Logo Mail Archive

Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 19 July 2021 10:59 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23D913A2F41 for <dmarc@ietfa.amsl.com>; Mon, 19 Jul 2021 03:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kbvWZF-I2nGZ for <dmarc@ietfa.amsl.com>; Mon, 19 Jul 2021 03:59:19 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2DEE3A2F3A for <dmarc@ietf.org>; Mon, 19 Jul 2021 03:59:19 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id c197so20194223oib.11 for <dmarc@ietf.org>; Mon, 19 Jul 2021 03:59:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LXl4IW0/BeIuCsVwGj4aRzNHXdR7G4HZDpj3yM6kyhs=; b=Crgdpu5fAFNMt6/kvS7KTzM3eog2KAaBciYyJX+qZE6tMg+YFrfoB9seYfOffer7fN jba51o629q62+3OEEb79TMU9Y5c6wb3z0SW50uo/DDypXv5Mpc66as2SBntQgFqDGlVb 0f6EOwaHztI9awePEV8E61RZB34vJnG3AI+V55zPUPepfy1RbOjup0UPcq6wOKmX8vfH dYpreUcqF5Y2Uh6IE2AAEWzw6B0du6vRhjwMY3EIiGhW9my7V+rBlGiNZQYqNKIE3VUz GsTzwRIz2/DSlEERlQqpBznh6P+2Ki2qabgUhnv5FtbCZUCeVBk22lPHfDDuVjhpJOZ1 3b4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LXl4IW0/BeIuCsVwGj4aRzNHXdR7G4HZDpj3yM6kyhs=; b=JIFJlEQsBFRRv60yNbBApat7MHsdjOVBNqSWM/5kPhz698MEMPl2pT7j1DHnXlzAeT x1rjJvco6rRAAmFKwCgT01Sn0G8mretCRX1kLPiUbIhr24muM7YoXlCSSTpJOPCh8wTM GP4JroMxm5Dny+AREc1YcAqnPzYxqAeuE8RHa6STWSPK1e9JlPiksVpdu3tFkAAHG2lr SU0rZ4yhkSRlJ1vm3Z3OT0XoDrgWmm9eykA9gqJgGpg7xQT3YiBgJ1yzAjOEh0naUsjA M6jmOUk3GI4FgNNyKAlXejDB4tJeXkhR9foeHAQ9vzdXP1ZeRh17ve7PTzT6CCUZ0q7I sWiQ==
X-Gm-Message-State: AOAM532A53yytkTdMzOWLdl3L9R7HmZ2RMkbP9/UlX7I9oh6hLatKs2k T/93PYx6q+7Xth84bKHWoJV0zgHnNwyuX1WDSms=
X-Google-Smtp-Source: ABdhPJyIXD619+0KnywrIeFSjDdMonSHtsfqtX/xfS9v1s0U4iHK8qgJZjd0prPaF2Ge4bby3jqhXQ2DQzbFLMQXY/4=
X-Received: by 2002:a05:6808:1153:: with SMTP id u19mr21664648oiu.20.1626692357900; Mon, 19 Jul 2021 03:59:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com> <CAH48Zfys9cwTskjjdeJ14Y-wDBuqLseDEEiNvwC9BonLAwMyVw@mail.gmail.com> <CAHej_8mTF7DFwDiCHBq_mK40E+vuFS6iB+MQ3Co3pS=ZdqXkcg@mail.gmail.com>
In-Reply-To: <CAHej_8mTF7DFwDiCHBq_mK40E+vuFS6iB+MQ3Co3pS=ZdqXkcg@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 19 Jul 2021 06:59:07 -0400
Message-ID: <CAH48ZfwUAfwG93ZOoFp+Xbor-chZ-X0Pbd9OGdAs3mxsTFHxEw@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000026cd0a05c777d4a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ZUeM79gEgQqChuHek9u9jLn-yRc>
Subject: Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jul 2021 10:59:24 -0000

Todd, the new language has addressed my concerns about PCT.

As a message evaluator, PCT is an unreasonable request.   If I follow the
requested approach, it pretty much guarantees that I will block wanted
messages and allow unwanted messages.    I don't want to explain to a
C-level executive that a message was mishandled because "the random number
generator told me to do it."

PCT is also a significant data collection effort.   That collection effort
may represent a significant processing load, since every
non-authenticated record requires looking back over all received messages
in a chosen time period.   Obviously, that algorithm can be tuned, but the
tuning process is costly in time, labor, and stability risk.

I suppose that the issue here is that domain owners are concerned about the
message recipients who never send RUA reports.   Once enforcement is turned
on, SMTP reject and non-delivery reports provide feedback from more sources
(any source that does not discard silently).   The domain owner is unlikely
to get non-delivery reports from spam sources, so any notification about
messages that are blocked for DMARC-related reasons will be indications of
legitimate messages that were handled contrary to domain owner
preferences.   I understand the concern, I just don't see it as compatible
with my own security needs.

A partial solution lies in my proposal for an intermediate enforcement
option.   This option should be called "relaxed" mode, for consistency with
other standards.     The domain owner chooses whether
- SPF policy record is required in DNS,
- DKIM public key is required in DNS,
- From "existence" indicator is required in DNS, or
a domain-owner ARC Set is required in the message.
These are independently selectable enforcements; and they provide a domain
owner the opportunity to get reject and NDR information on a limited scale,
based on the feature selected and the weak nature of the test.

Domain owners who want to tolerate mailing list messages will stay in
relaxed mode permanently, and it provides more security than P=NONE.
Domain owners that want to block mailing list messages would eventually
switch to "strict", which is the same as our current P=REJECT.

Doug Foster




On Tue, Jul 13, 2021 at 2:10 PM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Tue, Jul 13, 2021 at 7:03 AM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> I understand that under the current specification, PCT has been useful
>> because P=NONE with PCT=100 produces different results than QUARANTINE with
>> PCT=0.   This is an anomaly that I would hope we can fix, but if not, we
>> need to specify that the only valid settings are PCT=0 or PCT=100.   The
>> specification should force numbers between 1 and 99 to be interpreted as
>> either 0 or 100.
>>
>> The current PCT specification is fatally flawed because the denominator
>> is undefined and unstable.  Suppose that a domain owner concludes that most
>> but not all of his traffic will produce DMARC PASS.   Should the percentage
>> be based on message volume or Source IP counts?    Either way, the volume
>> distribution received by any single evaluator will be different than the
>> volume distribution sent out.
>>
>> But the larger problem is that the evaluator is performing a conditional
>> probability, because the policy is only applied to messages that produce
>> DMARC FAIL.    If there is no impersonation, an unauthenticated message has
>> a 100% probability of being legitimate.    The denominator is determined by
>> the volume of impersonation messages, not by the volume of legitimate
>> messages.   The percentage offered by the sending domain owner is useless.
>>
>> Next, assume that an accurate probability can be determined, and that 80%
>> of unauthenticated messages are legitimate and 20% are impersonations.
>> Does it make sense to apply that probability rule to
>> message disposition?    It will produce these results:
>>
>> Legitimate and DMARC ignored, message accepted = 80%*80% = 64% of total
>>
>> Legitimate and DMARC enforced, message blocked = 80%*20% = 16% of total
>>
>> Impersonation and DMARC ignored, message accepted = 20%*80% = 16% of total
>>
>> Impersonation and DMARC enforced, message blocked = 20%*20% = 4% of total
>>
>> Therefore, the correct decision is applied only 68% of the time, and the
>> wrong decision is applied 32% of the time.   This is unsatisfactory for
>> protecting against ransomware, and also unsatisfactory for reliably
>> delivering wanted messages.
>>
>> The actual volume of impersonating messages will be determined by the
>> spammer, not by the domain owner, so the whole notion of choosing a
>> percentage is flawed.    The domain owner does not have the information
>> needed to provide a usable percentage.   The message evaluator can only
>> determine the percentage by carefully examining many messages and
>> categorizing the source.  Once the source is categorized, guessing is no
>> longer necessary and the percentage is irrelevant.
>>
>>
>>
> I believe you'll find that your ideas, or at least sentiments quite
> similar to them, are captured in draft-ietf-dmarc-dmarcbis-02
>
> First, draft-ietf-dmarc-dmarcbis-02 makes a small but substantial change
> to the definition of the pct tag from what's currently in RFC 7489. Where
> RFC 7489 reads:
>
>    pct:  (plain-text integer between 0 and 100, inclusive; OPTIONAL;
>       default is 100).  Percentage of messages from the Domain Owner's
>       mail stream to which the DMARC policy is to be applied.
>
>
> draft-ietf-dmarc-dmarcbis-02 instead starts with this text:
>
>    pct:  (plain-text integer between 0 and 100, inclusive; OPTIONAL;
>
>       default is 100).  For the RFC5322.From domain to which the DMARC
>
>       record applies, the "pct" tag is the percentage of messages
>
>       producing a DMARC result of "fail" to which the Domain Owner
>       wishes its preferred handling policy be applied.
>
> Since the concept of applying DMARC policy to messages that produce a
> DMARC result of "pass" doesn't exist, it doesn't make sense to claim that
> "pct" applies to the entire mailstream.
>
> Next, draft-ietf-dmarc-dmarcbis-02 contains a substantial rewrite of the
> Message Sampling section (now section 6.7.4) that goes to great lengths to
> attempt to show that the desired pct value really can't be counted on to be
> applied as asked for, and what might actually happen could vary widely from
> what's desired.
>
> https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/
>
>
> --
>
> *Todd Herr* | Technical Director, Standards and Ecosystem
> *e:* todd.herr@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email