IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dotzero <dotzero@gmail.com> Mon, 17 August 2020 13:19 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF14B3A1518 for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 06:19:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYcufi3OxP1w for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 06:19:02 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11F053A14E7 for <dmarc@ietf.org>; Mon, 17 Aug 2020 06:19:01 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id n129so14863805qkd.6 for <dmarc@ietf.org>; Mon, 17 Aug 2020 06:19:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/xmjlRSY0ECSmpsazv61UGKuAZq5dR/kBQIIOp3N9QI=; b=b8toshMq/3VgswzQIfu5bSUb0n7JG9nKGwaaafXd0557cQ6IAt3CKnNTg3SKpkV622 m2b1BSxviUUxqgMDJbATj0Qa6ubU5O/r/BJNpmdoRECWdZGFIVpmzMx3kIUVC0NDBlFf f8S9KVu8BW7/rB/wmwOfV57FCtZbXpaI9jJ1Q1lv3jVK0z8oj78nVXNSVWk0hymuJE6e +XazPpxjlGwzYxGMWlB5UM6xS1mf1G9qI8MUmZxYklARxg79eZcwiNh/X49Z6EtZAjNI P/w1k57mP+UwuZjClMrrlYs0DOawIAOQuY0c/ouI7MfBrSosCuQ3oWBywfHmONYoOUjO RDkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/xmjlRSY0ECSmpsazv61UGKuAZq5dR/kBQIIOp3N9QI=; b=dVwmlPsbGAMwaOdE512YKKsJAHPocEyXTxBl3O9AZXF2AXTU8NO2LGr2oL7y08VoV7 B83oBq9ZrTF//NunfNZH63aSbKFubHQlGuP4SjTnyNFRYq4K1RGkSO57j+hYDic4XvTs SrxDFVK5mYQ6rW/hT3l0a+MrbI69qYQMKUWNPNgAoMCtSZsS5eBEwSMACt0ujurOo08T YicEJN7r4hjWovhwWxDMFJfjAg8tQzGk0Q5qSBTf5p0c7GGFEfEVW0Nai+pHXFhPEt5z JzefYgVSN93uoz8Z9KsalAUgO5AmpwWQ6HGibkE0CFeDLt5RvHN9+uW1YV8K1+omVyyF tRtw==
X-Gm-Message-State: AOAM533Br81uaMiOV5zGzefVIuh4RQ1t63aQvbIPtMFhvRmHiUaiLHsA dsLO5AILG81NXLxAqqmhtaMZt7auZwts2fuSGVB7L4NS
X-Google-Smtp-Source: ABdhPJwDbmaCcmlYETP4m6Ca1gdTjVUQXWphXJ8Sp6RsXQlvXtBC5BZwsPUftEWGUdJWNSGnZ9+FqXE5Iix1aPvfoJo=
X-Received: by 2002:a05:620a:545:: with SMTP id o5mr12242274qko.187.1597670341048; Mon, 17 Aug 2020 06:19:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net> <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it> <c972e0af-b589-1780-47b3-8cb2a2024ec2@dcrocker.net> <13a0ed72-2c5a-8ba6-84ab-b857e29403f1@tana.it> <b5935bde-e8-78ef-ed17-90a1d730aa9d@taugh.com> <8CCCBF0C-8651-4298-BB29-457381655D1D@wordtothewise.com> <beba49bc-e599-4f5b-72ad-2328938af9da@tana.it> <7FC8E909-1A13-4682-B3D8-EAD76F2B02BB@wordtothewise.com>
In-Reply-To: <7FC8E909-1A13-4682-B3D8-EAD76F2B02BB@wordtothewise.com>
From: Dotzero <dotzero@gmail.com>
Date: Mon, 17 Aug 2020 09:18:50 -0400
Message-ID: <CAJ4XoYcx=doEfrN2M=X8OZQF0Nq+AFRLYqTgrsr1zMFSJVwziw@mail.gmail.com>
To: Laura Atkins <laura@wordtothewise.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025808b05ad129d07"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_AWhEX5tE2U_WHJ6ix5Rjj_Q9Bs>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 13:19:04 -0000

On Mon, Aug 17, 2020 at 8:22 AM Laura Atkins <laura@wordtothewise.com>
wrote:

>
>
> On 17 Aug 2020, at 12:25, Alessandro Vesely <vesely@tana.it> wrote:
>
> On Mon 17/Aug/2020 11:46:55 +0200 Laura Atkins wrote:
>
>
> The forum page is off the FTC website, but the document links are
> still accessible:
>
>
>
> A copy is here:
>
> https://web.archive.org/web/20120603201012/https://www.ftc.gov/bcp/workshops/e-authentication/
>
> A sentence says:
>
>    The Report, however, identified domain-level authentication as a
>    promising technological development that would enable Internet
>    Service Providers (‘‘ISPs’’) and other domain holders to better
>    filter spam, and that would provide law enforcement with a potent
>    tool for locating and identifying spammers.
>
>
> And, 17 years on, we know that domain level authentication doesn’t
> actually help filter spam nor does it provide law enforcement with a potent
> tool for locating and identifying spammers. It was promising, it didn’t
> live up to the promise.
>
> There were a lot of thrown at the wall during those 3 days of talks. One
> of them was domain level opt-out. Another was a global opt-out list similar
> to the postal opt-outs run by the DMA. Another was a technology called
> TEOS. HashCash. The list of things we discussed as promising solutions was
> extensive. Just because we discussed a particular kind of solution does not
> mean that anything was decided. It also doesn’t mean that any particular
> solution mentioned was workable.
>
>
> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day1.pdf
>
> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day2.pdf
>
> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day3.pdf
>
>
>
> Thanks.  Let me quote a paragraph by Paul Q. Judge, from the 3rd pdf:
>
>    It doesn't require that one day everyone turns it on and we begin
>    to drop the rest of the e-mail and break e-mail.  If a domain
>    decides to turn it on, then they've prevented forgery for their
>    domain and they're protected.  For persons that have not turned it
>    on, then their e-mail still flows but they are not able to
>    stop people from forging messages from their domain.  So, I think
>    it's something useful and can be deployed incrementally.
>
>
> We know, now, that turning on domain level protection does not stop
> phishing attacks against that company. It stops direct spoofing of the
> domain, but the phishers simply use a completely different domain. Just
> this weekend I got a PayPal phish. PayPal who helped invent DMARC are still
> getting spoofed and phished. Sure, the phishers aren’t using the
> paypal.com domain, but that doesn’t seem to have any effect on their
> success at stealing money from people.
>

You raise an interesting point, Laura. Whatever "solutions" we put in
place, the abusers/bad guys will evolve. One of the problems for the good
guys (for some definition of good) is that standards work takes years
(decades?)  while the bad  guys change their tactics at will. Crime existed
before the Internet and will continue long after we are all dead and buried.

> It seems we're still stuck midstream...
>
>
> Stuck at what? Many of the people who were at that conference are still
> working in the field and understand both the purpose and what came out of
> the forum. I’d also say that most of what happened there is a nice bit of
> history but is also irrelevant to addressing the spam problem as it is now.
> Email has evolved significantly in the last 5 years, much less the last 15.
> We can use the discussion as history to say “we looked at this and it
> didn’t work” but I don’t really see a lot of value in saying “let’s retread
> things from a decade and a half ago that didn’t work.”
>

I think the most
 useful thing we can say about the FTC workshops is that they were a
forcing mechanism that instigated a lot of effort and innovation in the
space. Some of those efforts fell by the wayside and some still persist.

Michael Hammer

v2.23.0 | Report a Bug | By Email