Re: [dmarc-ietf] DMARC threat analysis needed
"Murray S. Kucherawy" <superuser@gmail.com> Sun, 19 July 2020 00:14 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D22923A0EA0 for <dmarc@ietfa.amsl.com>; Sat, 18 Jul 2020 17:14:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dL7gY6iFQKjE for <dmarc@ietfa.amsl.com>; Sat, 18 Jul 2020 17:14:05 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 727F13A0E9F for <dmarc@ietf.org>; Sat, 18 Jul 2020 17:14:05 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id g4so3961929uaq.10 for <dmarc@ietf.org>; Sat, 18 Jul 2020 17:14:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qqtNjoM97FGf1TFl3Dn5pjQmNFVJiCseEfnALkdFu1c=; b=RYo9S3sDrxzeRHBD/hPmjAXxHoD2kNnJUn7LMVwU0VupluO5crkp03eRV8ExmGFm+v F+CLx6T5PIxYEWOXJc5W4q2/E1oBj4X1ukxjB0YCX5BwC4D+JG9r7FJXFNurw8xqqXDV 0iG4tlJmFnRjhzyVSFLe0G4X2TZ0+1VW1FBX8eWaZhrjCtxyTj82o69bK/2J71C+1nYD Od5l/UJ0Mn6PLK9A+9flVUwl17dscsPu80XqihdihlJ+tDGfFsrKHv2jrBSoSn6Imp3a bDjCGYAD1XO/16rxxu3VY8vJ8zSGGhxH4fdRvmgjcviYBVsZTrZNaAf66c2sEm7dPTMf GI0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qqtNjoM97FGf1TFl3Dn5pjQmNFVJiCseEfnALkdFu1c=; b=XWJoF0knglAyAX+vcAMceJCD6ouIpweFqTwJRBO9wyDWyo3FX8gRlRnD1/oBO0+zlq iumxPgJ3VLKRNG2gk70zkqvKMeb3eryRPpoPm2rFN6midSuXOBxuKEsLvtGZCNpiF4he ZkmGpSfLnVNyAkMkMz91fAOmegoj7/uqX4KJArhR83OfNPp2ElTTVDkb1oIYg6jmhimN yWnaTXXGAJd9DeLtD7Q77jLvIan/QlWJhv0nJaiCb7A7wQhtNDoUaeutfvvcxIfW6wyM oEy9V8nZTE5BOF4aQRJG4ApJG4WkmMMq6toc+rG9TGVpkw4KbaCANKAIswpMBeKDZXr3 P0sA==
X-Gm-Message-State: AOAM533QNrM70SN6kYIWTgtbuSOh8PezH+KXh/NuDxDr+SinbIPHtclp 5HttSFMsY0FUxKEJvYPtkUUy06401JZ/m6fVBbnsSQ==
X-Google-Smtp-Source: ABdhPJxHoeU/cMN7H5hrEk053hbLRzJegsBC+tDRGtC+jWkruXlnERnkiZQV7A1G3bqfaj79TQK5i+wPGPBk5/nuGyk=
X-Received: by 2002:a9f:2a8e:: with SMTP id z14mr12233681uai.47.1595117644328; Sat, 18 Jul 2020 17:14:04 -0700 (PDT)
MIME-Version: 1.0
References: <ab2296fb-201a-3bfb-f61c-27848ac5acf3@bluepopcorn.net> <CAJ4XoYdU1==PJOKKuG+WFv1sSYD=rudPsoDpEPrbY8+f0FmMXA@mail.gmail.com> <f774bb8f-d586-4368-05ff-d277e8645d54@bluepopcorn.net>
In-Reply-To: <f774bb8f-d586-4368-05ff-d277e8645d54@bluepopcorn.net>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sat, 18 Jul 2020 17:13:53 -0700
Message-ID: <CAL0qLwbq7pZE4TLPK6A9JspKy0XneK36hxAdrhiLb1Y-AcodOA@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000090b2c005aac044ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_sSW-n5MYNn663rkdFpUmJa9egc>
Subject: Re: [dmarc-ietf] DMARC threat analysis needed
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 00:14:07 -0000
On Sat, Jul 18, 2020 at 10:17 AM Jim Fenton <fenton@bluepopcorn.net> wrote: > Yes, the issues of cousin domains, homoglyphs, etc. are thrown out there > as reasons why DMARC is "irrelevant" to solving problems such as spam or > phishing. It doesn't solve spam but it does have an impact on phishing, if > only to push the bad guys to "push reality". If I get a phishing email from > a bank that is not my own, I as an end user am less likely to fall for that > particular phishing scheme. It makes it easier for validators/receivers to > differentiate real from Memorex. It's also important to recognize that the > environment isn't static. The bad guys are always thinking up new > approaches as the old/currnt ones yield declining results. This evolving > context is sometimes brandished against DMARC as an indicator that it isn't > useful. > > It's not that DMARC isn't useful. We need to consider (and document) the > threats that it is effective against (unauthenticated mail claiming to come > from a domain from which it should have been authenticated) and those it is > not effective against (homoglyphs, display name misuse, etc.). And then we > need to consider the collateral damage, such as against mailing lists and > their users, and do a cost/benefit analysis to determine whether the > benefit justifies the breakage. With 5 years of experience since RFC 7489 > was published it's reasonable to revisit these issues with the benefit of > that experience. > DMARC did attempt to document these shortcomings itself, for example in Section 12.4 of RFC 7489 which covers display name attacks. I imagine this would be carried forward into the standards track version, unless the working group wants to entertain the idea of breaking it all out and re-hashing it first. This working group also produced RFC 7960 which talks about the problems with respect to mailing lists. Maybe we have more data in the last four years? Still unresolved, IMHO, is Dave's point about whether the RFC5322.From domain truly matters. -MSK, most participatorially
- Re: [dmarc-ietf] DMARC threat analysis needed Doug Foster
- [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Dotzero
- Re: [dmarc-ietf] DMARC threat analysis needed Hector Santos
- Re: [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC threat analysis needed Alessandro Vesely
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC threat analysis needed Alessandro Vesely
- Re: [dmarc-ietf] DMARC threat analysis needed Brandon Long
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy