Re: [dmarc-ietf] Report bombing is a problem, Forensic report loops are not

Dotzero <dotzero@gmail.com> Mon, 01 February 2021 21:58 UTC

References: <49b248dc-91a7-7f2d-ba28-72fe8d6d356a@tana.it> <20210131200238.931356D11D79@ary.qy>
In-Reply-To: <20210131200238.931356D11D79@ary.qy>
From: Dotzero <dotzero@gmail.com>
Date: Mon, 01 Feb 2021 16:58:17 -0500
Message-ID: <CAJ4XoYe54BLvHOn3vuPr9VUPmqPUTq_Pdt91jOSRsUAfL+uO5A@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/bZN38HKfpiGKLE2IejVsidd3Fu4>
Subject: Re: [dmarc-ietf] Report bombing is a problem, Forensic report loops are not

On Sun, Jan 31, 2021 at 3:02 PM John Levine <johnl@taugh.com> wrote:

> In article <49b248dc-91a7-7f2d-ba28-72fe8d6d356a@tana.it> you write:
> >Rate limiting usually implies a number of buckets.  They are managed by
> >imposing limits per time periods, which can be either server-global or per
> >bucket.  Normally, for MSA usage, one has one bucket per user.  I have never
> >implemented failure reporting, but I'd guess buckets may vary.  Besides the
> >signing domain (which determines the report consumer), the receiving address,
> >the sender and the spam flag may deserve their own buckets.
>
> The only one that matters for DMARC reporting is the recipient
> address, since the purpose of rate limiting is to avoid overloading
> the recipient mail system. I wouldn't worry about trying to send a
> "representative" set of reports.
>
> Keep in mind that very few people send failure reports at all.
>

My experience is that most failure reports are provided through private
channels where there are contractual agreements in place to deal with
potential privacy and legal issues. This may be through intermediaries or
direct between the parties (sending organization and receiving
organization).

Understand that the DMARC effort came about because the original
participants felt it was useful in the private exchange of information
between senders and receivers. We felt it was better as an open standard
rather than as a private club.

From my perspective it is unfortunate that we can't seem to find a way to
implement a system where failure reports are available other than through
private channels.

> In my experience few of them are useful. Most of mine are ordinary mailing
> list messages where the failure is not surprising and does not mean
> that anything needs to be fixed.
>

I disagree with John about failure reports not being useful.  I have found
failure reports to be extremely useful in anti-abuse efforts. The value can
range from takedowns of images and links to maliciousness to shutting down
sources of maliciousness. In some cases it has proven useful to law
enforcement as documentation of activities.

Unfortunately, I think addressing some of this has to be beyond the scope
of the current effort.

Michael Hammer
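
The bucketing question in the quoted exchange, as an added example that is not part of the original message or of any DMARC implementation: a sliding-window limiter for failure reports, run once keyed only on the report recipient (the `ruf=` address) and once with an additional per-sender bucket. The limit (5 reports per 60 seconds), the event field names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class FailureReportLimiter:
    """Sliding-window limiter: at most max_reports per window_seconds per bucket key."""

    def __init__(self, max_reports, window_seconds, key):
        self.max_reports = max_reports
        self.window = window_seconds
        self.key = key                      # maps a failure event to its bucket
        self.sent = defaultdict(deque)      # bucket -> timestamps of reports sent

    def allow(self, event):
        q = self.sent[self.key(event)]
        while q and event["ts"] - q[0] >= self.window:
            q.popleft()                     # forget sends that left the window
        if len(q) >= self.max_reports:
            return False
        q.append(event["ts"])
        return True

def by_recipient(event):
    # One bucket per report consumer (hypothetical "ruf" field holds the ruf= address).
    return event["ruf"].strip().lower()

def by_recipient_and_sender(event):
    # Finer bucketing: a separate allowance for every envelope sender.
    return (by_recipient(event), event["mail_from"].lower())

def reports_delivered(events, key, max_reports=5, window_seconds=60):
    """Count the reports each report consumer would receive under the given bucketing."""
    limiter = FailureReportLimiter(max_reports, window_seconds, key)
    delivered = defaultdict(int)
    for event in sorted(events, key=lambda e: e["ts"]):
        if limiter.allow(event):
            delivered[by_recipient(event)] += 1
    return dict(delivered)

# Constructed sample: 100 failing messages in 100 seconds, each with a different
# envelope sender, all reportable to one ruf= address, plus 3 failures for an
# unrelated domain.
SAMPLE = [{"ts": t, "ruf": "dmarc-ruf@example.com", "mail_from": f"u{t}@sender.example"}
          for t in range(100)]
SAMPLE += [{"ts": t, "ruf": "ruf@example.net", "mail_from": "list@lists.example"}
           for t in (10, 20, 30)]

if __name__ == "__main__":
    print(reports_delivered(SAMPLE, by_recipient))
    print(reports_delivered(SAMPLE, by_recipient_and_sender))
```

With the per-sender bucket added, every one of the 100 events lands in a fresh bucket and the limit never engages for that recipient; keyed on the recipient alone, the same traffic is capped at the configured rate.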