Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis
Scott Kitterman <sklist@kitterman.com> Sun, 06 August 2023 20:46 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 144B0C151544 for <dmarc@ietfa.amsl.com>; Sun, 6 Aug 2023 13:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="yPCoFdrl"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="mMuWncE+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ekysn1Mc8sHt for <dmarc@ietfa.amsl.com>; Sun, 6 Aug 2023 13:45:58 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BD6EC14F75F for <dmarc@ietf.org>; Sun, 6 Aug 2023 13:45:58 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 792A5F80134; Sun, 6 Aug 2023 16:45:48 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1691354733; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=sSyVYWXsEUzhM2qXpGmyU8MZwlCgDzWyLQWI3P6TGao=; b=yPCoFdrl7mAKiAnQOQfFyL6QhNagliK6chjaQQKi71Pbx+IDB0sTupdo24x9K5zeUryk0 q93uqv68cYGlg5WCA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1691354733; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=sSyVYWXsEUzhM2qXpGmyU8MZwlCgDzWyLQWI3P6TGao=; b=mMuWncE+sWmfrWI02k+M7FP9s2LV6md8i0PiRfo0KYsAWSB/QAUloeh1I/6Uj4o93MGoC UO6RlUnPPtHgVDlgRZ6+gPmXgu30tLpUGdgojNo6niIdOye/2SCbB6OPsIpdesQ92cp0ANi T77jS/tifmJdvb0ybH3KAlk3Zw9i7riUmzfPgwp0Jay7U0imYqQgO2eMS7IsRmAU1qVzplS tB4gMnFb+2oMaycn7U0P/yvl5FZCTT1Bvg9SxKmZnedkhoItNOk4d75kyb7fWq5rDHE5iVG l6MH6o0xwyfmwDk4k7Q+RgqBp4txOBM/xBUmfxVYJnGhtRYFz51//pJCLsqQ==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 7C429F800CC; Sun, 6 Aug 2023 16:45:33 -0400 (EDT)
Date: Sun, 06 Aug 2023 20:45:25 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <CAAFsWK119cvS8VxfVMCdewPRKLNk4Zfa2R0-MYfb6CY9SJC7tQ@mail.gmail.com>
References: <20230805195903.26505FF79E6F@ary.qy> <3536799.mSVOu7074L@localhost> <2B846955-E465-4A1F-9F89-3DDDB8B362CF@isdg.net> <3611454.GY1gGpy5ap@localhost> <CAAFsWK119cvS8VxfVMCdewPRKLNk4Zfa2R0-MYfb6CY9SJC7tQ@mail.gmail.com>
Message-ID: <DB3C9948-9BCE-4939-966A-86BB66AA2D80@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/dHOug6X8ZtCS-nO6d_SHJev8eJE>
Subject: Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Aug 2023 20:46:03 -0000
That reads to me as guidance for DMARC implementers on how to integrate SPF and DKIM results for the purposes of DMARC. I think that's in scope for DMARCbis. There's a multitude of ways people can screw these things up and we won't be able to cover them all. The guidance needs to be somewhat high level. One of my favorites is a case I was asked to investigate where an ESP had transmitted a clearly forged email for one of their customers and the customer wanted to know why DMARC hadn't protected them, even though they had a p=reject policy. What happened was that the ESP received a DMARC fail email from an unrelated mail server that also had a valid ARC signature, so instead of rejecting the message, they allowed the ARC result to override the DMARC policy and accepted it. Then they relayed it to the final destination (which in the same domain as the From domain - which was owned by their customer). There's all kinds of things people can do to mess this up. I don't think it's obscure that one should only believe ARC results from trusted sources, but there we were. Scott K On August 6, 2023 8:07:31 PM UTC, Wei Chuang <weihaw=40google.com@dmarc.ietf.org> wrote: >I don't think having this language is saying you can't do SPF. Rather this >is about preventing new spoofing attacks on DMARC aligned identity. In >particular where previously this attack was not possible on forwarders that >honored the p=reject policy, now that they will downgrade to quarantine, it >opens a new vector that should be reviewed to prevent this attack. I >propose this because I've seen the forwarding attack with SPF on ups.com. >The Liu et. al. paper notes that they were able to spoof the From header >government e.g. state.gov, financial and legal companies with SPF. You >noted that it's feasible with DKIM too. The RFC should ask forwarders to >do this review when they p=reject downgrade otherwise it does add systemic >risk to the DMARC protected From identity. > >-Wei > >On Sun, Aug 6, 2023 at 11:38 AM Scott Kitterman <sklist@kitterman.com> >wrote: > >> On Sunday, August 6, 2023 2:10:35 PM EDT Hector Santos wrote: >> > > On Aug 5, 2023, at 5:37 PM, Scott Kitterman <sklist@kitterman.com> >> wrote: >> > > >> > > On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote: >> > >> It appears that Scott Kitterman <sklist@kitterman.com> said: >> > >>>> When receivers apply the "MUST NOT reject" in Section 8.6 to accept >> > >>>> unauthenticated messages as quarantined messages, receivers SHOULD >> > >>>> carefully review how they forward mail traffic to prevent additional >> > >>>> security risk. That is, this downgrade can enable spoofed messages >> > >>>> that >> > >>>> are SPF DMARC authenticated with a fraudulent From identity despite >> > >>>> having >> > >>>> an associated strong DMARC policy of "p=reject". ... >> > >> >> > >> We all realize that SPF has problems, but I really do not want to fill >> > >> up the DMARC document with text that says "you can authenticate with >> > >> SPF, hahaha no just kidding." >> > >> >> > >> The way to fix Microsoft's forwarding SPF problem is for Microsoft to >> put >> > >> the forwarding user's bounce address on the message, not for us to >> tell >> > >> the entire world to use kludgy workarounds. >> > > >> > > I agree. We need to be careful to solve protocol problems in the >> protocol >> > > and leave fixing implementation problems to implementers. We aren't >> > > going to protocol our way out of bad implementation decisions. >> > >> > Taken within the good-intention, protocol-compliant implementations, >> which >> > one do we add as “Implementations Notes?” Which or rather What are >> > “Current Practice”behavior can we note? >> >> I think best current practice goes in a different document. Maybe we do >> that >> after DMARCbis is buttoned up? >> >> Scott K >> >> >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc >>
- [dmarc-ietf] Proposal for additional Security Con… Wei Chuang
- Re: [dmarc-ietf] Proposal for additional Security… Scott Kitterman
- Re: [dmarc-ietf] Proposal for additional Security… Tim Wicinski
- Re: [dmarc-ietf] Proposal for additional Security… John Levine
- Re: [dmarc-ietf] Proposal for additional Security… John Levine
- Re: [dmarc-ietf] Proposal for additional Security… Scott Kitterman
- Re: [dmarc-ietf] Proposal for additional Security… Alessandro Vesely
- Re: [dmarc-ietf] Proposal for additional Security… Scott Kitterman
- Re: [dmarc-ietf] Proposal for additional Security… Hector Santos
- Re: [dmarc-ietf] Proposal for additional Security… Scott Kitterman
- Re: [dmarc-ietf] Proposal for additional Security… Wei Chuang
- Re: [dmarc-ietf] Proposal for additional Security… Douglas Foster
- Re: [dmarc-ietf] Proposal for additional Security… Wei Chuang
- Re: [dmarc-ietf] Proposal for additional Security… Wei Chuang
- Re: [dmarc-ietf] Proposal for additional Security… John R Levine
- Re: [dmarc-ietf] Proposal for additional Security… Scott Kitterman
- Re: [dmarc-ietf] Proposal for additional Security… Wei Chuang