IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Emanuel Schorsch <emschorsch@google.com> Sat, 15 April 2023 03:13 UTC

Return-Path: <emschorsch@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78456C14CE33 for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:13:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.595
X-Spam-Level:
X-Spam-Status: No, score=-16.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, FUZZY_PAYPAL=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjK8PvHqR9fb for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:13:03 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF068C14CEFE for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:13:03 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id f10so6751546vsv.13 for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:13:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681528382; x=1684120382; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aGYpSKBgDqggAS2JskQLuEUVZMJzEAGvPeQrJO/t1Eo=; b=hrnJPtQJjI+VjbhEiKKZCBZA9x+k4x/Uv01dGntrE1BINkUQDSYKdl2zRpFyYUTMKk chJyYRxBLEFvNZdZFuExRhm/9eEW9i+/qzjzKjC2ZTXQeOP4UiGmDZmV46KDj1pIx3iF Yj4V2t6mRQuhMfd33zmaXMnVmRsqw2xDvyTYwz4Q34TTZRinX0CYAKj7vxMEPrRkuKrl AxvOmpL5DNd+9fndaYU2DWjvFacZLufms9ocbLL6IuGNwMAoHVitBHjEwKqgLfmklrRc 4VtmxgW9vUN8DZLeXyksKEpNzdtFGSNBmVIZ2wHyA7CL8PZMg58KatDj/7vT3dfx9CsL aZyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681528382; x=1684120382; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aGYpSKBgDqggAS2JskQLuEUVZMJzEAGvPeQrJO/t1Eo=; b=Fro5DUOV3vZ904yQ8w4J3mB1UggtlrlDHj887QNo8ZLIb0vYACOuErVJkUUF3RF0yv 1h2fYmKEzOy5cT77p/GxTd76xzm0/a3U7J5h+wATVEEq/fkn8EY1jHX6CD4j8gwMxpq5 2HTHZFujXFHCoeTAH2eSZXvsdeUNEfYNSutbQVTsi/f33q48Jm6w6ifztoCRneeTgwE2 KPuS70z7O95DLs8QveLtQ8DRP902gpyJFCf/Lq18yfyadVQlMp+Ut++yX/XqhoEK1ZmI z55VYSUOAn51DHWQWSSsOySYospYrprfFTuwvYiSun5/g5Y+eIOwjcAUiPFQSPGY9e32 k6zg==
X-Gm-Message-State: AAQBX9cqgO71Th3TKbTSf1qUbJXJzkbO2WHiF5DJm50rWUwnhvFZWkMF zdOjx2Cs4gpcla9s6g3sZoA/JINjH0Q0JJMZMmJafA==
X-Google-Smtp-Source: AKy350a5zft8wwGJmzpnqLYJI4fSM8/1rq0lXMRgOZ73gsIVGsdWIWDib9fGp066K3OIHRRgTNK2KcWWaG78AD86YWE=
X-Received: by 2002:a67:d715:0:b0:42c:79de:eabf with SMTP id p21-20020a67d715000000b0042c79deeabfmr5058114vsj.7.1681528382075; Fri, 14 Apr 2023 20:13:02 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com> <CALaySJLY-9O1Wauk50WMMobNs3cKUzmB+=np080nYCHEZa32UA@mail.gmail.com> <3129648.WqDQmVRvLn@localhost> <CAJ4XoYe3Z8=G8H6hQFuiMMwfZQt1JvLpK3bQmrtGCz=b-w=CJA@mail.gmail.com> <86E22FA6-759F-40F3-AEA3-119EE90F64A0@kitterman.com> <80086446-effa-7ee2-91c7-1f44449d92fb@tekmarc.com> <CAL0qLwaKO5A_OSjod00msw+8EALOUqYzeXb_aPjVhQ2R1wZKJg@mail.gmail.com> <def03c2f-25ec-d3f1-1ea5-678b16369f61@tana.it> <8D2F4B6A-2E72-4763-8B1F-719236B21D1E@wordtothewise.com> <CAH48ZfxP3F0jueQwsFyXBUojQryO2NOhCZzKxbLiZMHW3h10Zg@mail.gmail.com> <5ABFFAF7-4B03-4CCC-81C2-303A6B6F506E@wordtothewise.com> <f5a510b6-553c-e07c-c249-03a68c3cc60e@tana.it> <899E29E9-71E0-49DC-A3C4-746766C7EC67@wordtothewise.com> <CAJ4XoYftxv21D7mhXdRzg+f4Qo99Y=qcZ+eK5_PvPv62hVbM_A@mail.gmail.com> <CAL0qLwZKNWuFgrLvPfP=qxviYZuiUq1EMaL-QG=xe1AA4_Tg2g@mail.gmail.com> <CAH48ZfzyeAYBg=eFOw0aHcusDLA=QQ7CTp5P_S5VWwmdQDmqOA@mail.gmail.com> <CAL0qLwYrXAgP5qR6B+aTU5gop07E1AzC+QWTOixbJSq1occe5A@mail.gmail.com>
In-Reply-To: <CAL0qLwYrXAgP5qR6B+aTU5gop07E1AzC+QWTOixbJSq1occe5A@mail.gmail.com>
From: Emanuel Schorsch <emschorsch@google.com>
Date: Fri, 14 Apr 2023 23:12:25 -0400
Message-ID: <CAFcYR_VzGmukoB18f1FW5PdXaD=bG6u-_yOSV2kz4NYOVS-9QA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e5094705f9575539"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/dJvbWFonE3hlVGr4IEKFsLFqorw>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 03:13:07 -0000

I agree there are no silver bullets. But different policies make fighting
abuse harder or easier. To give a concrete example we see huge volumes of
abuse spoofing "gmail.com" fromHeader. There are also a huge number of
benign parties that have become accustomed to spoofing "gmail.com". This
makes it much more challenging to get it perfectly right when
distinguishing the abusive cases from the benign cases. I point this out
mainly to emphasize two points:
1) There is real abuse happening for domains that don't yet have a policy
beyond p=none. This abuse has noticeably higher volumes than other sources
of spoofing.
2) When benign traffic routinely follows the same practices as
spammers/phishers it makes it more difficult to cleanly separate the
buckets.

Compare this to the abuse levels we see spoofing Paypal, a domain with a
p=reject policy. Of course there's no silver bullet and the levels aren't
zero. There is DisplayName spoofing, there is cousin domain spoofing. But,
it is substantially easier to mitigate against these because there are very
few benign users sending mail from paypaI.com (using a capital i), or using
a display name of "Paypal" signing with random domains and sending large
volumes. From what I have seen, spoofing a domain like Paypal is
substantially harder to scale because the benign and abusive cases are much
more cleanly separated.

I would love to find a way for Mailing Lists to operate without the pain of
from-munging and also give domains like gmail.com a tool to protect
themselves. Obviously we are not there yet, so instead there is a very real
and painful tradeoff to consider. I don't know what the solution is (maybe
mailing lists can use from-munging, ARC and X-Original-From and destination
receivers that participate can then unmunge it if that receiving user
trusts that mailing list?). But I think we should be able to agree that
there is a real security risk that stricter DMARC policies provide value
against, AND that those stricter policies degrade the mailing list
experience. Of course that says nothing about whether or not that tradeoff
is reasonable or should be made :)

Instead of being forced to pick between two unappealing options I would
love to put more effort into figuring out solutions that make both cases
work. Maybe there is no solution. But I am optimistic that with some
creative thinking and group problem solving we can work out something that
protects against domain impersonation and allows Mailing Lists to work more
effectively than the current solutions.

On Fri, Apr 14, 2023 at 10:08 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Fri, Apr 14, 2023 at 6:47 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> Unless a mailing list has controls in place to ensure that EVERY post
>> comes from the asserted participant, it is the height of hypocrisy to ask
>> an evaluator to assume that the post is from the asserted participant.
>>  IETF cannot do even the easiest part of that task, so I have no reason to
>> expect better elsewhere.
>>
>
> Nobody is asking the evaluator to assume anything.  That's what email
> authentication is about; it shouldn't assume anything, and you only really
> know something when you get a "pass".  Reacting harshly to a "fail" when
> there are so many legitimate ways the current authentication schemes can
> fail is folly.  But people are looking for silver bullets, so here we are.
>
> A world free of fraudulent email is a laudable goal, of course.  But since
> DMARC can only actually affect direct domain attacks, and makes no
> discernible attempt to mitigate cousin domain or display name attacks to
> which attackers can trivially switch, I think I'd like to see some proof
> that it staves off enough of the darkness to be worth this level of defense.
>
> -MSK, participating
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email