[dmarc-ietf] ARC questions

Michael Thomas <mike@mtcc.com> Sat, 21 November 2020 21:32 UTC

To: dmarc@ietf.org
From: Michael Thomas <mike@mtcc.com>
Message-ID: <dcc265f9-a143-5093-eba0-94ee059c7cc7@mtcc.com>
Date: Sat, 21 Nov 2020 13:32:54 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gMDVFoGDJfLMux3jD7ZBHR22gKk>
Subject: [dmarc-ietf] ARC questions

Hi all, long time.

I finally read through the ARC spec after seeing it accidentally in mail 
headers wondering what it was, especially since it was so DKIM like. My 
barely informed take is that it allows intermediaries to say "this is 
what it looked like to me at this point [and before I messed it]". So 
far, so good. It seems that a receiver can then verify the ARC 
signature, especially if the "original" DKIM signature is broken. So far, 
so good again.

If I'm a receiver who is going to be making some filtering decisions 
based on ARC, I see that it passed by some authenticator along the way 
which is fine, but my question is why I should trust that intermediary 
in general? I mean, this is easy if it's gmail since I know google has 
an interest in good email practices out of band, but what if the ARC 
signer is actually an attacker that I have no idea who they are?

Which is to say, how do I go about trusting the ARC signer to not be 
doing something bad? I don't have a specific attack in mind (still too 
new to this), but say if spam.com ARC signs a message it adulterates to its 
advantage, how do I know that I should disregard its ARC results? Or 
maybe not so much disregard results per se, but not want to "accept" the 
changes to the original message?

Ok, maybe here is an attack. Suppose this message is scraped by a 
spammer since this is a public email list. It has a broken original DKIM 
signature but a valid ARC signature from ietf.org. The attacker takes 
the message, adds the Viagra scams in the body to the ARC signed message 
and reinjects the new message toward the targets of their choice (? 
mailing list members only? not sure).

Or did I miss where ARC resigns the body? Or is there a tie in for ARC 
with the mailing list's resigned DKIM signature for the new message?

Sorry so many questions, and probably misunderstanding what's going on.

Mike
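A toy model of the mechanism the questions above turn on, added here and not part of the post or of RFC 8617 (the key table, domains and message are constructed, and HMAC stands in for the RSA keys a real verifier fetches from DNS): the ARC-Message-Signature carries a body hash just like DKIM, so a body edited after the last seal fails chain validation, while a cryptographically valid chain from an unknown sealer is still left to the receiver's local trust policy.

```python
import hashlib, hmac

# Constructed stand-in for the sealer public keys a verifier fetches from DNS; real ARC uses RSA.
KEYS = {"ietf.org": b"ietf-key", "spam.com": b"spam-key"}

def _sig(domain, data):
    return hmac.new(KEYS[domain], data.encode(), hashlib.sha256).hexdigest()

def _ams_input(msg):
    # Like DKIM, the ARC-Message-Signature binds a body hash (bh=) plus selected headers.
    bh = hashlib.sha256(msg["body"].encode()).hexdigest()
    return f"bh={bh};from={msg['from']};subject={msg['subject']}"

def _seal_input(sets):
    # The ARC-Seal covers every ARC header so far (earlier seals included), never the body.
    parts = [f"i={s['i']};d={s['d']};cv={s['cv']};aar={s['aar']};ams={s['ams']}" for s in sets]
    return "|".join(p + (f";as={s['as']}" if s is not sets[-1] else "") for p, s in zip(parts, sets))

def seal(msg, domain, auth_results, cv_seen):
    """Intermediary adds ARC set i over the message as it forwards it, i.e. after its own edits."""
    s = {"i": len(msg["arc"]) + 1, "d": domain, "aar": auth_results, "cv": cv_seen}
    s["ams"] = _sig(domain, _ams_input(msg))
    s["as"] = _sig(domain, _seal_input(msg["arc"] + [s]))
    msg["arc"].append(s)
    return msg

def verify(msg):
    """Receiver: every seal must verify, but only the newest AMS (later hops may break older ones)."""
    sets = msg["arc"]
    if not sets:
        return {"cv": "none", "sealers": []}
    for n, s in enumerate(sets, 1):
        ok = s["i"] == n and s["d"] in KEYS and s["cv"] == ("none" if n == 1 else "pass")
        if not ok or s["as"] != _sig(s["d"], _seal_input(sets[:n])):
            return {"cv": "fail", "sealers": []}
    if sets[-1]["ams"] != _sig(sets[-1]["d"], _ams_input(msg)):  # body/headers changed after last seal
        return {"cv": "fail", "sealers": []}
    return {"cv": "pass", "sealers": [s["d"] for s in sets]}

def arc_may_override_dkim(msg, trusted_sealers):
    """Local policy, which RFC 8617 leaves to the receiver: cv=pass AND every sealer is one you trust."""
    r = verify(msg)
    return r["cv"] == "pass" and all(d in trusted_sealers for d in r["sealers"])

def scenarios():
    post = {"from": "mike@mtcc.com", "subject": "ARC questions", "body": "Hi all, long time."}
    via_list = seal(dict(post, body=post["body"] + "\n-- list footer", arc=[]), "ietf.org", "dkim=pass", "none")
    replayed = dict(via_list, body=via_list["body"] + "\nBuy pills!")  # body edited after ietf.org sealed it
    via_spammer = seal(dict(post, arc=[]), "spam.com", "dkim=pass", "none")  # valid chain, unknown sealer
    return {"list": verify(via_list)["cv"], "replay": verify(replayed)["cv"], "spammer": verify(via_spammer)["cv"],
            "list_ok": arc_may_override_dkim(via_list, {"ietf.org"}), "spammer_ok": arc_may_override_dkim(via_spammer, {"ietf.org"})}
```

The replayed message fails because the ietf.org AMS no longer matches the edited body; the spam.com chain validates but is rejected by policy, which is the receiver's answer to "why should I trust that intermediary".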