Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

John Levine <johnl@taugh.com> Mon, 17 April 2023 16:05 UTC

Date: Mon, 17 Apr 2023 12:05:19 -0400
Message-Id: <20230417160520.0398EBF3F4F7@ary.qy>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
Cc: laura@wordtothewise.com
In-Reply-To: <4FD1C711-7A7D-40E5-88DE-95CDD248F92B@wordtothewise.com>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/h9wGKE8mIl-IS-aJWaUHoHdJeAQ>
Subject: Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

It appears that Laura Atkins  <laura@wordtothewise.com> said:
>Is this another issue we should document and make recommendations about? I was thinking along the line that transactional SaaS
>providers should fully support DMARC and should not allow companies using p=reject in their business mail to access the
>service? 

Section 2.4 says that everything other than the From: header is out of
scope. Section 11.4 describes display name attacks and it looks OK to
me. I suppose we might tweak 2.4 to clarify that anything other than
the mailbox in the RFC5322.From field is out of scope to avoid any
implication that we're talking about the comment part.

It's not exactly a secret that bad guys can use misleading comments as
easily as good guys. If we tried to enumerate all the ways that people
might do dumb things, we would die of old age before we finished so I
would prefer not to start.

At M3 people occasionally have talked about extending DMARC to cover
the From comment but it's such an ill-defined problem (what's
allowable? how could you tell?) that it has never gone anywhere.

R's,
John
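
The split discussed in this message, as an added example that is not part of the original post: the mailbox in RFC5322.From supplies the domain DMARC evaluates, while the display name is free text outside that check. The sample messages and function names are constructed for illustration, and the check covers only one narrow case (an address from another domain embedded in the display name), not display-name problems in general.

```python
import re
from email import message_from_string
from email.policy import default

# Rough pattern for something that looks like an address inside free text.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed sample messages (reserved .example domains).
SPOOFED = (
    'From: "Example Bank Support <support@bank.example>" <notices@mailer.example>\n'
    "Subject: Account notice\n\nbody\n"
)
PLAIN = "From: John Doe <john@corp.example>\nSubject: hi\n\nbody\n"


def from_identity(raw_message):
    """Return (display_name, author_domain) for a single-mailbox From header.

    author_domain comes from the mailbox (addr-spec) only; that is the
    identifier DMARC works from. The display name is returned separately
    because no DMARC check looks at it.
    """
    msg = message_from_string(raw_message, policy=default)
    addresses = msg["From"].addresses
    if len(addresses) != 1:
        raise ValueError("expected exactly one mailbox in From")
    mailbox = addresses[0]
    return mailbox.display_name, mailbox.domain.lower()


def display_name_domains(display_name):
    """Domains of address-like strings found in the display name text."""
    return {d.lower() for d in ADDR_IN_TEXT.findall(display_name)}


def display_name_mismatch(raw_message):
    """Domains shown in the display name that differ from the author domain."""
    name, author_domain = from_identity(raw_message)
    return sorted(d for d in display_name_domains(name) if d != author_domain)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("plain", PLAIN)):
        name, domain = from_identity(raw)
        print(label, "| DMARC domain:", domain, "| display name:", repr(name),
              "| mismatch:", display_name_mismatch(raw))
```

A message like the first sample can pass DMARC for mailer.example while the reader sees a bank.example address, which is why the display name has to be handled by receiver-side filtering or UI rather than by the DMARC result.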