Re: [dmarc-ietf] Two new fields in aggregate reports

"John Levine" <johnl@taugh.com> Fri, 25 October 2019 20:13 UTC


In article <682972a4-38e4-f5b2-3180-c5a03a3a08b4@tana.it>; you write:
>Looking at aggregate reports, you cannot tell whether an authentication failure
>is a sacrosanct signaling of your domain being abused rather than a legitimate
>user going through external forwarders.

Sure you can, you look at the IP address and see who it is.  In my reports I
see bursts of authentication failures from hosts that are obviously mailing
list servers, and lots of failures in China which are random spambots.

>In theory, reports can be something more than a debugging aid.  It has the
>potential to assemble a community where bad actors are identified and dismissed.

No, that's not what they're for and they don't have the necessary
info.  There are systems that compile data for IP reputation but
that's not what DMARC is.  The point of DMARC is to try to tell "is
this message really from X", not "is this message spam."

R's,
John
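As an added example (not part of John's message or of anything on the DMARC list): a small script that reads an RFC 7489 aggregate report and lists the DMARC-failing records per source IP, together with any raw (unaligned) SPF-passing envelope domain, which is usually what identifies a forwarder or mailing-list host as opposed to a spambot. The report XML is a constructed sample using RFC 5737 documentation addresses.

```python
"""Group DMARC-failing records of an RFC 7489 aggregate report by source IP.
Added example; the XML is a constructed sample using RFC 5737 addresses."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>lists.example.org</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>300</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.5</source_ip><count>12</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
 </record>
</feedback>"""

def failures_by_source(xml_text):
    """Return {source_ip: {"count": n, "spf_pass_domains": set}} for records
    where both aligned DKIM and aligned SPF failed, i.e. DMARC failed."""
    out = defaultdict(lambda: {"count": 0, "spf_pass_domains": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass":
            continue  # DMARC passed on at least one aligned identifier
        ip = row.findtext("source_ip")
        out[ip]["count"] += int(row.findtext("count"))
        # A raw (unaligned) SPF pass names the envelope domain that really
        # sent the mail, e.g. a mailing-list host; spambots usually have none.
        for spf in rec.iterfind("auth_results/spf"):
            if spf.findtext("result") == "pass":
                out[ip]["spf_pass_domains"].add(spf.findtext("domain"))
    return dict(out)

if __name__ == "__main__":
    for ip, info in sorted(failures_by_source(SAMPLE_REPORT).items(),
                           key=lambda kv: -kv[1]["count"]):
        print(ip, info["count"], sorted(info["spf_pass_domains"]) or "-")
```

The passing record from 203.0.113.5 is dropped; the remaining two fail DMARC identically, and only the raw SPF domain separates the list host from the unauthenticated source.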