Re: [dmarc-ietf] Two new fields in aggregate reports

Alessandro Vesely <vesely@tana.it> Fri, 25 October 2019 18:35 UTC


Hi Dilyan,

On Fri 25/Oct/2019 12:51:43 +0200 Дилян Палаузов wrote:
> 
> I do not see how this helps for DMARC.  An email either validates DMARC, or
> fails DMARC and the aggregate reports say per sending IP server (only direct
> mail flow is reported), whether DMARC validates or fails.  With this
> information it is sufficient to determine, if the DMARC/DKIM implementations
> on sender and receiver are either both bug-free, or both have the same
> bugs.

Looking at aggregate reports, you cannot tell whether an authentication failure
is a sacrosanct signaling of your domain being abused rather than a legitimate
user going through external forwarders.


> I do not see, how the information you ask to add, while interesting, does
> help DMARC.
>
> What is the purpose of the aggregate and non-aggregate reports?  What are
> non-goals?  I asked several times here, nobody answered.  Perhaps a
> discussion on the goals and non-goals would help.

That was probably discussed already.  Now that we have some experience, we can
discuss further.

I know some very knowledgeable WG participants accumulate aggregate report
values in their own MySQL database (I'm not sure about the details).  Many
people, instead, outsource reports to specialized DMARC analyzers, who display
nice graphical summaries.  I run an XSLT transform of DMARC reports into an
HTML tabular format of one row per record.

In theory, reports can be something more than a debugging aid.  It has the
potential to assemble a community where bad actors are identified and dismissed.


> If it is a goal to reuse the dmarc-reporting mechanism to report also about
> perceived spam probability, then it can be discussed in more details how
> this can be achieved.

Well, spam score usually is high for phishing too.  To counter phishing is
DMARC's core business.


> My experience is, that asking a provider, why an obviously non-spam mail was
> evaluated as spam, virtually never leads to a useful answer.  So nobody
> wants to reveal how its spam system weighs factors and if there is lack of
> such interest, extending the report format will not help, as nobody will be
> willing to report the data.

This is a problem, indeed.  Large mailbox providers may fear that giving bad
scores to an IP can result in senders complaining against their
weighting method, requiring more personnel to answer back.  It should be made
clear that reports are given out AS IS, as a favor to senders, without liability.

Anyway, reporting MTAs don't have to reveal the method, just the result.


> Exchanging information on hard-coded rules in SpamAssassin (IP reputation,
> HTML mime part without text/plain, the “Nigeria money” phrase), that is not
> based on filter training, does not help either, as the sender can run the tests
> on its own and predict how the recipient will evaluate this set of
> criteria.

Changing the point of view, the perspective also changes.  In addition, by comparing
external scores to internal predictions, one has a chance to evaluate the
goodness of the reporting MTA.


Best
Ale
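As an added example, not part of this thread and not Alessandro's own XSLT: a Python equivalent of the transform he describes, flattening an RFC 7489 aggregate report into one row per record and rendering it as an HTML table. The sample report, its IP addresses and domains are constructed; the second record shows why an aligned DKIM/SPF failure alone cannot distinguish a forwarder from abuse.

```python
import xml.etree.ElementTree as ET
from html import escape
# Constructed RFC 7489 aggregate report with two records (not a real report).
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>receiver.test</org_name><report_id>constructed-1</report_id></report_metadata>
<policy_published><domain>example.org</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>12</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.org</header_from></identifiers>
<auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
<spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.org</header_from></identifiers>
<auth_results><dkim><domain>example.org</domain><result>fail</result></dkim>
<spf><domain>forwarder.test</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

COLUMNS = ("source_ip", "count", "disposition", "dkim", "spf", "header_from", "auth")

def _text(elem, path, default=""):
    """Text of the first element under elem matching path, else default."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default

def report_rows(xml_text):
    """Flatten each <record> into one dict: the 'one row per record' view."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        # Raw results show which domain signed or passed SPF; the aligned
        # pass/fail in policy_evaluated alone cannot tell a forwarder from abuse.
        auth = [f"{kind}={_text(a, 'domain')}:{_text(a, 'result')}"
                for kind in ("dkim", "spf") for a in rec.findall(f"auth_results/{kind}")]
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dkim": _text(rec, "row/policy_evaluated/dkim"),
            "spf": _text(rec, "row/policy_evaluated/spf"),
            "header_from": _text(rec, "identifiers/header_from"),
            "auth": " ".join(auth),
        })
    return rows

def to_html_table(rows):
    """Render the rows as an HTML table, escaping every cell value."""
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"
    body = "".join("<tr>" + "".join(f"<td>{escape(str(r[c]))}</td>" for c in COLUMNS) + "</tr>"
                   for r in rows)
    return f"<table>{head}{body}</table>"
```

Feed `to_html_table(report_rows(xml))` a real report's XML to get the same tabular view; values are HTML-escaped because report fields come from a third party.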