Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

Alessandro Vesely <vesely@tana.it> Sat, 18 July 2020 08:45 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11EA63A00B3 for <dmarc@ietfa.amsl.com>; Sat, 18 Jul 2020 01:45:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwVbTyE7PByq for <dmarc@ietfa.amsl.com>; Sat, 18 Jul 2020 01:45:16 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 448263A00AD for <dmarc@ietf.org>; Sat, 18 Jul 2020 01:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1595061912; bh=/jzkH7LHlPNioBbu6zpXVTIjjTcRKKaxfww3KOCOAFQ=; l=1310; h=To:References:From:Date:In-Reply-To; b=BBZdnw6+8qdmq8S8S8Yuq9RWQ88FSpjWjJBjOGm4MkWqlqaJZKvHpAt6kVW1NSMNq Kccxpv9zprrIewDnbCE9fwzVMHJ1gD85PZkbttmiIG8wRqKHdVr57YxuXSBn/I79D8 1KwT20MkrfN8IN+R5HgPe+gwEhPNNwJAkxLDDbkk/PqipA8VKUiwqjZwdNjNE
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC053.000000005F12B698.00000AA3; Sat, 18 Jul 2020 10:45:12 +0200
To: dmarc@ietf.org
References: <20200717210053.674D61D2C431@ary.qy>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <ab04e30f-1b10-64ae-0cc7-4924ed14fe24@tana.it>
Date: Sat, 18 Jul 2020 10:45:12 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20200717210053.674D61D2C431@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/kXZvK2jAPda4tLQIKH-Ak_ckt04>
Subject: Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jul 2020 08:45:18 -0000

On Fri 17/Jul/2020 23:00:53 +0200 John Levine wrote:
> In article <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> you write:
>>> I'd counter by personal anecdote that we have had to undertake 
>>> security remediations because of messages which were forwarded by our 
>>> CEO to other employees for responses which happened to contain malware 
>>> and/or bad links. ...
> 
>> Except that the problem isn't the email address, especially since almost 
>> no one sees those any more.  And the display name isn't protected.
> 
> Do we have any recent numbers on how many users see the From address rather
> than or in addition to the display name?


Similar problems are typosquatting and homograph attacks.  I heard the latter
is also being addressed in email clients, which implies they target users who
look beyond the display name.  We used to hold that DMARC does not cover those
topics.  Why should we worry about display names?

DMARC filtering is designed to operate at the (edge) MX, not MUA.  If applied 
consistently, it grants a well defined kind of protection.  That is just a 
building block, not a silver bullet.  Our problem is that DMARC filtering 
cannot be applied consistently, because of MLMs.  Lowering DMARC's contractual 
obligations is not a proper solution.


Best
Ale
--
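To make concrete the distinction the message draws between what DMARC filtering at the MX actually checks and what it leaves alone (display names, lookalike domains), here is an added example of RFC 7489 identifier alignment in Python. It is not code from this thread or from any DMARC implementation; it takes the SPF and DKIM verdicts a real verifier would already have produced as inputs, and its organizational-domain shortcut (last two labels instead of the Public Suffix List) and all messages, domains and policies are constructed for illustration.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) as an MX-side filter
would apply it.  Added example, not code from the thread.  SPF/DKIM results
are taken as inputs; no signature is verified here."""
from email.utils import parseaddr


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption for the example: organizational domain = last two labels.
    # RFC 7489 uses the Public Suffix List; this shortcut is wrong for
    # names like example.co.uk.
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not from_domain or not auth_domain:
        return False
    if mode == 's':
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_header, policy, spf_domain, spf_result, dkim_results):
    """
    from_header:  raw RFC5322.From value, e.g. 'Pat Example <ceo@example.com>'
    policy:       dict from parse_dmarc_record for the From domain
    spf_domain:   domain SPF was evaluated against (MAIL FROM / HELO)
    spf_result:   'pass' / 'fail' / ... as reported by the SPF verifier
    dkim_results: list of (d= domain, verifier result), one per signature
    Returns (dmarc_result, disposition).  The display name never enters the
    computation: DMARC covers only the domain of the From address.
    """
    _display_name, addr = parseaddr(from_header)
    from_domain = addr.rpartition('@')[2]
    aspf = policy.get('aspf', 'r')
    adkim = policy.get('adkim', 'r')
    spf_ok = spf_result == 'pass' and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(res == 'pass' and aligned(from_domain, d, adkim)
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return 'pass', 'none'
    return 'fail', policy.get('p', 'none')


# Constructed scenarios (hypothetical domains and messages).
POLICY = parse_dmarc_record('v=DMARC1; p=reject; adkim=s; aspf=r')


def direct_from_ceo():
    # Sent by example.com's own MTA: SPF and DKIM both align -> pass.
    return dmarc_evaluate('Pat Example <ceo@example.com>', POLICY,
                          'example.com', 'pass', [('example.com', 'pass')])


def via_mailing_list():
    # Same From:, relayed by an MLM that tagged Subject: and added a footer.
    # The author's DKIM signature no longer verifies, and SPF now
    # authenticates the list's domain, which does not align with example.com.
    # The edge MX, applying p=reject consistently, rejects a legitimate mail.
    return dmarc_evaluate('Pat Example <ceo@example.com>', POLICY,
                          'lists.example.org', 'pass',
                          [('example.com', 'fail'),
                           ('lists.example.org', 'pass')])


def lookalike_domain():
    # Attacker registers examp1e.com and publishes its own SPF/DKIM/DMARC.
    # DMARC passes; the display name "Pat Example" is checked by nothing here.
    policy = parse_dmarc_record('v=DMARC1; p=none')
    return dmarc_evaluate('Pat Example <ceo@examp1e.com>', policy,
                          'examp1e.com', 'pass', [('examp1e.com', 'pass')])


if __name__ == '__main__':
    for scenario in (direct_from_ceo, via_mailing_list, lookalike_domain):
        print(f'{scenario.__name__:18} -> {scenario()}')
```

The second scenario is the MLM case the message refers to: the From domain is genuine, the sender's policy is p=reject, and the MX that applies that policy consistently has no authenticated identifier left to align. The third scenario shows why display names and lookalike domains are outside DMARC's contract: every check passes because the attacker legitimately controls the domain that was authenticated.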