Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields

[Dotzero <dotzero@gmail.com>]

On Fri, Jun 5, 2020 at 5:26 PM Jim Fenton <fenton@bluepopcorn.net> wrote:

> On 6/4/20 10:39 PM, Dotzero wrote:
>
>
> The goal of DMARC was (and is) to mitigate direct domain abuse. Nothing
> more and nothing less. It helps receiving systems identify a (correctly)
> participating domain's mail. That is why a DMARC policy is often described
> as a sending domain's request and local policy is so important (and can
> override that request).
>
> I'm not clear on what kind of direct domain abuse you're referring to. If
> we accept that domain names are either not visible or are ignored by the
> recipient, the domain name doesn't matter much as long as the attacker can
> get their message delivered, and DMARC doesn't apply because they're using
> their domain.
>
>
> The type of direct domain abuse where someone attempts to send a message
using <fenton@bluepopcorn.net> in the From email address field. As I wrote
earlier, the combination of SPF/DKIM/DMARC is a tool that accomplishes a
narrow goal. It is not a silver bullet that solves all forms of abuse. It
can be used to mitigate a specific type of abuse.


> For attackers that deploy DMARC it simply means that they are self
> identifying their malicious messages as theirs.
>
> No, DKIM and SPF do that. DMARC doesn't have anything to do with
> identifying messages.
>
>
> As with SPF and DKIM, some abusers were quick to implement DMARC in
addition to SPF and/or DKIM on the theory that it makes their email appear
more legitimate to receivers. Just one more nail in the coffin.


> For Sending domains, SPF/DKIM/DMARC is only one set of tools in protecting
> their brand from abuse. It protects end users from abuse. In fact, in many
> cases the individuals most susceptible to falling prey to such abuse may
> not even be customers of that sending domain. No, that greeting card you
> received isn't legit (Nobody loves you). No, that retailer isn't giving you
> a $200 gift card. This is why other tools like takedowns are so important
> and why the removal of registrant information from domain registrations has
> enabled abusers.
>
> So maybe the core question here is, does the identity in the domain name
> matter or not? It does to me personally because I look at it (whenever I
> can -- my iPhone doesn't make it easy to display) and I pay attention to
> it. But I know I'm not a typical user, and I also see increasing evidence
> of mail client software that doesn't show anything but the Friendly Name.
> So is there a "brand" associated with the email domain name any more?
>
There is. Don't get hun up on what is displayed to the end user. Think
about the reporting aspect. In my previous incarnation we were able to
initiate takedowns and/or blocking by 3rd parties much more quickly based
on DMARC reports than simply waiting for end user complaints to customer
service or abuse@.

> If the domain name doesn't matter, the binding to the From/Signer address
> doesn't either.
>
> -Jim
>
It does matter for the specific abuse scenario. Those particular abusive
mail streams never get to the end user recipient. I'm basing this on my
experience on a corpus of billions of emails sent for what had been
previously highly abused domains/brands. For other types of abuse we
implemented other types of mitigation approaches. Collectively those
approaches reduced abuse by over 95%. The goal was to reduce ROI for the
bad guys to the point that they would look for greener pastures. You are
implying/assuming that DMARC solves the problem of a wider scope of abusive
email types than it does. The Display Name (Mail From) is a particularly
thorny problem to solve in that it is not tied to anything in that it is a
free form field into which anything can be entered.

Michael Hammer