Re: [dmarc-ietf] ARC vs reject

Michael Thomas <mike@mtcc.com> Mon, 07 December 2020 05:24 UTC

To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <be9ddc32-8709-0990-c663-5c625efd6b1f@mtcc.com>
Date: Sun, 6 Dec 2020 21:23:58 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/p0eq6-CXdm8XIq6tbttY-S1WX_s>

On 12/6/20 9:05 PM, Murray S. Kucherawy wrote:
> On Sun, Dec 6, 2020 at 11:02 AM Michael Thomas <mike@mtcc.com> wrote:
>
>     Based on the work I did at Cisco 15 years ago which essentially was a
>     heuristic based form of those two drafts, I found that it worked for
>     about 90 some percent. I unfortunately do not know what the nature of
>     the remaining messages that could not be recovered (either I never did
>     the analysis or don't remember). Things may have changed some since
>     then, but that was what we got for the entire mail stream of a large
>     company. Is that "good enough"? Or better yet, what is the definition
>     of "good enough"?
>
>
> A counter-argument I've heard often to the idea of reversible 
> transformations is that it can become a spam vector, no different than 
> the argument against "l=".  For instance, if we start chopping off 
> typical list signatures ("delete everything at and after the lowest 
> line containing only hyphens"), then I can take a message from a good 
> actor, tack a spam list signature onto it, claim I'm an MLM, and it'll 
> still pass with the author domain signature when it gets delivered 
> downstream, though the spam will still be there.
>
> Another is that it's not actually easy to describe all or even most of 
> the mutations an MLM might make to a message. (Mailman sent me the 
> list of changes they might make to a message.  It's not a small list.)
>
> Yet another is that two different MLMs might implement MIME-izing 
> actions ever so slightly differently, yet both results are fully 
> compatible with MIME and indistinguishable when rendered by most MUAs.
>
> So in the limit, this comes down to defining a set of transformations 
> everyone agrees are allowed, and then all MLMs and filters 
> implementing exactly those and no more. There doesn't seem to be much 
> of an appetite in the community for this path.
>

An idea that I've been rolling around in my head is that the MLM could 
give a sed-like script to roll back the changes. Since they know their 
modifications, they can obviously express how to unmodify them. It may 
have less issue with the MIME hackery you were thinking about.

But as far as your point about spam vectors, it is surely just as true 
about ARC, right? At least with recovering the original text I have the 
ability to remove all of the transforms and deliver the original text. 
ARC not so much. It's all or nothing on the trust front.

But I really think the key thing about all of this is figuring out what 
defines success. That is the most important thing by far.

Mike
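
Added example, not part of the original message or of any MLM or DKIM implementation: a receiver-side sketch of the recovery discussed in this thread, which undoes the one transform quoted above (drop everything at and after the lowest hyphen-only line), checks the result against the author's DKIM body hash, and delivers only the recovered text. The function names and the sample message are hypothetical, and the `bh=` value is assumed to come from an author DKIM-Signature whose header signature has already been verified.

```python
import base64, hashlib, re

def relaxed_body(body: str) -> bytes:
    # DKIM "relaxed" body canonicalization (RFC 6376, section 3.4.4)
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.splitlines()]
    while lines and lines[-1] == "":
        lines.pop()                      # ignore empty lines at end of body
    return "".join(ln + "\r\n" for ln in lines).encode()

def body_hash(body: str) -> str:
    # Value a signer would place in the bh= tag for a=rsa-sha256
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def strip_list_footer(body: str) -> str:
    # Undo the one transform quoted above: drop everything at and after
    # the lowest line containing only hyphens.
    lines = body.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        if set(lines[i].strip()) == {"-"}:
            return "".join(ln + "\n" for ln in lines[:i])
    return body

def recover(received: str, author_bh: str):
    # Returns (verdict, body_to_deliver); body is None when nothing verifies.
    if body_hash(received) == author_bh:
        return "unmodified", received
    candidate = strip_list_footer(received)
    if body_hash(candidate) == author_bh:
        return "recovered", candidate    # deliver only what the author signed
    return "unrecoverable", None

# Constructed sample data (not from the thread)
ORIGINAL = "Hi all,\n\nThe draft is updated.\n\nMike\n"
FOOTER = "-------\nexample-list mailing list\nhttps://lists.example/listinfo\n"
AUTHOR_BH = body_hash(ORIGINAL)          # stands in for the signed bh= value

if __name__ == "__main__":
    for label, body in [("as sent", ORIGINAL),
                        ("with list footer", ORIGINAL + FOOTER),
                        ("edited in place", ORIGINAL.replace("updated", "withdrawn") + FOOTER)]:
        print(label, "->", recover(body, AUTHOR_BH)[0])
```

In the "recovered" case the text below the hyphen line is never covered by the author's signature, so a receiver that delivers the body as received is trusting the intermediary for that part, while one that delivers the returned body is not.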