Re: [dmarc-ietf] Rethinking DMARC for PSDs

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 08 April 2019 11:11 UTC

From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: <dmarc@ietf.org>, "Scott Kitterman" <sklist@kitterman.com>
Date: Mon, 8 Apr 2019 07:10:49 -0400
Message-ID: <4d1471de0a9c482e9a51a1a1deb2d71c@bayviewphysicians.com>
In-Reply-To: <2380056.rpXNijDuEj@kitterma-e6430>
References: <20190408005045.5EC462011B2BFE@ary.qy> <2380056.rpXNijDuEj@kitterma-e6430>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/qhSdSs-sM14CD2JiCDTutISNb6Q>
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs

Have the national CIRT groups made an issue about needing to block
non-existent domains?

Because a spammer can create a non-existent government agency like
"irs.audit.gov", this email weakness becomes a national security issue and
should be handled as a CVE. This should get the vendors moving. Has it
been done?

If not, perhaps Mr Levy would be willing to start the process on behalf of
uk.gov.

Doug Foster

----------------------------------------
From: "Scott Kitterman" <sklist@kitterman.com>
Sent: Sunday, April 7, 2019 10:00 PM
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs

On Sunday, April 07, 2019 08:50:44 PM John Levine wrote:
> In article <c588c5eeec224162bffd080693c703e1@bayviewphysicians.com> you write:
> > The problem:
> > Spammers use non-existent domains to achieve identity spoofing, such as
> >
> > tax.example.gov.uk
> >
> > This is primarily a reception problem, because many recipient mail filters
> > are not equipped to block this type of fraud. ..
>
> Right, and we can stop right there.
>
> A decent spam filter will treat a nonexistent From: domain or envelope
> bounce address as extremely suspicious and send the message into spam
> folder purgatory. If someone's filters aren't doing that, it is
> unlikely that they're paying much if any attention to DMARC, and no
> amount of fiddling with DMARC will make any difference.
>
> My mail server rejects anything with a non-existent bounce address at
> SMTP time and I don't think it's ever rejected anything my users would
> want.
>
> The solution to this problem is for mail systems to fix their filters,
> not to invent yet another mail-breaking hack that they won't use
> anyway.

Which mail-breaking hack is that? Since PSD DMARC almost entirely applies to
domains that don't send mail, I don't think it breaks anything. It is in part
a tool to make hard rejects easier for receivers that don't typically reject
solely due to non-existence and in part a tool to provide feedback to PSD
operators so they can understand patterns of abuse in their namespace.

As I understand it, rejecting mail from non-existent domains is a
long-standing, well-known tool for receivers. I hear you saying it works for
you in your circumstances, but that doesn't mean it scales. Given that
rejecting non-existent domains is a well-established option, but not everyone
does it, what basis for optimism do you have that 'fix their filters' will
change anything?

If fixing filters was enough, would anyone have bothered to publish:

$ dig txt _dmarc.gov.uk +short
"v=DMARC1\;p=reject\;sp=none\;adkim=s\;aspf=s\;fo=1\;rua=mailto:dmarc-rua@dmarc.service.gov.uk\;ruf=mailto:dmarc-ruf@dmarc.service.gov.uk"

All PSD DMARC would do is make that record apply to domains lower in the tree
without their own DMARC record. It's not that complicated.

Fielding of DMARC did a huge amount of damage to the e-mail ecosystem that I'm
not convinced it will ever fully recover from, but PSD DMARC doesn't add to
it.

Scott K

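
Added example (not part of the original thread and not any project's code): a simplified sketch of DMARC policy discovery with the PSD fallback described in the quoted reply, run against a constructed offline TXT table. Only the `_dmarc.gov.uk` record is taken from the message; `PSDS`, `signed.example.gov.uk` and all function names are assumptions made for illustration.

```python
# Constructed offline TXT data. Only the gov.uk record comes from the message
# (dig prints its semicolons escaped); the second entry is hypothetical.
TXT = {
    "_dmarc.gov.uk": "v=DMARC1;p=reject;sp=none;adkim=s;aspf=s;fo=1;"
                     "rua=mailto:dmarc-rua@dmarc.service.gov.uk;"
                     "ruf=mailto:dmarc-ruf@dmarc.service.gov.uk",
    "_dmarc.signed.example.gov.uk": "v=DMARC1;p=quarantine",
}
PSDS = {"gov.uk"}  # assumption: stand-in for a public suffix list


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    """Organizational domain = longest matching PSD plus one label, else None."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PSDS:
            return ".".join(labels[i - 1:])
    return None


def discover(from_domain, psd_fallback):
    """Return (requested policy, record name) for a From: domain, or (None, None)."""
    domain = from_domain.lower().rstrip(".")
    org = org_domain(domain)
    names = [domain] + ([org] if org and org != domain else [])
    if psd_fallback and org:
        names.append(org.split(".", 1)[1])  # the PSD above the org domain
    for name in names:
        tags = parse_dmarc(TXT.get("_dmarc." + name, ""))
        if tags:
            # p= covers the record owner itself; sp= (if present) its subdomains.
            policy = tags.get("p") if name == domain else tags.get("sp", tags.get("p"))
            return policy, "_dmarc." + name
    return None, None


if __name__ == "__main__":
    for d in ("tax.example.gov.uk", "signed.example.gov.uk", "gov.uk"):
        print(d, discover(d, psd_fallback=False), discover(d, psd_fallback=True))
```

With the record as published, the fallback resolves `tax.example.gov.uk` to `none` rather than `reject`, because `sp=none` governs subdomains: the PSD operator would receive reports, but receivers are not asked to reject on that record alone.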