Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields

Dave Crocker <dcrocker@gmail.com> Tue, 02 June 2020 22:01 UTC

To: Seth Blank <seth@valimail.com>, "dmarc@ietf.org" <dmarc@ietf.org>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <33127379-a381-2d6c-a418-8525ac2d5693@gmail.com>
Date: Tue, 02 Jun 2020 15:01:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rCiQZxnIZgsZ2J0BGpZ_2s6HlZw>
Subject: Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields

Wow. I'll ask folk to reread my text, here, carefully, since it 
specified something quite narrow and concrete, but is somehow being 
taken to have meant something broad and general:

> On Tue, Jun 2, 2020 at 1:46 PM Dave Crocker <dcrocker@gmail.com> wrote:
>> However there appears to be no actual evidence that lying in the From 
>> field affects end user behaviors, and certainly none that lying in 
>> the From field about the domain name does.


And again, there are all sorts of threats and all sorts of bad 
behaviors, but the question is whether a particular kind of bad actor 
behavior affects recipient end-user behavior.

And the specific kind is lying about the From: field domain name.

Please point to specific research -- not an extended report with lots of 
varying content.


On 6/2/2020 2:30 PM, Seth Blank wrote:
> There are decades of data that prove just this.

As I said, we did an extensive literature search at the beginning of the 
BIMI and there was no supporting research.

So now let's look at the purported counter-example you provided:

> On the abuse side, Microsoft, Google, Proofpoint, Mimecast, and others 
> (including Valimail) have all published reams of research reports over 
> the years. On the marketing side, there's another decade or two of 
> data about how properly crafting the From materially impacts open 
> rates on messages, which means user behavior is certainly impacted by 
> what's in the From and display name.
>
> There's more data here than can be meaningfully summarized. So to pick 
> one at random about usage of these methods in abuse, read page 11 of 
> this report: 
> https://www.proofpoint.com/sites/default/files/pfpt-us-tr-q117-threat-report.pdf

Doesn't contain the word 'behavior'.

Doesn't contain 'from:'

Only 'author' is a reference to malware creators, not recipients.

'Recipient' gets a brief sidebar reference to mail pretending to be from 
a top executive. Another sidebar with the word explains 'spoofing' as 
impersonation (which, of course, is what it means in the real world, but 
not in the email abuse world, which has a much broader definition).

I'll stop now and note that the reference you gave appears to have 
nothing to do with the specific behavioral issue I cited.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net