Re: [dmarc-ietf] non-mailing list use case for differing header domains

Jesse Thompson <jesse.thompson@wisc.edu> Mon, 17 August 2020 23:39 UTC

To: John Levine <johnl@taugh.com>, dmarc@ietf.org
References: <20200808023259.1D07F1E60C2D@ary.qy>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <977bbb4f-c393-0314-df72-17f342f2f975@wisc.edu>
Date: Mon, 17 Aug 2020 18:39:16 -0500
In-reply-to: <20200808023259.1D07F1E60C2D@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vAxSUxgaEANWFYUSDadql7S6YJg>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains

On 8/7/20 9:32 PM, John Levine wrote:
>> We need spoofing protection for all of our domains without being told we're misdeploying.
>
> I would be interested to better understand the meaning of "need"
> here. It is my impression that most people vastly overestimate how
> much of a phish target they are. Paypal and big banks certainly are, 
> other places, a lot less so.

(Sorry, I was on a much-needed vacation.)

Ok, that's fair, I should have realized that one was over-stated.  *Need* would imply that domain-spoofing is more common than it is in reality.

Cybersecurity-minded folk in EDU tend to equate observed inbound phishing with spoofing (even though most phishing is spoofing the display name and message bodies, not the domain) and conclude that they *need* DMARC without really understanding the nuances.  Given the opportunity that DMARC marketing promises, they definitely *want* inbound DMARC enforcement for domain-spoofing of inbound mail (they'll defer to the email-minded folk to figure out the local policy exemptions, ARC, etc), as well as *want* domain policies that prevent the potential domain spoofing scenarios of owned domains (again, the email-minded folk will figure out how to actually "misdeploy" DMARC).  To them, it's just a checkmark towards some "maturity" benchmark that they use to compare to their peers.

Email-minded folk in EDU, knowing that DMARC doesn't really have much practical application to phishing, like having the observability that DMARC provides, as well as the hammer that moving past p=none provides as a way to coerce their complex, decentralized institution into a more sustainable operation: 

* Departments sending transactional email - move them to dedicated subdomains (this is where really complex institutions would benefit from walking the domain tree instead of always inheriting from the org domain)

* People sending user email from random places - move them to authenticated submission (preferably OAuth - since basic authentication is the reason why so many passwords are exposed)

The latter scenario is interesting because a single user sending from a random place doesn't really show up in DMARC aggregate reports.  It may show up in forensic reports, but it is easily lost in the noise.  (SPF macros might be another way to get fine-grained observability, but that's a privacy leakage IMO.)

In the end, it still results in:
* That person wouldn't end up on our radar for communication
* That person wouldn't understand what the message is about, even if we did communicate with them
* That person wouldn't comply, even if they understood
* Once enforcement is in place, that person will complain and leverage every ounce of their political influence to resist.  (It's really fun when your own users threaten lawsuits against you - that doesn't happen in Corporate IT.)

I'm kind of rambling now, I see.  Hope you find it enlightening, regardless!

Jesse
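An added illustration (not part of Jesse's message) of the "walking the domain tree" point above: RFC 7489 policy discovery queries the exact RFC5322.From domain and then jumps straight to the organizational domain, so a DMARC record published at an intermediate subdomain is never consulted for its children, and the org record's sp= tag governs them instead. The DNS table, the example.edu names, the one-entry public-suffix stand-in and the simplified tree walk are all constructed for this example.

```python
# Constructed _dmarc TXT records for an imaginary institution (not real DNS data).
DNS = {
    "_dmarc.example.edu": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc-rua@example.edu",
    "_dmarc.billing.example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.edu",
}
PUBLIC_SUFFIXES = {"edu"}  # stand-in for a real Public Suffix List lookup


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict (whitespace-tolerant)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lookup(domain):
    """Return the parsed DMARC record at _dmarc.<domain>, or None if absent/invalid."""
    txt = DNS.get("_dmarc." + domain)
    if txt is None:
        return None
    tags = parse_dmarc(txt)
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def org_domain(domain):
    """Organizational domain: one label longer than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain


def rfc7489_policy(from_domain):
    """RFC 7489 s6.6.3: exact domain, else org domain; org record's sp= covers subdomains."""
    rec = lookup(from_domain)
    if rec is not None:
        return rec["p"], from_domain
    org = org_domain(from_domain)
    if org != from_domain and (rec := lookup(org)) is not None:
        return rec.get("sp", rec["p"]), org
    return None, None


def tree_walk_policy(from_domain):
    """Simplified tree walk (constructed): try each ancestor down to the org domain."""
    org = org_domain(from_domain)
    labels = from_domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rec = lookup(candidate)
        if rec is not None:  # sp= applies only when the record is an ancestor's
            return (rec["p"] if candidate == from_domain else rec.get("sp", rec["p"])), candidate
        if candidate == org:
            break
    return None, None
```

For invoices.billing.example.edu the two procedures disagree: RFC 7489 returns the org record's sp=quarantine, while the tree walk finds billing.example.edu's p=reject.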