Re: [dmarc-ietf] Signaling MLMs

Alessandro Vesely <vesely@tana.it> Wed, 19 April 2023 09:09 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9E6AC159A1D for <dmarc@ietfa.amsl.com>; Wed, 19 Apr 2023 02:09:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="qdPWlt79"; dkim=pass (1152-bit key) header.d=tana.it header.b="BuIR91aB"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jxdRa5C7FEHb for <dmarc@ietfa.amsl.com>; Wed, 19 Apr 2023 02:09:29 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7995C159495 for <dmarc@ietf.org>; Wed, 19 Apr 2023 02:09:25 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1681895362; bh=FXJ3QGR0DORkISSDSZ5qPnSvSpuMZyuG15cbJwdK6dA=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=qdPWlt79X72IijgEKlzA9XYK/K5ubIZs3foDjaLm6PJOXqiZh0F5hoyCIyUiXGzG4 R9koedf3hyWhRG4/T3FBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1681895362; bh=FXJ3QGR0DORkISSDSZ5qPnSvSpuMZyuG15cbJwdK6dA=; h=Date:Subject:To:References:From:In-Reply-To; b=BuIR91aBNfz5dEcjDWDPGWNHMH8uX+7U0IXipy9JsNmRiRWS84M/CEbOkgEuK6Chk Om/n/qxXvjX8AscLu7/r1uY9arWsH4y2zLvzIg803w52+/UwDS/6N33l3EWRDMydtI jShbOFrbMNjSg98gjCxDImifwyGI2o565rZ16yOsuvFKJ1wrx2nVIzgT+hzNW
Original-Subject: Re: [dmarc-ietf] Signaling MLMs
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC143.00000000643FAFC2.000016C2; Wed, 19 Apr 2023 11:09:22 +0200
Message-ID: <dee4a66a-4741-264f-07d6-19c4db957748@tana.it>
Date: Wed, 19 Apr 2023 11:09:21 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <5DAE096A-B547-4569-A3C6-34ED9EC91B2D@isdg.net> <AA303EAF-76DA-4FAD-877D-C7B0143E21D3@marmot-tech.com> <643CB79E.7060309@isdg.net> <01ffe451b5f6e748cdcd295221f085e4@junc.eu> <D791743D-9E7F-4724-8181-44EF6148F5B3@isdg.net> <c19d02bdc96f8f016af430710ccb4247@junc.eu> <10c5dcb4-4eca-b6f4-6a76-29faf2700f76@tana.it> <A8C8D8CA-47D5-40FC-B164-E8CB221B3F35@isdg.net> <0e65af20ba017692818670b156151e4f@junc.eu>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <0e65af20ba017692818670b156151e4f@junc.eu>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/x9aNmT3ZVpLgTGY4sCr3YBnO4yY>
Subject: Re: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2023 09:09:34 -0000

On Wed 19/Apr/2023 01:13:48 +0200 Benny Pedersen wrote:
> Hector Santos skrev den 2023-04-18 20:47:
> 
>> So your verifier see Benny’s as suspicious because of arc=fail?
> 
> it does imho not fail on my own arc ?


My filter attempts to recover DKIM signatures after MLM transformation, but not 
ARC chains.  Currently, ARC is evaluated but its result doesn't modify message 
worthiness.


>> Benny is telling the world “ietf.org [1] is authorized to re-sign on 
>> my behalf” via DNS.  No headers required.  No delayed learning 
>> necessary.


How would I get a clue of that?


> if all mailing lists did ARC on incoming mails before Mailman scrambled DKIM, 
> then all would be good; the only thing left is that DMARC does not test ARC 
> results in all places


It is all too easy to spoof an ARC chain offering false authentication results. 
Allowing ARC to override the DMARC result requires the ARC signer to be whitelisted.

Now, one can object that whitelisting could be done by DKIM, by SPF, by DNSWL, 
without the need to introduce a new, long-winded protocol.  However, ARC brings 
a couple of advantages:

1) In case of multiple forwarding steps, ARC delivers an ordered and cohesive 
chain which is easier to verify than a messy mass of DKIM signatures.

2) Authentication results, which normally are deleted or renamed on crossing 
ADMD barriers, can be exported.  As they can sometimes be checked against 
message transformation, fraudsters can in the long run be debunked.


Best
Ale
--
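The check described in the message above (ARC may only override a DMARC failure when the chain is well formed and the sealers are on an allowlist), as an added example that is not part of the original post and not the author's filter. It parses the three ARC header fields of each instance, verifies the chain shape required by RFC 8617 (instances 1..N present and unique, cv=none on the first seal, cv=pass on every later one, no more than 50 hops), and then applies the allowlist before using the DMARC result recorded by the oldest hop. All domains, timestamps and b=/bh= values in the sample headers are constructed, and the block deliberately does not verify the ARC-Seal and ARC-Message-Signature cryptography; a real verifier must do that as well.

```python
"""Structural checks on an ARC chain (RFC 8617) before letting it override a
failing DMARC result.  Added example; it checks chain shape and a sealer
allowlist only and does NOT verify the seal/signature cryptography."""
import re
from collections import defaultdict

ARC_FIELDS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
MAX_INSTANCE = 50  # RFC 8617 section 5.1.1: longer chains are invalid

# Constructed sample, newest header first.  Domains and b=/bh= data are made
# up: i=1 was sealed by a list, i=2 by a forwarder that received the list copy.
SAMPLE_HEADERS = [
    ("Authentication-Results",
     "mx.receiver.example; dkim=fail reason=\"body hash did not verify\" "
     "header.d=sender.example; spf=pass smtp.mailfrom=forwarder.example; "
     "dmarc=fail header.from=sender.example"),
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=arc; "
                 "t=1681895500; b=AAAA"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; c=relaxed/relaxed; "
                              "d=forwarder.example; s=arc; "
                              "h=from:to:subject:date; bh=BBBB; b=CCCC"),
    ("ARC-Authentication-Results", "i=2; forwarder.example; arc=pass; "
                                   "dkim=fail header.d=sender.example; "
                                   "dmarc=fail header.from=sender.example"),
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; "
                 "t=1681895400; b=DDDD"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; c=relaxed/relaxed; "
                              "d=lists.example.org; s=arc; "
                              "h=from:to:subject:date; bh=EEEE; b=FFFF"),
    ("ARC-Authentication-Results", "i=1; lists.example.org; "
                                   "spf=pass smtp.mailfrom=sender.example; "
                                   "dkim=pass header.d=sender.example; "
                                   "dmarc=pass header.from=sender.example"),
]


def parse_tag_list(value):
    """Parse a 'k=v; k=v' tag list (ARC-Seal, ARC-Message-Signature).
    Folding whitespace inside values (b=, bh=) is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def parse_authres(value):
    """Parse an (ARC-)Authentication-Results value: optional 'i=N', then the
    authserv-id, then 'method=result [ptype.prop=value ...]' clauses."""
    items = [s.strip() for s in value.split(";") if s.strip()]
    if not items:
        raise ValueError("empty Authentication-Results value")
    instance = None
    if items[0].startswith("i="):
        instance = items[0][2:].strip()
        items = items[1:]
    results = {}
    for clause in items[1:]:
        method, result = clause.split()[0].split("=", 1)
        results[method] = result
    return {"i": instance, "authserv_id": items[0], "results": results}


def check_arc_chain(headers):
    """Validate chain shape: instances 1..N complete and unique, i=1 sealed
    with cv=none, every later seal cv=pass.  Returns (ok, reason, sets)."""
    sets = defaultdict(dict)
    for name, value in headers:
        if name not in ARC_FIELDS:
            continue
        parsed = (parse_authres(value) if name == "ARC-Authentication-Results"
                  else parse_tag_list(value))
        try:
            i = int(parsed["i"])
        except (KeyError, TypeError, ValueError):
            return False, f"{name} without a valid i= tag", {}
        if i < 1 or name in sets[i]:
            return False, f"bad or duplicate {name} for instance {i}", {}
        sets[i][name] = parsed
    if not sets:
        return False, "no ARC headers present", {}
    n = max(sets)
    if n > MAX_INSTANCE:
        return False, f"chain length {n} exceeds {MAX_INSTANCE}", {}
    for i in range(1, n + 1):
        if set(sets.get(i, {})) != set(ARC_FIELDS):
            return False, f"instance {i} missing or incomplete", {}
        cv = sets[i]["ARC-Seal"].get("cv")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return False, f"instance {i} has cv={cv}, expected {expected}", {}
    return True, f"chain of {n} well-formed", dict(sets)


def effective_dmarc(headers, trusted_sealers):
    """Local DMARC result, overridden by the oldest ARC hop's recorded DMARC
    result only when the chain is well-formed and every sealer is trusted
    (an untrusted sealer could have lied in its AAR or altered the body)."""
    local = next((parse_authres(v) for n, v in headers
                  if n == "Authentication-Results"), None)
    local_dmarc = local["results"].get("dmarc", "none") if local else "none"
    if local_dmarc == "pass":
        return "pass", "local DMARC evaluation passed; ARC not needed"
    ok, reason, sets = check_arc_chain(headers)
    if not ok:
        return local_dmarc, f"ARC not usable: {reason}"
    sealers = [sets[i]["ARC-Seal"].get("d") for i in sorted(sets)]
    untrusted = [d for d in sealers if d not in trusted_sealers]
    if untrusted:
        return local_dmarc, f"untrusted sealer(s) {untrusted}; ARC ignored"
    origin = sets[1]["ARC-Authentication-Results"]["results"].get("dmarc", "none")
    return origin, f"ARC override: hop 1 ({sealers[0]}) recorded dmarc={origin}"


if __name__ == "__main__":
    print(effective_dmarc(SAMPLE_HEADERS, {"lists.example.org", "forwarder.example"}))
    print(effective_dmarc(SAMPLE_HEADERS, {"lists.example.org"}))
```

With both sealers on the allowlist the local dmarc=fail is overridden by the dmarc=pass that the list recorded before it rewrote the message; drop the forwarder from the allowlist, or swap in a sealer domain that is not on it, and the chain is ignored, which is exactly why a spoofed chain buys an attacker nothing without a trusted sealer.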