Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

Jesse Thompson <jesse.thompson@wisc.edu> Fri, 31 July 2020 22:00 UTC

To: dmarc@ietf.org
References: <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> <20200717210053.674D61D2C431@ary.qy> <CAL0qLwbkhG-qUyGqxaEjcFn2Lb7wPMhcPFEMA8eqptBJpePPxA@mail.gmail.com> <8efcf71c-f841-46a4-10b7-feb41a741405@gmail.com> <CAL0qLwbK7GQXkiS+H8GtsvHMzWr4o431Shc7Cc9MhqsTiHfzFw@mail.gmail.com> <bc7ed18c-8f1d-b41b-0a4b-3aa180a63563@gmail.com> <CAL0qLwYgs7py1aTQ87pykNT_0dpnrKz=+1DxMMSQMgbwz4XZDg@mail.gmail.com> <381c7792-5bd8-a1be-6b93-b7df015a2333@gmail.com> <d8bab034-7539-fbb4-faa0-daf6aa51e087@wisc.edu> <CAMSGcLAfhvsJhzB0Ukaer_ZCS276vZ5i=k08KAcWudJ0mLvLEw@mail.gmail.com>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <d07d0034-f9c2-5111-8c7e-4e8266dc2f05@wisc.edu>
Date: Fri, 31 Jul 2020 17:00:37 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Thunderbird/80.0a1
In-reply-to: <CAMSGcLAfhvsJhzB0Ukaer_ZCS276vZ5i=k08KAcWudJ0mLvLEw@mail.gmail.com>
Content-type: text/plain; charset="utf-8"
Content-language: en-US
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xTFNb72VsvwfYdq1Dhfw6z8s2Og>
Subject: Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>

On 7/23/20 8:07 AM, Joseph Brennan wrote:
>> I think that we just have to agree that From-munging by MLMs is a permanent reality.  It needs to be documented more prominently (and promoted as part of the DMARC marketing) so that implementations are more consistent, so that un-munging tactics and/or MUA behavior can be consistently implemented.
>>
> I'd be happier for the proposed standard to say that DMARC policy
> "SHOULD NOT" be compromised by rewriting From lines-- and see how that
> goes over. My reasoning is that blessing the practice makes it easier
> for bad actors to craft spoofed mail and get it accepted. The opposite
> of the purpose of DMARC, isn't it?

(sorry, I forgot to reply earlier)

I realize that your worry is valid if anyone attempted to un-munge the messages and then use the un-munged state somehow to validate authenticity.  I assume that un-munging would only be attempted locally if the message passes DMARC and is trusted by local policy.  (Similarly, as I've suggested in other contexts, it would be nice if the Receiver could preemptively communicate this trust to the Intermediary so that the munging didn't need to occur in the first place and ARC could come to fruition, but I digress.)

As others have said, munged messages sent via a MLM aren't much different than someone posting to a web form and it then distributing the post to a set of email recipients.  That web form isn't expecting to be able to use the author's domain, and the pattern it uses in the Friendly From is somewhat arbitrary and could be co-opted by spammers.  

I don't think that bad actors crafting is a huge worry since I think that in both scenarios it would just fall back on the reputation of the domain (and other factors). 

(just spitballing... it's getting late on a Friday...) Perhaps an interesting local policy enforcement (to get at your concern) would be to require that messages with certain Friendly From patterns be DMARC aligned (regardless of policy) since I could assume that any MLM (that I care about) that's DMARC aware enough to munge would also have aligned SPF and/or DKIM results.

Jesse
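
The local policy floated in the last paragraph of the message above, as an added example that is not part of the original message or of any DMARC implementation. The "via" display-name pattern, the authserv-id mx.example.net, the simplified subdomain-based alignment test and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the display-name pattern a From-munging MLM leaves behind,
# and the authserv-id our own border MTA stamps (both hypothetical).
MUNGED_NAME = re.compile(r"\bvia\b", re.IGNORECASE)
TRUSTED_AUTHSERV = "mx.example.net"

def related(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    A real check compares organizational domains via the Public Suffix List."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def passing_domains(msg):
    """Domains with dkim=pass or spf=pass, read only from our own A-R headers."""
    found = []
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host (possibly forged): ignore
        found += re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I)
        spf = re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=([\w.@+-]+)", results, re.I)
        found += [m.rpartition("@")[2] for m in spf]
    return found

def decide(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    if not MUNGED_NAME.search(name):
        return "not-applicable"   # no munged look: ordinary DMARC handling
    from_domain = addr.rpartition("@")[2]
    if any(related(from_domain, d) for d in passing_domains(msg)):
        return "pass"
    return "fail"                 # munged look without alignment, whatever p= says

# Constructed sample messages (reserved example domains only).
LISTED = ('Authentication-Results: mx.example.net; dkim=pass header.d=lists.example.org;\n'
          ' spf=pass smtp.mailfrom=bounces@lists.example.org\n'
          'From: "Jane Doe via dmarc" <dmarc@lists.example.org>\n\nhello\n')
SPOOFED = ('Authentication-Results: mx.other.example; dkim=pass header.d=unrelated.example\n'
           'Authentication-Results: mx.example.net; dkim=pass header.d=bulk.example.com;\n'
           ' spf=none smtp.mailfrom=bulk.example.com\n'
           'From: "Jane Doe via dmarc" <jane@unrelated.example>\n\nhello\n')
PLAIN = 'From: Jane Doe <jane@example.com>\n\nhello\n'

if __name__ == "__main__":
    for label, raw in (("listed", LISTED), ("spoofed", SPOOFED), ("plain", PLAIN)):
        print(label, decide(raw))
```

The check relies on the border MTA stripping or renaming inbound Authentication-Results headers that carry its own authserv-id, as RFC 8601 requires.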