Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains By DNS)
Ben Schwartz <bemasc@google.com> Wed, 04 March 2020 04:55 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E77483A0E39 for <dnsop@ietfa.amsl.com>; Tue, 3 Mar 2020 20:55:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.339
X-Spam-Level:
X-Spam-Status: No, score=-17.339 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tGw5PSzvho1K for <dnsop@ietfa.amsl.com>; Tue, 3 Mar 2020 20:55:41 -0800 (PST)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8723A0E38 for <dnsop@ietf.org>; Tue, 3 Mar 2020 20:55:41 -0800 (PST)
Received: by mail-wr1-x42c.google.com with SMTP id v2so667799wrp.12 for <dnsop@ietf.org>; Tue, 03 Mar 2020 20:55:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uHG4aAA13kn16Xz8tSOmiLZbjn0Xc3B22oqNycnhnJ4=; b=sFznMrZnKBqx8V2RZkYdnat1KZ2/INWcy+F4JeHk/nrw267YPCLh9Sy7CZA1ZruRQP EoziCpVj+MEdq8NOg+sTUgRG7iC3XmTQprE14HVBQqdX5kJ+hZGDsWjdVpi7L/a5FFB2 XgDkGvDFewGtSyDDmKa+PpUql8DB438L3vp6y2ncscmJuc1oWm6Hy1YrY8l8Qk5QHs7D nTIKp/Yxo0/VEDFcNb+X30blmRzDLGlq32NskxazBS4djYoX60TzW3r81u+t4NlvL0MZ Fdfq6Mnoyr5RYtSzbcTrwvidiPahACx/Sns9taTLbhHBxGEIF+kbuwmDggnKO0ne2/cB XW2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uHG4aAA13kn16Xz8tSOmiLZbjn0Xc3B22oqNycnhnJ4=; b=C1S0CClcaeO/+DuFYAFlab82qJfsP0gIE3twJg/npFP+l+Sbz8gXCocbgmGvRFss0I ImFALMLtfYbWGdEtwol0JmndOGFvjZcRg+yHyePuGfDtgye8N9TFvFZhBW2VQsiWl350 vmoIRdaLxJNOQVRgjW9LjTsKmvG5XyBKlKdQBqymWJXVaAphitihXaDFqoYDQkTGBxCz LhwYsB8PNfzYTJpsPZS+U1HtyWkmA70o4hguLYknUHDcd9MyATDfXwF3wE96rqxUfz/E 5VrRE49pBGaaioBR6SlOaJCHWB580TRg4JGOLAOxq+HL3LS2GHykrHMGK/WINXKOpJlZ +g0A==
X-Gm-Message-State: ANhLgQ02MNzV52F9EkwXjS++gQdGtkwssMaLBLLekJYo7s9NL1r73+A6 rNGms6pZmlWVuSpXJge65gt9qlumbKlOogcYcz02GQ==
X-Google-Smtp-Source: ADFU+vsNGvcoa4OhY7NWP7+BMzXuajSOY2qzBrnnLTuD/KHHp/Qv/lTlMx4dzXMAZD4rmuFa9l+I5g5AzXFfN0dRBGA=
X-Received: by 2002:a5d:4fce:: with SMTP id h14mr1853259wrw.177.1583297739248; Tue, 03 Mar 2020 20:55:39 -0800 (PST)
MIME-Version: 1.0
References: <SN6PR11MB263815A3157874070BE86908F7E40@SN6PR11MB2638.namprd11.prod.outlook.com><CAHbrMsBa0rmhP9=qq_g9dBjiui84A7XqW1eC=18EENoOnKTuxg@mail.gmail.com> <SN6PR11MB2638E17F7238590571642988F7E50@SN6PR11MB2638.namprd11.prod.outlook.com>
In-Reply-To: <SN6PR11MB2638E17F7238590571642988F7E50@SN6PR11MB2638.namprd11.prod.outlook.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 03 Mar 2020 23:55:27 -0500
Message-ID: <CAHbrMsDDPHboGFgdP6-n7PyK7V7rr-8CkcKttezxi_k+ZRaKyQ@mail.gmail.com>
To: "Brotman, Alex" <Alex_Brotman@comcast.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000005e314c05a0003bf5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iu_nDHqiXUMUUFK0lRqbZMjmKs8>
Subject: Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains By DNS)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 04:55:44 -0000
It sounds like you're proposing that this would be used as part of an anti-phishing e-mail filtering system. That seems like a fine use-case, and I would suggest spelling it out precisely in the draft, instead of the current (vague) use cases. I'm still not entirely clear on how this is supposed to work, which is why I would appreciate the worked example. It seems like, in addition to RDBD, your filter also needs some kind of "appears-related" heuristic, and a list of "high-trust" domains, on the theory that one should block messages containing repudiated domains that look similar to a high-trust domain. However, I don't think this is likely to be a reasonable use of the existing rdbd-tags, neither of which amounts to an accusation of phishing per se. (Consider, for example, the entire ".sucks" TLD.) Regardless of the use case, I think a more detailed example would be helpful for understanding what heuristics are needed, and to what extent RDBD would make the use case easier. On Tue, Mar 3, 2020 at 10:09 PM Brotman, Alex <Alex_Brotman@comcast.com> wrote: > From the perspective of messaging anti-abuse, this can help when that > department goes to an outside source. If I see “example.com” and “ > example-hr.com”, is there an easy way today to ensure they’re actually > related if they’re not registered through the same firm or hosted at the > same NS systems? If one can’t definitively determine that, you might > decide that they are spam/phishing messages, and treat them more harshly > when trying to determine if they are legit/spam. For example, I’m pretty > sure that “google.com” and “google-events.com” aren’t related based on > the content of the latter’s website, but if I were to receive an email > message from google-events.com, it might not be as easy to tell. As for > cousin domains, if you already know that the malicious domain exists, you > can assert a negative relationship. If “example.com” does not know “ > examp1e.com” exists, there would be neither a positive or negative > relationship asserted, but the lack of a positive (when others are stated > positively/negatively), could be used as some signal by the evaluator. > > > > -- > > Alex Brotman > > Sr. Engineer, Anti-Abuse & Messaging Policy > > Comcast > > > > *From:* Ben Schwartz <bemasc@google.com> > *Sent:* Tuesday, March 3, 2020 5:38 PM > *To:* Brotman, Alex <Alex_Brotman@comcast.com> > *Cc:* dnsop@ietf.org; Stephen Farrell <stephen.farrell@cs.tcd.ie> > *Subject:* [EXTERNAL] Re: [DNSOP] RDBD (Related Domains By DNS) > > > > Thanks for the draft. I haven't been following this, and I found it > interesting. > > > > I would appreciate more fully worked use cases to explain the motivation. > What is the use in correlating different domains? How would one use this > to prevent "cousin" attacks? > > > > On Tue, Mar 3, 2020 at 2:12 PM Brotman, Alex <Alex_Brotman@comcast.com> > wrote: > > Hello, > > A while ago, Stephen and I had sent out a few versions of this, and we had > some discussions and revisions were made. At the time, discussion waned, > however I wanted to pick this up again before the onset of IETF107. > > https://datatracker.ietf.org/doc/draft-brotman-rdbd/ > > I've had some folks contact me privately, and I saw an inquiry on another > list. There does seem to be some interest, at least in the anti-abuse and > research communities, of making this a functional proposition. > > To recap, the rough idea is that implementers would be able to positively > or negatively confirm relationships between domains. In the world of > anti-abuse and research, these links are not always obvious. For example, > in a large corporation, some teams may go outside acceptable practice and > register a domain through another provider. Or it may be that you have > international branches that operate on a different TLD, but you may not > have registered with all TLDs. In the latter case, being able to both > positively and negatively state a relationship could be useful for > anti-spam/phishing. > > Any questions or comments would be greatly appreciated. Thank you. > > -- > Alex Brotman > Sr. Engineer, Anti-Abuse & Messaging Policy > Comcast > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > >
- [DNSOP] RDBD (Related Domains By DNS) Brotman, Alex
- Re: [DNSOP] RDBD (Related Domains By DNS) Ivanov, Pavel
- Re: [DNSOP] RDBD (Related Domains By DNS) Ben Schwartz
- Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains … Brotman, Alex
- Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains … Ben Schwartz
- Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains … Stephen Farrell
- Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains … Brotman, Alex
- Re: [DNSOP] RDBD (Related Domains By DNS) Martin Thomson