Re: [ietf-dkim] [dmarc-ietf] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

"Murray S. Kucherawy" <superuser@gmail.com> Wed, 16 November 2016 20:58 UTC


On Thu, Nov 17, 2016 at 3:09 AM, Terry Zink <tzink@exchange.microsoft.com>
wrote:

> > This means ARC will be needed not only for mailing lists which modify
> > the header or body of an email, but for EVERY mailing list and EVERY
> > forwarded email or EVERY TIME the recipient has been modified and the
> > email leaves the ADMD boundary. From a DMARC point of view DKIM will
> > not be needed anymore because it has now the same function as SPF -
> > verifying the origin of direct emails - and SPF is easier to implement
> > for most administrators.
>
> +1.
>
> It basically (almost) turns DKIM into SPF. That's not that appealing a
> solution.


Yep, it does.  And as we've already said on this thread, "Don't do that"
(i.e., don't sign spam in the first place) is far and away the preferred
solution, but it does happen, resulting in increased reputation-enhanced
spam delivery to inboxes.  So we have a choice now between not doing
something like this, which enables the attack described in the document to
continue, or doing something like this and making DMARC have to go through
some kind of unpleasant permutation.

It's funny you should mention ARC, because this was first raised on the
mailing list where ARC is developed, and then discussed further at MAAWG
this fall, and then brought to us to brainstorm on a solution.  So far,
this is where we've landed as being the least damaging thing to do when
"don't sign spam in the first place" is rejected as a solution.

Maybe we should take this back to the MAAWG technical discussions list.
I'll do that later today.

-MSK
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
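To make the trade-off discussed above concrete, here is an added example (my own, not code from the draft or from any poster in the thread) that contrasts a classic DKIM-style signature over headers and body with one that is also bound to the envelope recipients, and checks both across direct delivery, forwarding, a list that edits the body, and delivery to recipients outside the original envelope. It assumes HMAC-SHA256 as a stand-in for DKIM's RSA signature, a simplified relaxed canonicalisation, and a made-up "rcpts" field; none of these are the draft's actual syntax.

```python
import hashlib
import hmac

# Constructed signing key; HMAC-SHA256 stands in for DKIM's RSA signature so the
# example runs with the standard library only (assumption, not real DKIM).
SIGNING_KEY = b"constructed-example-key"
SIGNED_HEADERS = ("from", "subject")


def canonical(value: str) -> str:
    """Relaxed-style canonicalisation: collapse runs of whitespace, strip ends."""
    return " ".join(value.split())


def signature_input(msg: dict, rcpts=None) -> bytes:
    """Bytes the signer covers. With rcpts=None this is the classic DKIM shape
    (selected headers + body hash); passing the envelope recipients appends a
    made-up "rcpts" field, which models the recipient-binding idea under
    discussion in the thread."""
    parts = [f"{h}:{canonical(msg[h])}" for h in SIGNED_HEADERS]
    parts.append("bh:" + hashlib.sha256(canonical(msg["body"]).encode()).hexdigest())
    if rcpts is not None:
        parts.append("rcpts:" + ",".join(sorted(r.lower() for r in rcpts)))
    return "\n".join(parts).encode()


def sign(msg: dict, rcpts=None) -> str:
    return hmac.new(SIGNING_KEY, signature_input(msg, rcpts), hashlib.sha256).hexdigest()


def verify(msg: dict, sig: str, rcpts=None) -> bool:
    return hmac.compare_digest(sign(msg, rcpts), sig)


def delivery_outcomes() -> dict:
    """For each case return (classic_verifies, recipient_bound_verifies).
    The constructed message is signed once at origin for bob@example.net."""
    msg = {"from": "alice@example.com", "subject": "hello", "body": "sample body"}
    original_rcpts = ["bob@example.net"]
    classic = sign(msg)
    bound = sign(msg, original_rcpts)
    edited = dict(msg, body="sample body\n-- list footer")  # list modified the body
    cases = {
        "direct": (msg, original_rcpts),                     # delivered as sent
        "forwarded": (msg, ["carol@example.org"]),            # forwarded unchanged
        "list_edit": (edited, original_rcpts),                # body altered in transit
        "replay": (msg, ["v1@example.org", "v2@example.org"]),  # sent to others later
    }
    return {name: (verify(m, classic), verify(m, bound, r)) for name, (m, r) in cases.items()}
```

The recipient-bound variant stops the later re-delivery case, but at the cost of also failing every unmodified forward, which is the "turns DKIM into SPF" objection in the quoted text.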