Re: DMARC methods in mailman --- [LEDE-DEV] DMARC related mass bounces / disabled subscriptions (fwd) Jo-Philipp Wich: [LEDE-DEV] DMARC related mass bounces / disabled subscriptions

S Moonesamy <sm+ietf@elandsys.com> Sun, 18 December 2016 10:28 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2358512955A for <ietf@ietfa.amsl.com>; Sun, 18 Dec 2016 02:28:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.89
X-Spam-Level:
X-Spam-Status: No, score=-4.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-3.1, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=opendkim.org header.b=g90qmI9b; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=elandsys.com header.b=ZastOB44
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TL9K15cW2AlR for <ietf@ietfa.amsl.com>; Sun, 18 Dec 2016 02:28:28 -0800 (PST)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id E98F8129451 for <ietf@ietf.org>; Sun, 18 Dec 2016 02:28:27 -0800 (PST)
Received: from SUBMAN.elandsys.com (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id uBIASF3n025206 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 18 Dec 2016 02:28:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1482056905; x=1482143305; bh=GFOSDTybDFVjyAJGZANenFKbiBVZ5rl7PZKba99OcDk=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=g90qmI9bggr9MTY8r8/YvDIYtCC9Cdts6Y7md670YuvhAW75jvZLVe6QmZK4tZjRc iSZ7CO1riMb+cwuZOQAuSItpDP+GjD65STVbgG4OaSAaQnYE8x7hAmrGLGGs9ctSO7 xwUlmN2yPebKQ5FA13SVF9TLSr0IMcb81ubvObkc=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1482056905; x=1482143305; i=@elandsys.com; bh=GFOSDTybDFVjyAJGZANenFKbiBVZ5rl7PZKba99OcDk=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=ZastOB44WoH2ALOiMUK5vZVEU0aAAeE0iJrA8jI5LgPjp35zhUrBvNVYu6q17znsp bwz3lfPOKwDT21HVf1wcWrVJlMHjWHXBxtqp7E5q7EFUKGT6UAjAPZ5RIY8k56UtBd Pb74a6ygt+HHXYyI7Fhj9RwTRvstvNgjqTeP1dTs=
Message-Id: <6.2.5.6.2.20161218010701.0c297120@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Sun, 18 Dec 2016 02:15:24 -0800
To: John C Klensin <john-ietf@jck.com>, ietf@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: DMARC methods in mailman --- [LEDE-DEV] DMARC related mass bounces / disabled subscriptions (fwd) Jo-Philipp Wich: [LEDE-DEV] DMARC related mass bounces / disabled subscriptions
In-Reply-To: <A087FD45F16AB4DEB6C520F0@PSB>
References: <25431.1481725548@obiwan.sandelman.ca> <6.2.5.6.2.20161217022643.0e830e78@elandnews.com> <60C5B0E2-95E6-4AE5-87FA-5C438F146181@fugue.com> <6.2.5.6.2.20161217081922.0b4350e0@elandnews.com> <A087FD45F16AB4DEB6C520F0@PSB>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/4BDOhZIsO7-3Qo3OBpuXxg7pSBs>
Cc: Michael Richardson <mcr@sandelman.ca>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Dec 2016 10:28:29 -0000

Hi John,
At 12:29 17-12-2016, John C Klensin wrote:
>Maybe this is what you meant by the scare quotes, but the IETF
>has been fairly clear -- in RFC 5321 and 5322 and elsewhere--
>that

RFC 7960 states that: "To alleviate unsubscribes to the Mailing List 
due to the messages bouncing because of DMARC, the MLM needs to not 
act on notification messages due to message authentication 
issues".  That would entail interpreting the Enhanced Status Codes, 
specifically the ones related to message authentication failures and 
ignoring them for unsubscription purposes.

>(1) Mailing lists can be handled at MTA level, in which case the
>backward-pointing envelope address is changed to point to the
>list but that, other than adding trace information (including
>List identification), the headers and message body should be
>unchanged.

Yes.  It is the message body change which indirectly causes the 
rejection for mail from those "p=reject" domains.

>(2) Mailing lists can also be handled at MUA level, in which
>case "Resent-" fields are added, possibly also with List
>information, but the header "From:" and "Sender:" fields are to
>be unchanged.

Yes.

>(3) Because we deliberately do not have standards about what an
>MUA can do -- precisely because it is ultimately an agent acting
>on behalf of the end user -- such a system can plausibly
>construe such a message as being received, modified as desired,
>and then forwarded to a list of others.   Again, there is no
>standard, but treating mailing list traffic that way opens up a
>whole series of potential attacks because, if the "MUA can make
>changes" model is applied, nothing prevents such an MUA from,
>e.g., changing every instance of "black" in the message body to
>"white".

The problem is that we are getting into what a MUA does, e.g. 
auto-completion.  We would also not be following RFC 5322 by making a 
change to the "From:" field [1].  In a way, this validates the 
argument that a whole series of potential attacks is being opened.

>(4) We have never encouraged anything that attributes semantics
>to either a name phrase (<display-name> in RFC 5322-speak).
>While we have never taken a position about auto-complete and
>populating address books based on those fields, doing the latter
>is fraught with risks, particularly if all I need to do to
>divert mail from Ted to you to an attacker is to send him a
>message with a "From:" header field of
>     S Moonesamy <evil-SM@example.com>

Yes.  We might end up having to consider whether to attribute 
semantics to the <display-name> as a way to solve the problem.  Let's 
assume that 20% of IETF mailing list subscribers use a "p=reject" 
domain name in the "From:" field and that they are no longer allowed 
to post messages to the mailing list because of the policy advertised 
by that sending domain.  What should the mailing list moderator do in 
response to complaints from those subscribers?

Regards,
S. Moonesamy

1. This is related to Point 2.