RE: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

"MH Michael Hammer (5304)" <MHammer@ag.com> Fri, 18 April 2014 21:19 UTC

Return-Path: <MHammer@ag.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5833B1A043E for <ietf@ietfa.amsl.com>; Fri, 18 Apr 2014 14:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_16=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQjcgSEZwxMc for <ietf@ietfa.amsl.com>; Fri, 18 Apr 2014 14:19:19 -0700 (PDT)
Received: from agwhqht.amgreetings.com (agwhqht.amgreetings.com [207.58.192.41]) by ietfa.amsl.com (Postfix) with ESMTP id 173661A007B for <ietf@ietf.org>; Fri, 18 Apr 2014 14:19:18 -0700 (PDT)
Received: from USCLES544.agna.amgreetings.com ([fe80::f5de:4c30:bc26:d70a]) by USCLES531.agna.amgreetings.com ([::1]) with mapi id 14.03.0158.001; Fri, 18 Apr 2014 17:19:14 -0400
From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: Miles Fidelman <mfidelman@meetinghouse.net>
Subject: RE: DMARC from the perspective of the listadmin of a bunch of SMALL community lists
Thread-Topic: DMARC from the perspective of the listadmin of a bunch of SMALL community lists
Thread-Index: AQHPWr6uPWZYqrDS0kS5LDODiAAGHZsXeXikgABNUQCAAAUTQIAAV3cA//+9bDA=
Date: Fri, 18 Apr 2014 21:19:13 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B0507D4DBFD@USCLES544.agna.amgreetings.com>
References: <53499A5E.9020805@meetinghouse.net> <5349A261.9040500@dcrocker.net> <5349AE35.2000908@meetinghouse.net> <5349BCDA.7080701@gmail.com> <01P6L9JZF5SC00004W@mauve.mrochek.com> <CAL0qLwZr=wVX6eD+yGVOaxkSy5fJbuAErTshOG+2BywUvkDfAA@mail.gmail.com> <01P6QCMYYMJ000004W@mauve.mrochek.com> <6EF4DECC078B08C89F163155@JcK-HP8200.jck.com> <01P6QVVGQA4W00004W@mauve.mrochek.com> <5350A9FB.9010307@dougbarton.us> <01P6S93XQ9TI00004W@mauve.mrochek.com> <CAL0qLwbeouNWWAyanTdUHACLUds=5ZQcG0TMCW-AmMNmuE6qrw@mail.gmail.com> <CE39F90A45FF0C49A1EA229FC9899B0507D4DB17@USCLES544.agna.amgreetings.com> <53519532.5070205@meetinghouse.net>
In-Reply-To: <53519532.5070205@meetinghouse.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.104.254.231]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/DfW9gBnGlUgLPSK24Z1XyWm240s
Cc: ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 21:19:20 -0000


> -----Original Message-----
> From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Miles Fidelman
> Sent: Friday, April 18, 2014 5:12 PM
> Cc: ietf
> Subject: Re: DMARC from the perspective of the listadmin of a bunch of
> SMALL community lists
> 
> MH Michael Hammer (5304) wrote:
> >
> > MH: I’m going to disagree with Murray on the fact that it’s hurting
> > us, the company as the motivator, at least from my perspective. I see
> > it as preventing end users from getting hurt from this particular use
> > case (direct domain abuse). The further we (for some definition of we)
> > can push bad actors from reality (from the users perspective), the
> > less likely they are to fall for certain types of social engineering.
> > I would hypothesize that increased abuse of the type Yahoo has been
> > seeing may be in part due to increased difficulty on the part of
> > malicious individuals in abusing brands implementing DMARC with
> > p=reject. P to P mail becomes increasingly attractive and the use of
> > stolen address books or user email addresses and information from
> > stored messages can be used to improve the effectiveness of the social
> > engineer.
> >
> 
> At least from the perspective of our lists, and spam traps - abuse of
> stolen address books and such has been a much larger problem than email
> from forged addresses -- at least where Yahoo is concerned, our normal
> spam traps (spamassassin with lots of checks) caught (and continue to
> catch) most incoming spam -- EXCEPT for the stuff that comes from
> legitimate addresses.
> 
> I.e., botnets that have access to address books and legitimate login
> credentials have been the main problem we've seen.  At least so far,
> p=reject hasn't led to an increase in that.
> 

The assertion has been made that the mail abusing the stolen address books was being sent from places other than yahoo.com but claiming to be from compromiseduser@yahoo.com. In this scenario p=reject would have an impact in mitigating that type of abuse for mailbox providers validating DMARC (notwithstanding the damage done to mailing lists and other 3rd parties).

Mike
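The distinction Mike draws in his last paragraph is the DMARC identifier-alignment rule: a message claiming From: compromiseduser@yahoo.com is only "aligned" if SPF or DKIM passes for a domain that matches yahoo.com, so a spoof sent from elsewhere fails and hits p=reject, while a botnet using stolen credentials through Yahoo's own servers passes, and a mailing-list relay that rewrites the Subject and resends from its own envelope domain fails just like the spoof. The following simulation is an added example written for this archive page; it is not code from the thread or from any DMARC implementation. The scenario host names (botnet-host.example, lists.example.org) and the authentication results are constructed, and org_domain() is a two-label simplification of the Public Suffix List lookup real evaluators perform.

```python
"""Simulated DMARC policy evaluation (RFC 7489 style identifier alignment).

Added example for the thread above; yahoo.com is the From domain under
discussion, every other name and result below is constructed.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record like 'v=DMARC1; p=reject; aspf=r' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain; simplified to the last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares org domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # MAIL FROM (envelope) domain SPF was checked against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def evaluate_dmarc(results: AuthResults, record_txt: str) -> tuple:
    """Return (dmarc_result, requested_disposition) for one message."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, rec["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", rec["p"]  # policy applies only when neither identifier aligns


# Constructed scenarios matching the three cases discussed in the thread.
SCENARIOS = {
    # Stolen address book used from a non-Yahoo host, From forged as yahoo.com.
    "botnet_spoof": AuthResults("yahoo.com", "fail", "botnet-host.example", "none", ""),
    # Stolen credentials used through Yahoo's own submission servers: fully aligned.
    "compromised_account_via_yahoo": AuthResults("yahoo.com", "pass", "yahoo.com", "pass", "yahoo.com"),
    # Legitimate post relayed by a list that rewrote Subject (DKIM breaks) and
    # resent with its own envelope sender (SPF domain no longer aligns).
    "via_mailing_list": AuthResults("yahoo.com", "pass", "lists.example.org", "fail", "yahoo.com"),
}


def run_scenarios(record_txt: str = "v=DMARC1; p=reject") -> dict:
    """Evaluate every constructed scenario against the given DMARC record."""
    return {name: evaluate_dmarc(r, record_txt) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for policy in ("v=DMARC1; p=none", "v=DMARC1; p=reject"):
        print(policy)
        for name, outcome in run_scenarios(policy).items():
            print(f"  {name:32s} -> {outcome}")
```

Running it shows the asymmetry Mike describes: under p=reject the forged-From spoof and the mailing-list relay both come back ("fail", "reject"), while the compromised account sending through Yahoo itself is ("pass", "none"), which is why credential theft is untouched by the policy and why the list case is counted as collateral damage rather than a detection.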