Re: [IETF] DMARC methods in mailman

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 31 December 2016 20:49 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6829612959D for <ietf@ietfa.amsl.com>; Sat, 31 Dec 2016 12:49:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dS94wnyD2OLg for <ietf@ietfa.amsl.com>; Sat, 31 Dec 2016 12:49:18 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4CB1129483 for <ietf@ietf.org>; Sat, 31 Dec 2016 12:49:17 -0800 (PST)
Received: from [IPv6:2604:2000:1382:81a2:504f:d1f:232d:c233] (unknown [IPv6:2604:2000:1382:81a2:504f:d1f:232d:c233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 3CA08282D54 for <ietf@ietf.org>; Sat, 31 Dec 2016 20:49:16 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Re: [IETF] DMARC methods in mailman
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <20161227170912.GQ13486@mournblade.imrryr.org>
Date: Sat, 31 Dec 2016 15:49:13 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <6DF613F9-C75E-479E-BB63-B83ED7923696@dukhovni.org>
References: <A2F8894E-C983-42F2-9EB9-3E7032615F86@dukhovni.org> <20161227145738.24244.qmail@ary.lan> <20161227170912.GQ13486@mournblade.imrryr.org>
To: IETF general list <ietf@ietf.org>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/LvzQmy1jRmYGePLaEzUv6WfP6SU>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: IETF general list <ietf@ietf.org>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Dec 2016 20:49:19 -0000

[ On-list follow-up to off-list discussion with John R Levine ]

> On Dec 27, 2016, at 12:09 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>; wrote:
> 
> What I'm saying is that phishing protection is not the actual goal
> when publishing or filtering on DMARC.  The metric used is complaints
> about spam, or messages blocked not reduction in monetary loss,
> and this lines up with reducing support costs, ...
> 
> So filtering on DMARC reduces complaints and support costs.  Its
> effect on phishing is a separate issue.
> 
> Many of my inbound 419 scams are sent with Yahoo/Gmail/... "Reply-To"
> addresses (the From address is in some random domain), and DMARC
> does nothing to address the endemic infestation of Yahoo/Gmail/...
> by 419 scammer maildrops.

A perfect illustration of this, in the form of (two copies of) a
vanilla 419 scam sent via Yahoo, claiming to be from Gmail, with
a Gmail From/Reply-To landed in my mailbox today:

Return-Path: <fdstrefd@gmail.com>;
Received: from nm26-vm3.bullet.mail.ir2.yahoo.com (nm26-vm3.bullet.mail.ir2.yahoo.com [212.82.97.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by mournblade.imrryr.org (Postfix) with ESMTPS id 294A3282D54
	for <ietf-dane@dukhovni.org>;; Sat, 31 Dec 2016 20:11:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1483215114; bh=c4EvhVuT7B7QSV9hGxgYY5JM/FjAch9pBRo19btgucE=; h=Date:From:Reply-To:Subject:References:From:Subject; b=WoiPMDpaa+cfZ9QhmywsDmt8fwb4nK6vFIm6dBY4CV5WaamvGPq+i5VX66OPKSkFHA8kNnzkHuhN4iSFT7gQRNk1/xX6xJ9iGw4GUOePrLSsAJC5uCS+aHEnrTTuLi2yF+S1YDefU286pBkw4yHoX9JN0gcvb5s7uD+JSwIYjlLYOGr+PpGrEAuXNVE2NGzIcb9UWTSJXZMwlBbWkY7nqz1ud1OFhAruu7M8J0b9Qy0JguRF+TXoVIlgwmhtLUkW7zVUjJH97A+pGPLZJTb3ZsP4i+JITXntKt5LTh3rmoA/imXEm5SGRgY26w8S33ogKRbxOGMF+bExVfFSGu6pZw==
Received: from [212.82.98.55] by nm26.bullet.mail.ir2.yahoo.com with NNFMP; 31 Dec 2016 20:11:54 -0000
Received: from [212.82.98.94] by tm8.bullet.mail.ir2.yahoo.com with NNFMP; 31 Dec 2016 08:02:52 -0000
Received: from [127.0.0.1] by omp1031.mail.ir2.yahoo.com with NNFMP; 31 Dec 2016 07:55:04 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 927888.62800.bm@omp1031.mail.ir2.yahoo.com
X-YMail-OSG: QcOFysMVM1m.D45t1au9SSm7UzQg.moWDy838PFy.crU_U2N2Ln5zfPjrV316am
 O5_zn_VmvWY0mvTu381bdjL6BcURqvRHcKaw3g25Wps4hfu5qEa_L9zn29KWuwNWSIyddDcm8mIy
 FyM7llRByUhCYWb7Usx1_GR.5JD3.phNO88gGojPDNcflzmS.nAErUq9Qkt1NWsV1LIOjMO3NJzL
 gmLNZCDp34o6QleUNJ9Ku3Ovu9OkUh0tT0mDgr4wlOnvV6YRHMjpSdIwIOWOOgRXvZyL9TjBwoZ0
 VJe89OUB40o37la9j7NbS2vcdzyPnZHH.n5.ETUZCQjwd9G.CbFHugfmbCQUaSr1YY6EjRNWvnbb
 eUHSEkuPEuTsFM8taHzKIfTfmnPkjYRhzOa2Ch800ROLuT0KUj0jFrHTCA_KLwewubm4G2J01.7s
 RJJKbUMFLFg4xhPS5ZJJf8T7DexaxYYUHrvI2tC9KqRu9HVBPSI0GM2qnYXtySZ4.jFttaFem9WH
 eicjn4zzDzOULy3qatyVelmI-
Received: from jws700080.mail.ir2.yahoo.com by sendmailws165.mail.ir2.yahoo.com; Sat, 31 Dec 2016 07:55:04 +0000; 1483170904.369
Date: Sat, 31 Dec 2016 07:55:04 +0000 (UTC)
From: "Mr.Iheleme Oskama" <fdstrefd@gmail.com>;
Reply-To: "Mr.Iheleme Oskama" <mr.ihelemeoskama@gmail.com>;
Message-ID: <1310822406.6745256.1483170904116@mail.yahoo.com>;
Subject: Greetings My Dear Friend

My MUA's (Mail.app) filters easily recognized it as Junk email, if
only Yahoo's outbound email filters had been equally effective, but
I don't believe that protecting email users against scams is the
game being played.

Yes, when Paypal publishes DMARC policy, the policy is both reasonable,
and does have positive impact in reducing phishing of Paypal users.
Paypal's DMARC policy also has no negative impact on mailing lists.

When a large consumer email provider publishes p=reject, their
motivation is likely less noble and negative impact on other
legitimate uses of email is not negligible.

-- 
	Viktor.