Re: dmarc damage, was gmail users read on... [bozo subtopic]
John C Klensin <john-ietf@jck.com> Sat, 13 September 2014 20:09 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA6F1A00D4 for <ietf@ietfa.amsl.com>; Sat, 13 Sep 2014 13:09:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.252
X-Spam-Level:
X-Spam-Status: No, score=-4.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0LveEXz9j4gs for <ietf@ietfa.amsl.com>; Sat, 13 Sep 2014 13:09:06 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B306F1A00D1 for <ietf@ietf.org>; Sat, 13 Sep 2014 13:09:06 -0700 (PDT)
Received: from h8.int.jck.com ([198.252.137.35] helo=JcK-HP8200.jck.com) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1XStd3-000P9h-Am; Sat, 13 Sep 2014 16:09:05 -0400
Date: Sat, 13 Sep 2014 16:09:00 -0400
From: John C Klensin <john-ietf@jck.com>
To: John Levine <johnl@taugh.com>, ietf@ietf.org
Subject: Re: dmarc damage, was gmail users read on... [bozo subtopic]
Message-ID: <832617A8DFA9BF93CBDA3D97@JcK-HP8200.jck.com>
In-Reply-To: <20140913191426.3310.qmail@joyce.lan>
References: <20140913191426.3310.qmail@joyce.lan>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.35
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/NOvTA6k9gIqwnY0YjXNDgx390ME
Cc: tytso@mit.edu
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Sep 2014 20:09:08 -0000
--On Saturday, September 13, 2014 19:14 +0000 John Levine <johnl@taugh.com> wrote: >... > DMARC is only useful because many crooks are remarkably lazy or > stupid. I've seen numbers showing that it blocks vast amounts > of spam with From: addresses like <security@paypal.com> which > means that a lot of crooks just uses the exact address they're > attacking But it's not effective against stuff like this, > which they also use: > > From: <security@paypaI.com> > From: security at paypal.com <boris@rbn.ru> >... I would have added that it provides no protection against From: <security@pаypаl.com> (the oft-cited "Cyrillic 'a'" example) either. I think we are largely in agreement, but I think there is a reasonable hypothesis that would substitute "lazy and economically rational" for "remarkably lazy or stupid". No matter how vast the number of messages that are intercepted, the crooks have no incentive to adopt smarter procedures until the number and pattern of messages intercepted hurt the bottom line. Up to that point, they have multiple incentives to ignore DMARC and let it trap whatever it traps. Doing so forces us to expend resources to adjust to a technique they know how to (mostly) defeat and thereby lowers, however slightly, the available resources for dealing with the next attack. It leaves us guessing as to what new attacks will be mounted, forcing us to either wait and then react or to waste resources on approaches they are unlikely to try (or will avoid trying once we've spent the resources and deployed the solutions. As others have pointed out, spending our resources making the bad guys smarter is rarely a good tradeoff. DMARC does not seem to be a good candidate for a long-term exception. > For that second one, remember that a lot of MUAs only show the > comment on the From: line, not the address. I've often wondered how many successful phishing attacks we could stop by issuing a "best practices" statement pointing out the risks and difficulties associated with that address-suppression practice. I don't know that MUA authors/maintainers would pay any attention to us, but, if we hypothesize that they would not, it gets much harder to believe that plans that require MUA changes to deal with DMARC countermeasures would be effective. best, john
- gmail users read on... Brian E Carpenter
- Re: gmail users read on... Rich Kulawiec
- Re: gmail users read on... Andrew G. Malis
- Re: gmail users read on... Ross Finlayson
- Re: gmail users read on... Michael Richardson
- Re: gmail users read on... Mary Barnes
- RE: gmail users read on... l.wood
- Re: gmail users read on... Ross Finlayson
- Re: gmail users read on... Ted Faber
- Re: gmail users read on... Tim Bray
- Re: gmail users read on... TJ
- Re: gmail users read on... Ross Finlayson
- Re: gmail users read on... Riccardo Bernardini
- Re: gmail users read on... Paul Hoffman
- Re: gmail users read on... TJ
- Re: gmail users read on... Ted Faber
- Re: gmail users read on... joel jaeggli
- Re: gmail users read on... Phillip Hallam-Baker
- Re: gmail users read on... [technical subtopic] Brian E Carpenter
- Re: gmail users read on... [bozo subtopic] Brian E Carpenter
- Re: gmail users read on... [bozo subtopic] Andrew G. Malis
- Re: gmail users read on... [bozo subtopic] Hector Santos
- Re: gmail users read on... [bozo subtopic] Antonio Prado
- Re: gmail users read on... [bozo subtopic] Joe Abley
- Re: gmail users read on... [bozo subtopic] Doug Barton
- Re: dmarc damage, was gmail users read on... [boz… John Levine
- Re: dmarc damage, was gmail users read on... [boz… John C Klensin
- Re: dmarc damage, was gmail users read on... [boz… Doug Barton
- Re: dmarc damage, was gmail users read on... [boz… Doug Barton
- Re: dmarc damage, was gmail users read on... [boz… John Levine
- Re: dmarc damage, was gmail users read on... [boz… John C Klensin
- Re: dmarc damage, was gmail users read on... [boz… Nico Williams
- RE: dmarc damage, was gmail users read on... [boz… Christian Huitema
- Re: dmarc damage, was gmail users read on... [boz… George Michaelson
- Re: dmarc damage, was gmail users read on... [boz… John Levine
- Re: dmarc damage, was gmail users read on... [boz… Miles Fidelman
- Re: dmarc damage, was gmail users read on... [boz… Dave Crocker
- Re: dmarc damage, was gmail users read on... [boz… Theodore Ts'o
- Re: dmarc damage, was gmail users read on... [boz… Donald Eastlake
- Re: dmarc damage, was gmail users read on... [boz… Viktor Dukhovni
- RE: dmarc damage, was gmail users read on... [boz… MH Michael Hammer (5304)
- Re: dmarc damage, was gmail users read on... [boz… Wei Chuang
- Re: dmarc damage, was gmail users read on... [boz… Doug Barton
- Re: dmarc damage, was gmail users read on... [boz… Dave Crocker
- RE: dmarc damage, was gmail users read on... [boz… MH Michael Hammer (5304)
- Re: dmarc damage, was gmail users read on... [boz… Doug Barton
- Re: dmarc damage, was gmail users read on... [boz… Nico Williams
- Re: dmarc damage, was gmail users read on... [boz… Murray S. Kucherawy
- Re: dmarc damage, was gmail users read on... [boz… Murray S. Kucherawy
- Re: dmarc damage, was gmail users read on... [boz… Murray S. Kucherawy
- Re: dmarc damage, was gmail users read on... [boz… Sabahattin Gucukoglu
- Re: dmarc damage, was gmail users read on... [boz… John Levine
- Re: dmarc damage, was gmail users read on... [boz… John C Klensin
- Re: dmarc damage, was gmail users read on... [boz… Wei Chuang
- Re: dmarc damage, was gmail users read on... [boz… Wei Chuang
- Re: gmail users read on... Hector Santos
- Re: dmarc damage, was gmail users read on... [boz… Hector Santos
- Re: dmarc damage, was gmail users read on... [boz… Scott Kitterman
- Re: dmarc damage, was gmail users read on... [boz… Hector Santos
- Re: dmarc damage, was gmail users read on... [boz… Hector Santos
- Re: dmarc damage, was gmail users read on... [boz… Hector Santos
- Re: dmarc damage, was gmail users read on... [boz… Dave Crocker
- Re: gmail users read on... George Michaelson
- Re: dmarc damage, was gmail users read on... [boz… David Morris
- Re: dmarc damage, was gmail users read on... [boz… John Levine
- Re: dmarc damage, was gmail users read on... [boz… Rich Kulawiec
- Re: dmarc damage, was gmail users read on... [boz… Rich Kulawiec