Re: (DMARC) We've been here before, was Why mailing lists

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 18 April 2014 20:47 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A621D1A03BA for <ietf@ietfa.amsl.com>; Fri, 18 Apr 2014 13:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YJpzL9cgVSC2 for <ietf@ietfa.amsl.com>; Fri, 18 Apr 2014 13:47:32 -0700 (PDT)
Received: from mail-pb0-x232.google.com (mail-pb0-x232.google.com [IPv6:2607:f8b0:400e:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id DA0451A02EB for <ietf@ietf.org>; Fri, 18 Apr 2014 13:47:32 -0700 (PDT)
Received: by mail-pb0-f50.google.com with SMTP id md12so1791661pbc.23 for <ietf@ietf.org>; Fri, 18 Apr 2014 13:47:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=XiXLjN4IJAE8Ubua6ooKChb/H0YqXYq0hCF880j2vTg=; b=bFR+3XfQE6wlo+6+NhQHo+Ub97zr+rpwSmrMi4WRD7wFNyVwsdgjCuIXShqoNzsS8Y DfR7dsvRu8IIuyZ5Z6BiNvY8gWJK1DvBDwNlvvP2Qs9Y25gm0PkxPyTwjkyzRX2EkMrz Ma5qzGVgwCIYqwJjLCx6ZP+tUgMDwhAtBATraAcds6MU1QLqbjI4sCC+zIqxG+ZN7mi2 85rQXaEdZqbJ1XROAdYJw5a4cGVT2X70Aem4yufql5wCqaf5nLJvqmRLm6IRGhDe86NG T/y7rf7glMCNFFA+CwRxojSaz3bWOWMKvdN2JCjThb7PPFgHznp2VHtak/tYVZTCDTR2 GC5g==
X-Received: by 10.68.200.133 with SMTP id js5mr24280049pbc.138.1397854048989; Fri, 18 Apr 2014 13:47:28 -0700 (PDT)
Received: from [192.168.178.20] (225.195.69.111.dynamic.snap.net.nz. [111.69.195.225]) by mx.google.com with ESMTPSA id vg1sm61744685pbc.44.2014.04.18.13.47.26 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 18 Apr 2014 13:47:28 -0700 (PDT)
Message-ID: <53518F69.90703@gmail.com>
Date: Sat, 19 Apr 2014 08:47:37 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Murray S. Kucherawy" <superuser@gmail.com>
Subject: Re: (DMARC) We've been here before, was Why mailing lists
References: <20140417181815.8A5871ACD1@ld9781.wdf.sap.corp> <9451.1397772992@sandelman.ca> <CAL0qLwa0a4nDAdCHkkMJdeemsj+cezcmH3+59CvhF8q7B72ryg@mail.gmail.com>
In-Reply-To: <CAL0qLwa0a4nDAdCHkkMJdeemsj+cezcmH3+59CvhF8q7B72ryg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/O8pYlCq221Il--JFBVNsjlYNHIk
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Pete Resnick <presnick@qti.qualcomm.com>, John R Levine <johnl@taugh.com>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 20:47:33 -0000

On 19/04/2014 03:20, Murray S. Kucherawy wrote:
...
> One of the key points about DMARC's design is that it's concerned
> specifically with From:.  The reason is that the content of From: is what's
> typically shown to the recipient by MUAs.  If DMARC keyed off Sender:
> instead, then this would work:
> 
> MAIL FROM: haha@badguy.example.com
> 
> From: security@paypal.com
> Sender: haha@badguy.example.com
> DKIM-Signature: v=1; d=badguy.example.com; ...

So, if the From says

From: goodguy@yahoo.com <haha@badguy.example.com>

many UAs would show only goodguy@yahoo.com as the sender,
but badguy could have passed DMARC, no?

This would not exactly enhance goodguy's reputation,
or Yahoo's for that matter. I realise it isn't the exploit
that Yahoo is trying to stop, but it suggests to me that
DMARC is only plugging one small hole in a very leaky dam.

    Brian