Re: What I've been wondering about the DMARC problem

[Sabahattin Gucukoglu <listsebby@me.com>]

On 17 Apr 2014, at 21:53, Theodore Ts'o <tytso@mit.edu> wrote:
> Suppose we made the mailing list software take the contents of the
> From field, and moved it to something like "X-Originally-From: ", and
> changed the From field to be "ietf@ietf.org".  That would be what the
> DMARC people would want, right?

Probably.  I mean, the alternative is to upgrade DMARC so it recognises the Originally-From field as From when it is present, but that would actually require maintaining compatibility with decades-old software which didn't know that From was the arbiter of all truth. :)

> Except then, a couple of years later, because users might actually
> want to find the message that was written by "Brian Carpenter", or
> "Sabahattin Gucukoglu", and not from "ietf@ietf.org", MUA's might
> start using the Originally-From field in the summary field, and start
> emphasizing the "Originally-From" from field in the UI.  At which
> point, the spammer/scammer/whatever could start forging the the
> "Originally-From" field, and then Lo!  There will be a DMARC II,
> demanding that "Originally-From" field be aligned with the From field,
> and we're right back to where we started.
> 
> It was the same argument about why a DKIM or DMARC couldn't just
> verify the Sender field, and call it a day.  The problem is that the
> From field is what people pay attention to.

Precisely.

Of course, if we're starting just now, there's something we could try differently: write it into Internet law that "NO MUA SHALL PROMOTE FOO TO THE DEFAULT HEADER DISPLAY", where "foo" is whatever we come up with.  Then MUA software, when presented with a known-good and known-aligned authentication results for From: could start displaying the green bar or whatever nonsense they come up with to signal that all is good, just so long as the part to the right of the @ is the domain the user thought the mail was really from.  However the MUA could continue to provide conveniences such as address autocomplete, address book memorisation, search or reply that were all using our new foo.

> And this is true of whatever solution we want to better support
> mailing lists.  Suppose the answer is to rewrite the from field to
> something like this:
> 
> 
> From: ietf-resend+brian.e.carpenter=gmail.com@ietf.org
> 
> Or this:
> 
> From: ietf@ietf.org (Originally from Brian E Carpenter: brian.e.carpenter@gmail.com)
> 
> It doesn't matter.  Eventually, the UA's will start emphasizing and
> parsing out the original From field information, because that's what
> people will want to be automatically added to their address book, and
> not ietf@ietf.org, and that's what they will want to see in their
> e-mail summary.  And then the DMARC folk will say, "Oh, Noes!
> Spammers and scammers and bears, oh my!  They are using this loophole
> to fool the naive user."  We must have DMARC II... and DMARC
> III.... and DMARC IV.... and it will never end.

Indeed.  Of course, none of that helps the mailing lists of yesteryear, I mean today.  Right now, we're all screwed without one of these hacks. :(

Cheers,
Sabahattin