RE: protecting the Internet from DMARC damage, was perspectives

["MH Michael Hammer (5304)" <MHammer@ag.com>]

> -----Original Message-----
> From: John Levine [mailto:johnl@taugh.com]
> Sent: Monday, April 14, 2014 5:50 PM
> To: ietf@ietf.org
> Cc: MH Michael Hammer (5304)
> Subject: Re: protecting the Internet from DMARC damage, was perspectives
> 
> >The fact is that a vocal constituency led by John Levine made it
> >extremely clear that MLMs were out of scope and there was zero interest
> >on the part of the MLM community in discussing ways in which MLMs could
> be made to work in an email authentication framework even if there were
> any MLM operators willing to do so. ...
> 
> DMARC must be in pretty bad shape if its proponents have to resort to
> malicious lies like this.  It saddens me that Mike, who I used to consider a
> friend, would do so.
> 

John, your position has been absolutely consistent through the years. Your comments below reflect that. Your comments in the IETF-DKIM working group reflected that as well. I'm sorry you no longer consider me a friend but your position has consistently been "we are not broken, now go away". If the world were encased in ambergris that might be a useful position but the world is not. We have disagreed on this for over a decade.

> My position has always been perfectly clear: mailing lists are not broken, they
> provide a significant service to individual Internet mail users, and it is not our
> job to spend time and money to solve other people's problems.  DMARC, like
> all of its predecessor authentication schemes, has a model of the way people
> send mail that describes much but not all of the actual mail people send.
> There are an awful lot of ways that people send mail, so this shouldn't come
> as a surprise to anyone.
> 

How does your statement substantively differ from what I wrote in my previous post? You explicitly state that it is not your problem and it is somebody else's problem. You have been vocal about your position for years and years. You may not like my characterization of your position but that is your position nonetheless. It is not simply that you took that position regarding DMARC but that you have consistently taken that position for ANY discussion regarding potential changes to MLMs for ANY changes that might relate to authentication. Your position has been that the community at large can rely on "your" reputation (the actual example you gave in the SSP discussion in 2008 related to the IETF-DKIM list hosted by Dave Crocker). While you (or Dave) may have an excellent reputation - and I agree that you do despite our differences - that is not the basis for a scalable standard. You assert that lists are not and have not been a vector for abuse. I've seen abuse through lists where a subscriber account has been compromised. Yes it may get addressed by operators, some faster than others. Rather than working to find a model (or expand existing ones) to address the use cases you claim won't work or shouldn't be changed because "we were here first and it works for us", I would assert that it is beneficial to the community to have the discussions to come up with standards and practices that protect end users from abuse. 

> The invariable next step is that some of the proponents of the scheme,
> rather than recognizing and admitting to its limitations, declare that the mail
> the scheme can't describe is bad and must be eradicated, with the term
> "forged" often misused.  People who have been around long enough will
> remember when the SPF crowd demanded that everyone stop forwarding
> mail, or a few people wanted to apply strict DKIM ADSP to everything.
> Mailing lists are the most obvious sending scenario that DMARC doesn't
> describe, but it's far from the only one.
> 

You are absolutely correct in stating that DMARC doesn't address mailing lists - because you have staked out a position that mailing lists should not have to change in any way shape or form to deal with any authentication model. That is extremely constraining out of the gate and pretty much ends any meaningful discussion at that point. "How about if we... NO!"

> I have always said that DMARC is useful for a lot of mail, such as the "spam
> cannon" stuff (a comment on the volume, not necessarily the
> character) that Mike's employer sends, or that Paypal and banks send.
> As we have seen, it fails miserably for domains with non-employee live
> users.
> 

I haven't pushed for DMARC to be applied to domains with end users but the fact that it "fails miserably" (for some definition of fail) reflects more on a lack of discussion and effort on how it (or other approaches) might work (due to intransigence) rather than the fact that it or some other approach could work.

> Without exception the ways proposed to change MLMs to "to work in an
> email authentication framework" have involved removing useful features
> added over the decades that our users use and like, so it also shouldn't be a
> surprise that we're not interested in bowdlerizing our service to solve their
> problem.  We also note that many of the proposed solutions are
> overcomplicated and unlikely to work in practice (original-authentication-
> results) or just plain won't work (turning off all subject tags, message footers,
> and other message
> modifications.)
> 

John, abuse is a community problem. I haven't been involved in any of the proposed solutions regarding mailing lists which you mention for precisely the reason that you (As the voice of MLM developers and operators) have made clear that there is absolutely no implementation (other than leave you to your own devices) that is acceptable. I don't count using separate IPs and signing mail emitted by your servers (for domains other than your own) as a meaningful effort. I'm just not the kind of guy who accepts "trust me" as a meaningful anti-abuse solution.

> If the DMARC crowd were interested in being good net citizens, there is a
> way to deal with DMARC's limitations that is straightforward but not free:
> whitelisting.  Most of the lists I see sign their mail, and they generally use
> static IP sending addresses, so they're not hard to characterize.  The set of
> mailing lists and other legitimate mail sources that DMARC doesn't describe is
> not enormous, and it should be possible to develop shared whitelists for
> them, if someone were willing to pay for doing so.  (This is a much smaller
> problem than trying to whitelist all "legitimate" mail.) If the list-whitelist
> group said that lists need to sign their mail or use an unshared IP to get
> whitelisted, you would find little resistance, both because most of us do that
> already, and because it doesn't ask us to make our lists worse for our users.
> 

You have put forward the whitelist (FUSWP - Final Ultimate Solution to the Whitelisting Problem) solution in the face of a variety of proposals. DMARC does not preclude whitelisting by the validating operator. In fact, it specifically provides for local policy overrides, including one for mailing lists. You say it is someone else's (the "DMARC crowd" as you put it) problem. It's kind of like the old saw about truckers thinking they are in the trucking business rather than the transportation business. We are ALL in the email space.

Your solution to mailbox providers with users that implement p=reject is to boot the users off of mail lists and tell them to go find another mail provider. That may work for some lists but there will be significant issues for others. I'm not even going to delve into your comments about lists signing their mail when sending as a domain other than themselves. That discussion has been had multiple times in multiple forums. When presented with a mail list signature on an email purporting to be from a given domain and an assertion from the domain itself that constrains use of that domain, I know which one I'm going to go with as a general rule.

When I think of your church mail list example, the first thing that came to mind is WWJD? The second thing that came to mind is that an organization, whether a church, a university or similar organization, might not be too appreciative if significant donors or volunteers were told by their mail list operator "to take a hike" because the mail list operator is upset by that persons mailbox provider. Whether you like it or not and whether you admit it or not, it is your problem because it is a community problem. As I have stated before, I have not advocated that domains with users should publish a p=reject. I do recognize that those domains may have an interest in protecting their domains from abuse and see DMARC is a potential tool to mitigate direct domain abuse. I say this without personally advocating for it. You have studiously avoided one of the key underlying questions for this discussion and others: Does the owner of a domain have the right to control or limit the use of its domain (or other similar resources)? If not, which 3rd party gets to be the decider? Are there any limits on the 3rd party decider? If so, who gets to set the limits on the 3rd party decider? Be careful, it's a slippery slope.

> Unfortunately, we've seen no willingness to spend their money to help us
> solve their problem, and far too much of do it our way or else, because we
> are bigger than you are.
> 

Look at how you phrased the above. That translates into give us money or we won't make any effort whatsoever. Is it really about money? I truly don't think so. Please provide as a reference your ID for this proposed whitelisting standard in datatracker. Absent specific detailed proposals that would induce someone to sponsor your effort why would anyone give you money for this whitelisting equivalent of FUSSP? Good mailers go bad. Every once in a while bad mailers go good. I'm quite familiar with whitelisting schemes and my personal position is "What have you done to me today?". I don't care what your reputation has been for the last x years if you are emitting badness today. You opened your email stating that "It saddens me that Mike, who I used to consider a friend, would do so." You obviously don't whitelist people so why would you expect people to accept your assertion that you (your maillist) should be whitelisted? I am of course disappointed that you no longer consider me a friend, but if blunt discourse on a difficult subject requires you to do so then I accept that. Readers of this exchange can decide for themselves whether, as you have asserted, I have maliciously lied about you. The archives from IETF-DKIM are available as are the ones for IETF-DMARC and DMARC-DISCUSS. I would also point people to the archives for ASRG as well for a litany of out-of-hand rejection (although I willingly admit that many of the proposals from newly subscribed participants did lack a certain understanding of the problem space).

You may not like my characterization of your position but your position has consistently - over quite a few years - been that MLMs are fine, now go away because it is "your" problem, not mine. That is the essence of your post I'm currently responding to.  It's not a function of "them" being bigger than you. It's a function of you not being willing to have any sort of meaningful engagement with "them" other than on terms you dictate. It's not just large domain owners and corporations struggling with abuse. It's domain owners of all sizes and types. And yes, it's individuals that suffer the consequences of our collective failure to find solutions to real world abuse. I again reiterate that I am not personally advocating that domains with users publish p=reject regardless of impact on others. I will say that the train has left the station and I expect there will be other domains which, in the face of significant abuse, will make similar decisions. Absent alternatives and seeing that similar domains claim that the approach has provided relief for them, this would appear to be a logical choice and not an irrational one.

With each additional domain that makes such a decision your position becomes increasingly untenable. You (and others) might be willing to kick off list participants from such domains if it represents some small percentage of participants but how many list operators will do so if such participants represent a significant portion or majority of participants? Will the organizations that these lists are managed for accept such outcomes? Some will but many won't. They will switch to implementers that allow them to go about their daily activities without it being made painful for them. If a mailing list is configured and nobody is subscribed or participates is it a mailing list? You propose pain as a motivator but you don't seem to recognize that such pain may motivate people and organizations to outcomes other than that which you desire.

I recognize that this is a bitter discussion for some. It could have and should have been a discussion held much earlier and in a different context. That is water under the bridge. As others have asked, where should the IETF and the larger community go from here? Punishing users as a means of getting at a mailbox provider doesn't seem particularly constructive in the long run and as I have indicated above may be somewhat self-defeating. IETF shunning of DMARC may feel good but even John Levine has stated that it has benefits in particular implementation categories (as long as no change is asked of MLMs). A discussion of technical approaches that enable mail lists to participate in authentication approaches for 3rd party domains without losing (significant) functionality might be useful. Are there alternative ways of providing that same functionality? Note that I'm not even being DMARC specific in proposing that. John Levine has proposed whitelisting as a solution. I don't buy into that personally but it might be a useful discussion to have - monetary donations should not be required in order to have a discussion about this.

Apologies to all for this long missive.

Mike