Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Miles Fidelman <mfidelman@meetinghouse.net> Fri, 18 April 2014 21:30 UTC

Message-ID: <53519955.9050102@meetinghouse.net>
Date: Fri, 18 Apr 2014 17:29:57 -0400
From: Miles Fidelman <mfidelman@meetinghouse.net>
In-Reply-To: <CE39F90A45FF0C49A1EA229FC9899B0507D4DBFD@USCLES544.agna.amgreetings.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/lT5Kq1zS6JznmPVjbyQR2sJshHA

MH Michael Hammer (5304) wrote:
>
>> -----Original Message-----
>> From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Miles Fidelman
>> Sent: Friday, April 18, 2014 5:12 PM
>> Cc: ietf
>> Subject: Re: DMARC from the perspective of the listadmin of a bunch of
>> SMALL community lists
>>
>> MH Michael Hammer (5304) wrote:
>>> MH: I’m going to disagree with Murray on the fact that it’s hurting
>>> us, the company as the motivator, at least from my perspective. I see
>>> it as preventing end users from getting hurt from this particular use
>>> case (direct domain abuse). The further we (for some definition of we)
>>> can push bad actors from reality (from the users perspective), the
>>> less likely they are to fall for certain types of social engineering.
>>> I would hypothesize that increased abuse of the type Yahoo has been
>>> seeing may be in part due to increased difficulty on the part of
>>> malicious individuals in abusing brands implementing DMARC with
>>> p=reject. P to P mail becomes increasingly attractive and the use of
>>> stolen address books or user email addresses and information from
>>> stored messages can be used to improve the effectiveness of the social
>>> engineer.
>>>
>> At least from the perspective of our lists, and spam traps - abuse of
>> stolen address books and such has been a much larger problem than email
>> from forged addresses -- at least where Yahoo is concerned, our normal
>> spam traps (spamassassin with lots of checks) caught (and continue to
>> catch) most incoming spam -- EXCEPT for the stuff that comes from
>> legitimate addresses.
>>
>> I.e., botnets that have access to address books and legitimate login
>> credentials have been the main problem we've seen.  At least so far,
>> p=reject hasn't led to an increase in that.
>>
> The assertion has been made that the mail abusing the stolen address books was being sent from places other than yahoo.com but claiming to be from compromiseduser@yahoo.com. In this scenario p=reject would have an impact in mitigating that type of abuse for mailbox providers validating DMARC (notwithstanding the damage done to mailing lists and other 3rd parties).
>
>

All I can report is what I see in our logs, and after-the-fact analysis 
of mail that has actually made it onto the lists we run.

Miles

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
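To make the distinction argued in this exchange concrete, here is an added illustration (not part of the original message or thread) of how a receiving mailbox provider applies a p=reject DMARC policy: a forged From: sent from an unrelated host fails identifier alignment and is rejected, a message sent through the domain's own servers with stolen credentials passes untouched, and a copy relayed through a mailing list with a broken DKIM signature is also rejected. The domain names, authentication results and DMARC record are constructed, and the organizational-domain lookup is a simplification of what RFC 7489 specifies.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags, e.g. {'v': 'dmarc1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Simplification: take the last two labels as the organizational domain.
    # Real receivers consult the Public Suffix List (RFC 7489 section 3.2).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if either SPF or DKIM passes AND aligns with the From: domain,
    otherwise the policy action from the record ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

# Constructed record mirroring the p=reject policy discussed in the thread.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

# Three constructed scenarios (all names and results are made up for illustration).
FORGED_FROM_BOTNET = dict(from_domain="yahoo.com", spf_result="fail", spf_domain="botnet.example",
                          dkim_result="none", dkim_domain=None)          # direct domain abuse
COMPROMISED_ACCOUNT = dict(from_domain="yahoo.com", spf_result="pass", spf_domain="yahoo.com",
                           dkim_result="pass", dkim_domain="yahoo.com")  # stolen credentials
VIA_MAILING_LIST = dict(from_domain="yahoo.com", spf_result="pass", spf_domain="lists.example.org",
                        dkim_result="fail", dkim_domain="yahoo.com")     # list relay, signature broken

if __name__ == "__main__":
    for name, msg in [("forged From: from botnet", FORGED_FROM_BOTNET),
                      ("compromised account via provider", COMPROMISED_ACCOUNT),
                      ("relayed by mailing list", VIA_MAILING_LIST)]:
        print(f"{name}: {dmarc_disposition(RECORD, **msg)}")
```

The second scenario is the one the list admin reports seeing most: it is indistinguishable from legitimate mail at the DMARC layer, so p=reject neither helps nor hurts there.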