IETF Logo Mail Archive

RE: Enabling DMARC workaround code for all IETF/IRTF mailing lists

"MH Michael Hammer (5304)" <MHammer@ag.com> Fri, 11 May 2018 15:13 UTC

Return-Path: <MHammer@ag.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A92C312D94E for <ietf@ietfa.amsl.com>; Fri, 11 May 2018 08:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aF7Bx0i1_z33 for <ietf@ietfa.amsl.com>; Fri, 11 May 2018 08:13:22 -0700 (PDT)
Received: from agwhqht.amgreetings.com (agwhqht.amgreetings.com [207.58.192.31]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D56A1200C1 for <ietf@ietf.org>; Fri, 11 May 2018 08:13:22 -0700 (PDT)
Received: from USCLES544.agna.amgreetings.com ([fe80::f5de:4c30:bc26:d70a]) by USCLES533.agna.amgreetings.com ([::1]) with mapi id 14.03.0266.001; Fri, 11 May 2018 11:13:21 -0400
From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: John C Klensin <john-ietf@jck.com>, Alexey Melnikov <aamelnikov@fastmail.fm>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Enabling DMARC workaround code for all IETF/IRTF mailing lists
Thread-Topic: Enabling DMARC workaround code for all IETF/IRTF mailing lists
Thread-Index: AQHT6R3/hcwHJqV1jkuJ8o0vYGU8LKQq4v2A//++TDA=
Date: Fri, 11 May 2018 15:13:20 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B053743DE8B@USCLES544.agna.amgreetings.com>
References: <919855CA-9F77-420A-8B8F-79174CD2FC19@fastmail.fm> <61B1EDB45FC4FF33154B13B0@PSB>
In-Reply-To: <61B1EDB45FC4FF33154B13B0@PSB>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.144.6.88]
x-kse-attachmentfiltering-interceptor-info: protection disabled
x-kse-serverinfo: USCLES533.agna.amgreetings.com, 9
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean, bases: 5/11/2018 1:45:00 PM
x-kse-dlp-scaninfo: Skipped
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/xbwK7alkKVPkJLS1a47H32Sps64>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 15:13:25 -0000

John, I have to disagree with your comment in the appendix about a decline in bounce messages and changes/implementations such as DMARC. Joe Jobs and other abuse have been around a long time. Given a choice between constraining (some functionality) to mitigate/minimize damage and enabling large scale breakdowns of functionality due to abuse, I'll choose the former.  I guess it's a case of picking your poison. Adjust, don't conform.

Mike

P.S. At the end of this month I am leaving American Greetings and will no longer be participating using this account. I already use my dotzero@gmail.com account for some working groups and will switch participation on the ietf list to that account.

> -----Original Message-----
> From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of John C Klensin
> Sent: Friday, May 11, 2018 11:03 AM
> To: Alexey Melnikov; ietf@ietf.org
> Subject: Re: Enabling DMARC workaround code for all IETF/IRTF mailing lists
> 
> Alexey,
> 
> This may be the best that can be done given the degree to which DMARC is
> an attack on the mail system (those who don't understand that assertion
> should see the appendix below) but I think we should all be concerned about
> the trend it seems to represent.  Again, that is not a suggestion that we not
> do this (and wouldn't be one even if the decision had not yet been made),
> just a plea that we be very aware of, and document, the tradeoffs that are
> being made.
> 
> That said, I'm uncomfortable with using "=40" as a convention in the middle
> of an address.  First, there is nothing that supports the idea of encoded
> octets in the middle of local parts and, as you know, there is ample
> precedent for interpreting an equal sign in a local part as an indication of a
> name-value setup.  We haven't seen SMTPUTF8 addresses on the IETF list
> yet, but I think there is a strong case to be made that, if we are going to start
> encoding things, we should be encoding Unicode code points (e.g.,
>   "alexey\u'0040'example.com@dmarc.ietf.org" or
>   "alexey?utf8"?40?example.com@dmarc.ietf.org"
> ) rather than inventing yet another new system.   I don't think
> that is a good idea, in part because I encountered an example in the last 24
> hours that tries to use encoded words to deal with a non-ASCII local part
> (something the EAI WG considered and rejected and that, if performed in
> transit, is non-conformant with the SMTPUTF8 specs).  Any encoding trick like
> the above (or like just using "=40") is going to encourage that sort of
> "innovation".
> 
> With the understanding that I'm holding my nose while saying this (because I
> have been happy to see the convention fade from use), we already have a
> widely-supported and recognized convention for this type of encoding and I
> wonder why those who have been involved with this effort rejected it.  That
> would be to use
>   alexey%example.com@dmarc.ietf.org
> 
> just a thought.
> best,
>     john
> 
> 
> 
>     -------
> Appendix:
> 
> I've said this before but, to the degree to which the spam and other attacks
> which DMARC is intended to mitigate force us to change the mail system in
> ways that make it less functional, we are essentially admitting that the bad
> guys have won.  This is certainly not the only case and may not be the most
> important one.  For example, the mail system was designed on the
> assumption that delivery would be reasonably reliable, that non-delivery
> would be indicated by NDNs ("bounce messages"), and therefore that
> delivery or read acknowledgments would typically be unnecessary
> (important because they pose privacy problems).
> However, because of concern about blowback attacks, fewer and fewer sites
> are generating bounce messages, at least to unauthenticated senders.
> 
> Rules against tampering with or even inspecting message content in transit
> have also eroded due to the need to do malware
> filtering.   That is probably also the least-bad solution
> possible but takes us down a path similar to the switch from HTTP to HTTPS-
> based web connections: enterprises with concerns about attacks hidden
> behind the encryption have huge incentives, even a sense of necessity, to
> fake termination points and keys
> to allow content inspection at firewalls or the equivalent.
> 
> In each case, the bad guys may get frustrated in their immediate goals but
> the long-term effect is a narrowing of the functionality and reliability of the
> Internet.
> 
> 
> --On Friday, May 11, 2018 13:00 +0100 Alexey Melnikov
> <aamelnikov@fastmail.fm> wrote:
> 
> > Hi,
> > Many of you have seen several long discussions thread about DMARC and
> > how it affects use of IETF/IRTF mailing lists.
> >
> > After testing DMARC workaround code written by Henrik Levkowetz on
> > several high volume IETF and IRTF mailing lists (e.g. CFRG, WebRTC,
> > DMARC, QUIC), the tools team and the IESG decided that Henrik's code
> > should be deployed for all IETF and IRTF mailing lists. In particular
> > the workaround allows people from DMARC p=reject domains to
> > participate in IETF mailing lists, as well as to avoid the problem of
> > recipients being unsubscribed from mailing lists. These 2 issues were
> > the main reasons for developing the DMARC workaround code..
> >
> > The workaround will be deployed today, May 11th.
> >
> >
> > Below are some technical details on how the email address rewriting
> > workaround is going to work:
> >
> > Emails from domains that don't have a p=reject DMARC setting are not
> > going to be affected in any way.
> >
> > For emails from p=reject domains:
> >
> > - The From header field of such emails will be rewritten to be under
> > @dmarc.ietf.org domain (which will have a p=none policy). For example,
> > "alexey@example.com" email address would become
> > "alexey=40example.com@dmarc.ietf.org". The original From header field
> > will be preserved in the X-Original-From header field, which can be
> > used for automatic message processing by Sieve and Mail User Agents.
> >
> > Note that the mapping is reversible, so it is possible to send replies
> > or new messages to an original sender by sending them to the
> > corresponding mapped @dmarc.ietf.org email address.
> 
> 
>

v2.23.0 | Report a Bug | By Email