Re: [Shutup] [ietf-smtp] Proposed Charter for something

Chris Lewis <ietf@mustelids.ca> Thu, 10 December 2015 19:36 UTC

Return-Path: <ietf@mustelids.ca>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92E671AD366 for <shutup@ietfa.amsl.com>; Thu, 10 Dec 2015 11:36:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.043
X-Spam-Level: ***
X-Spam-Status: No, score=3.043 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FH_RELAY_NODNS=1.451, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNEn0PaNMq43 for <shutup@ietfa.amsl.com>; Thu, 10 Dec 2015 11:36:24 -0800 (PST)
Received: from stoat.mustelids.ca (unknown [174.35.246.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8615F1AD289 for <shutup@ietf.org>; Thu, 10 Dec 2015 11:36:24 -0800 (PST)
Received: from [192.168.0.6] (badger.mustelids.ca [192.168.0.6]) (authenticated bits=0) by stoat.mustelids.ca (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tBAJaFNd013774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 10 Dec 2015 14:36:16 -0500
To: Christian Huitema <huitema@huitema.net>, "'John Levine'" <johnl@taugh.com>, shutup@ietf.org
References: <20151210144814.GA16386@lapsedordinary.net> <20151210151541.68326.qmail@ary.lan> <09ee01d1337b$64881950$2d984bf0$@huitema.net>
From: Chris Lewis <ietf@mustelids.ca>
X-Enigmail-Draft-Status: N1110
Message-ID: <5669D42F.5050502@mustelids.ca>
Date: Thu, 10 Dec 2015 14:36:15 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
In-Reply-To: <09ee01d1337b$64881950$2d984bf0$@huitema.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/FsHgAQKqG5QZ9mfSidMIV1-LDCw>
Cc: martijn@lapsedordinary.net
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for something
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 19:36:25 -0000

On 12/10/2015 01:48 PM, Christian Huitema wrote:

> I am not sure I understand correctly, but it seems the reference to phishing
> is in the context of "impersonated users." Bob receives a mail that appears
> to come from "Alice@example.com." Everything matches, SPF, DKIM, DMARC. So
> Bob actually believes the mail comes from Alice, and opens the attachment.
> But the mail actually comes from the evil Eve, who somehow managed to
> acquire Alice's password, and submitted the phishing message by
> authenticating as Alice to Alice's MSA. In that context, if Bob's UA notices
> that the submission IP comes from Upper Nowheristan instead of the usual
> Mirrorland, Bob's UA could pop up a warning, or block the message. Is that a
> correct summary of the concern?

If all of these in place world wide (ha!), it would still only apply to 
a small percentage (generally <10%) of the phishing that tries to 
impersonate the email address completely.  Most phishes don't 
impersonate email addresses, just the "friendly" part of the From: line 
if that.

How does SPF/DKIM/DMARC help you with?

Subject: Alert!  Your American Express card has been compromised!
From: "AmericanExpress Accounts" <frazzum@razzum.bar>

[Especially if razzum.bar's DMARC lines up]

Right now the highest volume spam of all is blind-recipient spoofing on 
behalf of various (for the most part non-finance) companies, and the 
headers are all brand-specific and consistent - except for the 
DKIM-useful header bits which are just plain random.  And infects you 
(with Dyre/Dridex) if you fall for it - just like phishing, but 
infection not identity/account being the payload.

The lack of a unique id of some kind (relatively static in terms of spam 
burst durations), forces the ML (or less sophisticated filter) to treat 
all of the output of a given domain (or MTA) as equal, and it cannot use 
originator distinction to "help" the content filtering.  Which, as we 
well know, is extraordinarily difficult in the case of 419 and 
essentially impossible in the case of CEO phishing.