Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

2016-02-09 Thread Franck Martin via dmarc-discuss
On Mon, Feb 8, 2016 at 4:35 PM, Al Iverson via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> On Mon, Feb 8, 2016 at 1:51 PM, John R Levine via dmarc-discuss wrote:
> >> It is even worse than I thought, you really want to stop efforts in
> >> fighting phish, by muddling the waters between real domains and fake ones
> >
> > There's no muddling going on.  dmarc.fail is a real domain that should have
> > an excellent reputation since it sends no phish.
>
> I think Franck is right. It is muddying the waters by introducing a
> wholly other domain that has nothing to do with the list or the
> subscriber. Not seeing why anybody would recommend that as a best
> practice.
>

Not to mention this is also a privacy issue. Now the owner of dmarc.fail
has visibility on some traffic he/she should not see.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] I need an advice

2016-02-09 Thread Franck Martin via dmarc-discuss
My pleasure. Now watch out for Business Email Compromise (BEC) and Account
Take Over (ATO). Your domain is hosted via Google Apps; as they use DMARC
to filter incoming emails, nobody can now inject into your system an email
that would look internal (as per your domain name). This will help a
lot.

On Tue, Feb 9, 2016 at 2:01 AM, Denis Salicetti via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Hi Franck,
> you were right. A couple of weeks after introducing the reject policy, I
> noticed a decrease in Threat/Unknown sources and now I get just a few of
> those. It worked!
>
> Thank you very much.
>
> *Denis Salicetti* 

Re: [dmarc-discuss] I need an advice

2016-02-09 Thread Denis Salicetti via dmarc-discuss
Hi Franck,
you were right. A couple of weeks after introducing the reject policy, I
noticed a decrease in Threat/Unknown sources and now I get just a few of
those. It worked!

Thank you very much.

*Denis Salicetti*

Confidentiality notice | Send me protected messages

2016-01-19 23:13 GMT+01:00 Franck Martin :

> If you report for take down the URLs you get from the failure reports...
> Also until you moved to p=reject they would not have noticed a decrease in
> their success rates... Once it is not worth it, they will move to a softer
> target, or use a different method to achieve their goals.
>
> On Mon, Jan 18, 2016 at 3:54 PM, Denis Salicetti via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Hi Jacob,
>> thank you for your right consideration about the increase in the
>> deployment and implementation of DMARC reporting, because I think it
>> will be useful for me for a better assessment in future.
>>
>> At this particular moment though, DMARC reporting for my domain is more or
>> less the same as always.
>>
>> Best Regards.
>>
>> *Denis Salicetti*
>>
>> Confidentiality notice | Send me protected messages
>>
>> 2016-01-18 16:46 GMT+01:00 Jacob Evans :
>>
>>> Another thing to consider is the increase in the deployment and
>>> implementation of DMARC reporting; as more SMTP servers report SPF/DKIM
>>> failures, those numbers will also increase in the report aggregation.
>>>
>>> My $.02
>>> ~Jake
>>>
>>> Thank You,
>>>
>>> Jacob D. Evans
>>> Cloud Consultant
>>> 717.417.8324
>>>
>>> --
>>> *From: *"Denis Salicetti via dmarc-discuss" 
>>> *To: *"Matt Simerson" 
>>> *Cc: *"Denis Salicetti via dmarc-discuss" 
>>> *Sent: *Monday, January 18, 2016 10:36:58 AM
>>> *Subject: *Re: [dmarc-discuss] I need an advice
>>>
>>> Hi Matt,
>>> thank you very much for your kind reply.
>>>
>>> Best Regards.
>>>
>>> *Denis Salicetti*
>>>
>>> Confidentiality notice | Send me protected messages
>>>
>>>
>>> 2016-01-17 23:42 GMT+01:00 Matt Simerson :
>>>
>>>> This sounds quite "normal" in my experience.
>>>>
>>>> I started using DMARC for exactly this reason, when one of my domains
>>>> experienced increased spoofing attacks. In the years since, I've witnessed
>>>> this scenario play out in a dozen other domains I manage for my clients. In
>>>> every case, deploying DMARC for their domain with p=reject greatly reduces
>>>> the volume of bounces they receive, and the reports reveal the vast majority
>>>> of attacks originating in China and a smattering of other IPs from around the
>>>> world. Within weeks after deploying DMARC, the attacks on that domain tail
>>>> off and, in all but one case I've seen, don't recur.
>>>>
>>>> Matt
>>>>
>>>> PS: My sample size is too small to draw conclusions, but it seems that
>>>> shorter domain names are more likely to be abused.
>>>>
>>>> On Jan 17, 2016, at 2:08 PM, Denis Salicetti via dmarc-discuss <
>>>> dmarc-discuss@dmarc.org> wrote:
>>>>
>>>> Hi Guys,
>>>> I have had DMARC implemented for a long time with a p=none rule and a
>>>> minimal and sporadic number of Threat/Unknown sources, but recently I had
>>>> to increase to p=quarantine and then to p=reject because I'm having a lot
>>>> of Threat/Unknown sources (25% rate).
>>>> It seems that lately my domain is under serious attack. I'm pretty sure
>>>> I have zero impact on my legit email flow because each configuration is
>>>> good, therefore every Threat/Unknown source is not legit (most of all from
>>>> China).
>>>>
>>>> Can someone more experienced than me tell me if this rate is usual? Is
>>>> there something more that I can do to minimize it?
>>>>
>>>> Thank you very much.
>>>>
>>>> *Denis Salicetti*
>>>>
>>>> Confidentiality notice | Send me protected messages

Re: [dmarc-discuss] Sub-domain validation

2016-02-09 Thread Franck Martin via dmarc-discuss
Relaxed alignment means the identifier domain (SPF or DKIM) has the same
organizational domain as the domain in the RFC5322.From.

On Tue, Feb 9, 2016 at 1:36 PM, Brotman, Alexander via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Hello,
>
> I have a question about how to interpret a message for DMARC validation,
> relating to section 3.1.1, specifically:
>
>To illustrate, in relaxed mode, if a validated DKIM signature
>successfully verifies with a "d=" domain of "example.com", and the
>RFC5322.From address is "ale...@news.example.com", the DKIM "d="
>domain and the RFC5322.From domain are considered to be "in
>alignment".  In strict mode, this test would fail, since the "d="
>domain does not exactly match the FQDN of the address.
>
> We've encountered a situation where a sender has a DMARC record, and
> they've signed the message with "d=sub.example.com", and the 5322 From
> Domain is "example.com".  The record does not specify an adkim value, so
> it should default to relaxed.
>
> I'm reading the above as the "relaxed" selector should apply to
> "sub.example.com" and something like "foo.sub.example.com", but not to
> "example.com".  From the way the above reads, this part of the validation
> should fail as there isn't a valid DKIM signature available for the 5322
> domain.  Is this correct?
>
> Thank you
>
> --
> Alex Brotman
> Engineer, Anti-Abuse
> Comcast
> x5364

[dmarc-discuss] Sub-domain validation

2016-02-09 Thread Brotman, Alexander via dmarc-discuss
Hello,

I have a question about how to interpret a message for DMARC validation, 
relating to section 3.1.1, specifically:

   To illustrate, in relaxed mode, if a validated DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From address is "ale...@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment".  In strict mode, this test would fail, since the "d="
   domain does not exactly match the FQDN of the address.

We've encountered a situation where a sender has a DMARC record, and they've 
signed the message with "d=sub.example.com", and the 5322 From Domain is 
"example.com".  The record does not specify an adkim value, so it should 
default to relaxed.  

I'm reading the above as the "relaxed" selector should apply to 
"sub.example.com" and something like "foo.sub.example.com", but not to 
"example.com".  From the way the above reads, this part of the validation 
should fail as there isn't a valid DKIM signature available for the 5322 
domain.  Is this correct?

Thank you

--
Alex Brotman
Engineer, Anti-Abuse
Comcast
x5364




Re: [dmarc-discuss] Sub-domain validation

2016-02-09 Thread Roland Turner via dmarc-discuss
Brotman, Alexander wrote:

> I have a question about how to interpret a message for DMARC validation,
> relating to section 3.1.1, specifically:
>
>    To illustrate, in relaxed mode, if a validated DKIM signature
>    successfully verifies with a "d=" domain of "example.com", and the
>    RFC5322.From address is "ale...@news.example.com", the DKIM "d="
>    domain and the RFC5322.From domain are considered to be "in
>    alignment".  In strict mode, this test would fail, since the "d="
>    domain does not exactly match the FQDN of the address.
>
> We've encountered a situation where a sender has a DMARC record, and they've
> signed the message with "d=sub.example.com", and the 5322 From Domain is
> "example.com".  The record does not specify an adkim value, so it should
> default to relaxed.
>
> I'm reading the above as the "relaxed" selector should apply to
> "sub.example.com" and something like "foo.sub.example.com", but not to
> "example.com".  From the way the above reads, this part of the validation
> should fail as there isn't a valid DKIM signature available for the 5322
> domain.  Is this correct?

No. You appear to be confusing the quoted example (merely one case) with the 
spec (all possible cases).

- For a relaxed match the spec merely requires that the organisational domains 
be the same (which is true in each of the cases that you describe).
- The quoted example merely describes one situation, that being what an example 
is. The fact that there are other cases that don't match the example above 
doesn't mean that they aren't supported.

- Roland
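Franck's and Roland's answers both reduce to one test: under relaxed alignment the organizational domains must match, under strict alignment the domains themselves must. The following Python check is an added illustration for this thread, not code from the list or any of its members; the public suffix table inside it is a constructed stand-in for the real Public Suffix List, and the record parser and helper names are this example's own.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1): relaxed vs strict.

Constructed example for the thread above; not code from any list member."""

# Constructed stand-in for the Public Suffix List. A real checker must load
# the full list (https://publicsuffix.org/), as RFC 7489 section 3.2
# (Organizational Domain) directs.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. foo.sub.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so that co.uk wins over uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Suffix not in our table: fall back to the last two labels (an
    # assumption made for this example; the full list avoids this case).
    return ".".join(labels[-2:])


def parse_dmarc_record(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Does an authenticated identifier align with the RFC5322.From domain?

    mode 's' (strict): the two domains must match exactly.
    mode 'r' (relaxed): only the organizational domains must match, so the
    identifier may be a subdomain of From, or From a subdomain of it."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dkim_aligned(record: str, dkim_d: str, from_domain: str) -> bool:
    """Alignment of a verified DKIM d= under the sender's adkim tag.

    RFC 7489 defaults adkim to 'r' when the tag is absent, which is the
    situation Alex describes."""
    mode = parse_dmarc_record(record).get("adkim", "r")
    return aligned(dkim_d, from_domain, mode)


if __name__ == "__main__":
    no_adkim = "v=DMARC1; p=reject"
    # Alex's case: d= on a subdomain, From on the organizational domain.
    print(dkim_aligned(no_adkim, "sub.example.com", "example.com"))  # True
    # The RFC's own example, the other way round.
    print(dkim_aligned(no_adkim, "example.com", "news.example.com"))  # True
    # Strict mode only accepts an exact match.
    print(dkim_aligned(no_adkim + "; adkim=s", "sub.example.com", "example.com"))  # False
```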

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

2016-02-09 Thread John Levine via dmarc-discuss
> Not to mention this is also a privacy issue. Now the owner of dmarc.fail
> has visibility on some traffic he/she should not see.

Oh, come on.  The owner of dmarc.fail is me, and I assign the addresses
to mail that goes through my own web server.

R's,
John

Re: [dmarc-discuss] Experience 16 days with DMARC

2016-02-09 Thread Roland Turner via dmarc-discuss
I'd suggest a few things:

- You're looking a little too closely at daily changes, particularly around 
implementation time. Allow the thing some time to settle, perhaps a month, 
before considering next steps. Bear in mind that there are multiple, 
independent good and evil actors here, each reacting to the others all the 
time. This will take time to settle, a single day's (or week's) change is 
unlikely to be actionable. Note in particular that the larger receivers are 
almost certainly comparing their user feedback ("This is [not] Spam") with your 
DMARC policy ([un]authenticated messages that get reported as [not-]spam) as an 
input to their decision making. On the fairly small numbers that you're talking 
about, this calculation could take weeks to converge.
- The Forwarder and Threat/Unknown categories in Dmarcian are a mix of 
probabilistic assessments by email-receivers and by Dmarcian, not a reliable 
indication of what the email messages in question contain. They're interesting, 
but don't get hypnotised by them.
- How much is on-domain (vs. cousin-domain) impersonation costing you in 
fraud/support/churn losses? If it's costing you thousands of dollars a month, 
then by all means bring in the professionals. If you can't price it, or you 
haven't done so yet, or it's a trivial amount, then you're probably done.

- Roland


Roland Turner
Labs Director
Mobile: +65 9670 0022
3 Phillip Street, #13-03 Royal Group Building, Singapore 048693
www.trustsphere.com

From: dmarc-discuss  on behalf of Ben 
Greenfield via dmarc-discuss 
Sent: Sunday, 7 February 2016 18:42
To: dmarc-discuss
Subject: [dmarc-discuss] Experience 16 days with DMARC

First off, I think DMARC is great; I’m happy with it and want to try to use the
information to protect my domain name.

I have been using dmarcian.com to analyze the reports and any terminology I use 
should be considered in the context of their tools. Their tools are all I know… 
so far.

Since I started receiving DMARC reports and tracked down a few specific domain 
names from DMARC reports to actual emails, I’m comfortable with most of the 
traffic I see in Forwarders categories and it’s great to see some with 100% 
DKIM survival.

I’m assuming that most of the servers in the category of forwarder are just 
moving mail around the world.

Threat/Unknown I take to mean emails that have my domain in the from field
and are trying to deliver the forged email.

This has fluctuated from around 4200 when I started on Jan. 22nd to a low of
1900 emails on Jan. 30th; it then had a steady climb up to 5985 on Feb. 4th
before spiking to 15,516 on Feb. 5th.

I see these fluctuations reflected in SpamCop’s spam volume. Almost all the
heavy traffic is coming from, in order:

Vietnam
India
Brazil
UA
Russia


Is there anything I should be doing to try to clean up this problem?
Is DMARC the best I can do right now?

Thanks,
Ben






Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

2016-02-09 Thread Roland Turner via dmarc-discuss
Scott,

You're [still!] confusing multiple conceptions of trust, including at least:

1) trust in the intention and ability of multiple upstream forwarders to 
ARC-sign correctly,
2) trust in the lack of intention to abuse by the organisation at the other end 
of the SMTP connection, and
3) trust in the intention and ability of the organisation at the other end of 
the SMTP connection to make exactly the same decision about disposition of a 
particular message (in fact: of all messages) as you would.

Implicit in (3) are two additional assumptions that may or may not be true:
a) that the organisation at the other end of the SMTP connection has exactly 
one level of confidence in message disposition (this is patently not true; 
larger senders/forwarders routinely maintain discernibly separate pools in 
order to help receivers make better choices), and
b) that you have exactly one level of confidence in message disposition (this 
may well be true of you personally as it is of me, but it certainly isn't for 
larger forwarders).

For larger receivers, the ability to see upstream (only possible when they 
trust at least one of the upstream intermediaries to ARC sign correctly) allows 
better decision-making (e.g. about DMARC overrides) than does your apparent 
"the organisation at the other end of the SMTP connection is good/bad" 
dichotomy. Note in particular that the ability to test ARC signatures from 
forwarders upstream of the organisation at the other end of the SMTP connection 
allows for DMARC overrides to happen, specifically, in the situation where the 
receiver doesn't trust the organisation at the other end of the SMTP 
connection. Adding ARC makes this possible more frequently than DMARC+SPF+DKIM 
does.

- Roland




Roland Turner
Labs Director
Mobile: +65 9670 0022
3 Phillip Street, #13-03 Royal Group Building, Singapore 048693
www.trustsphere.com

From: dmarc-discuss  on behalf of Scott 
Kitterman via dmarc-discuss 
Sent: Monday, 8 February 2016 03:43
To: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

To start with, you'll have to explain why receivers should trust a sender to
not lie about where they got the mail from in an ARC header field if they don't
already trust the sender.

Scott K

On Sunday, February 07, 2016 11:14:12 AM Franck Martin via dmarc-discuss
wrote:
> ARC will help, but there are many mailing lists that don't have DKIM or
> even SPF. So even if ARC is available tomorrow, it may take years before
> mailing lists adopt any solution. So someone will have to make a stand, to
> get operators to deploy something.
>
> On Sun, Feb 7, 2016 at 10:10 AM, Al Iverson via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
> > The mailing list question can be a bit tricky. Yeah, the DKIM
> > signature is supposed to transport just fine, unless your MLM rewrites
> > any header or content that breaks the signature. And when you deal
> > with that, eventually you're going to run into list subscribers whose
> > posts get rejected by some other subscribers, due to the poster's
> > domain having a p=reject DMARC policy.
> >
> > I would say there's not a clear consensus on how best to handle
> > mailing lists in a DKIM+DMARC world. A bunch of email folks are
> > working on a standard called Authenticated Received Chain (ARC) that
> > would in theory help to address issues with mailing lists. (See
> > http://arc-spec.org/ ). But, we're a ways from being able to call that
> > a solution.
> >
> > I'm a mailing list operator myself, at probably about the same level
> > you are. (Instead of Mailman, I run a custom MLM that I wrote myself,
> > mostly as a programming exercise.) What I have chosen to do is strip
> > an existing DKIM signature, rewrite the from address if it appears to
> > be a domain that has a restrictive DMARC policy, and then sign it with
> > DKIM as the list domain. This works well for me, but not everybody
> > agrees that it's the best path. I'm not the only one to have done
> > something similar; Yahoo Groups, Google Groups, Mail-list.com and
> > OnlineGroups.net all send as the group instead of as the poster either
> > all the time or as needed; and mailman can be configured similarly.
> >
> > Here's a link to an overview of the various issues in play for mailing
> > lists, and info on what I and others have chosen to do to address it.
> > http://www.spamresource.com/2015/02/dmarc-mailing-lists-roundup.html
> >
> > Here's where to go to learn more about what you can do with Mailman:
> > http://wiki.list.org/DEV/DMARC
> >
> > Note: There will probably be at least one really angry reply to this
> > post telling me how horrible this is and that I broke mailing lists.
> > It'll be a rehash of an argument from more than a year ago. Truth be
> >