Re: [dmarc-discuss] FBL via DMARC?

2016-11-28 Thread Roland Turner via dmarc-discuss
I should have pointed out first that this question is unrelated to DMARC. At 
best, we're discussing a comparable "put a record in the DNS" configuration 
mechanism for requesting abuse reports. Note in particular that "put abuse 
contacts into abuse.net" already exists, and isn't being overwhelmed.


The principal means of addressing the privacy issues is the FBL signup process 
in which (a) the requester enters into an NDA and (b) the FBL service provider 
(typically a contractor to the receiver, rather than the receiver themselves) 
vets the applicant organisation and the individual's likely competence to 
execute the NDA. This can't be entirely automated, meaning that the benefits of 
universal access that DMARC provides aren't achievable.


- Roland


From: Gil Bahat 
Sent: Tuesday, 29 November 2016 13:33
To: Roland Turner
Cc: DMARC Discussion List
Subject: Re: [dmarc-discuss] FBL via DMARC?

Hi,

these are all solvable while still remaining within the DMARC domain: e.g. 
enabling detailed reports only after a specific signup procedure.

most large receivers do have a feedback loop in place, even though not all of 
them standard. standardization would be really helpful as well as allow better 
and easier FBL management.
I'd really like to see this in the DMARC standard, even if not everyone will 
apply it (e.g. DMARC failure reports). The privacy considerations are also 
apparently a non-issue as the overwhelming majority of mail providers (in fact 
everyone but google) provide email-level FBL reports - Yahoo, Hotmail, AOL, 
mail.ru, yandex, italia online, ...


Gil

On Tue, Nov 29, 2016 at 6:55 AM, Roland Turner via dmarc-discuss wrote:

I'd hazard a guess that confidentiality constraints get in the way here, for 
the same reason that most receivers won't provide DMARC failure reports, only 
aggregate reports.


Note that the feedback mechanism for receivers who wish to volunteer reports 
already exists - and is the origin of DMARC's ARF - that being to send to abuse 
contacts for the domain or the originating IP address. Those same 
confidentiality constraints mean that few receivers do so.


A further concern for spam filters in particular is that a receiver has to be 
confident that the domain-owner is a legitimate sender; if not, the abuse 
reports are a tuning tool for a spammer. No receiver wants to help this happen.


- Roland


From: dmarc-discuss on behalf of Jonathan Knopp via dmarc-discuss
Sent: Tuesday, 29 November 2016 12:22
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] FBL via DMARC?

Has there been any discussion about using DMARC to configure spam complaint 
feedback loops? Currently it is only feasible to register for the big ESPs and 
can be tough to keep them up to date. DMARC could make this automatic and 
universal. It would be well within DMARC's mandate of domain reputation 
protection since it would let you know quickly when someone has infiltrated 
your systems and is sending spam via your legitimate email path.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] FBL via DMARC?

2016-11-28 Thread Roland Turner via dmarc-discuss
I'd hazard a guess that confidentiality constraints get in the way here, for 
the same reason that most receivers won't provide DMARC failure reports, only 
aggregate reports.


Note that the feedback mechanism for receivers who wish to volunteer reports 
already exists - and is the origin of DMARC's ARF - that being to send to abuse 
contacts for the domain or the originating IP address. Those same 
confidentiality constraints mean that few receivers do so.


A further concern for spam filters in particular is that a receiver has to be 
confident that the domain-owner is a legitimate sender; if not, the abuse 
reports are a tuning tool for a spammer. No receiver wants to help this happen.


- Roland


From: dmarc-discuss on behalf of Jonathan Knopp via dmarc-discuss
Sent: Tuesday, 29 November 2016 12:22
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] FBL via DMARC?

Has there been any discussion about using DMARC to configure spam complaint 
feedback loops? Currently it is only feasible to register for the big ESPs and 
can be tough to keep them up to date. DMARC could make this automatic and 
universal. It would be well within DMARC's mandate of domain reputation 
protection since it would let you know quickly when someone has infiltrated 
your systems and is sending spam via your legitimate email path.

[dmarc-discuss] FBL via DMARC?

2016-11-28 Thread Jonathan Knopp via dmarc-discuss
Has there been any discussion about using DMARC to configure spam complaint 
feedback loops? Currently it is only feasible to register for the big ESPs and 
can be tough to keep them up to date. DMARC could make this automatic and 
universal. It would be well within DMARC's mandate of domain reputation 
protection since it would let you know quickly when someone has infiltrated 
your systems and is sending spam via your legitimate email path.


Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

2016-11-28 Thread Al Iverson via dmarc-discuss
Carl, this is great to hear. Thanks for sharing with us.

Best regards,
Al Iverson

--
Al Iverson
www.aliverson.com
(312)725-0130


On Fri, Nov 25, 2016 at 4:36 AM, Carl Windsor via dmarc-discuss wrote:
>>I would suggest a note saying that Fortinet's implementation is
>>known to be fatally buggy.
>
> Hi DMARC Group, I am the Product Manager @ Fortinet for FortiMail and can
> confirm that this was not by design but a bug.  As of 5.3 interim build 625
> we respect the p=none directive and this will be rolled in to the next patch
> release (5.3.8).
>
> Carl Windsor
>


Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

2016-11-28 Thread Petr Novák via dmarc-discuss

Well just so you know, I reported this bug to FortiNet almost a year
ago 2015-12-09. That was when FortiMail got the DMARC 
implementation (firmware 5.3.0). Since that time we contacted their 
support, which gave us the answer I posted. So we tried to change it by 
contacting local Fortinet's representative but all he could do was 
create a new feature request.


The problem is, when Fortinet's engineering says it's by design and not 
a bug there is nothing you can do to change that or maybe I just didn't 
have the right contacts high enough :).  Anyway I am glad they will fix it.



Regards
  Petr

Dne 28.11.2016 v 10:59 Roland Turner via dmarc-discuss napsal(a):

Petr,

Do you also kick small dogs? I'd suggest that a 2-week turnaround on
a bug that's non-critical for Fortinet's customers is pretty
impressive.

On the meaning of "by design", there are of course multiple designs
(intentions) present. Surely you're familiar with the tree-swing
project management cartoon? You know this happens all the time in
real engineering organisations, right?

http://www.tamingdata.com/wp-content/uploads/2010/07/tree-swing-project-management-large.png

 - Roland



Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

2016-11-28 Thread Roland Turner via dmarc-discuss
Petr,

Do you also kick small dogs? I'd suggest that a 2-week turnaround on a bug 
that's non-critical for Fortinet's customers is pretty impressive.

On the meaning of "by design", there are of course multiple designs 
(intentions) present. Surely you're familiar with the tree-swing project 
management cartoon? You know this happens all the time in real engineering 
organisations, right?

http://www.tamingdata.com/wp-content/uploads/2010/07/tree-swing-project-management-large.png

- Roland



From: dmarc-discuss on behalf of Petr Novák via dmarc-discuss
Sent: Friday, 25 November 2016 17:57
To: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail 
DMARC implementation
    
Well if it wasn't by design then how do you explain this reply from your
support team. quote:

"I've got feedback from engineering on this.
The current behavior is by design, the action for DMARC check failure is 
driven by the action next to the DMARC check (action-dmarc) no matter 
the DMARC policy (p=) setting."

Which then continued with:

"Thank you for the feedback. I agree that it would be nice to respect 
the "none" or give more control over what action should be done in which 
case.
But as per update from engineering the current FortiMail behavior is by 
design and there is no current plan to change the behavior."


Anyway I am glad that it will be fixed.

Regards
   Petr

Dne 25.11.2016 v 10:36 Carl Windsor via dmarc-discuss napsal(a):
> Hi DMARC Group, I am the Product Manager @ Fortinet for FortiMail and can 
> confirm that this was not by design but a bug.  As of 5.3 interim build 625 
> we respect the p=none directive and this will be rolled in to the next patch 
> release (5.3.8).
>
> Carl Windsor
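
An added illustration (not part of the thread, and not FortiMail code) of the difference discussed in these messages: applying a fixed local action on every DMARC failure versus honouring the published p= tag. Function names and the local_action parameter are hypothetical; the sp and pct handling follows RFC 7489 and goes beyond the p=none case mentioned in the thread.

```python
import random

# Constructed sample record for a domain that only wants monitoring.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:reports@example.com"

# RFC 7489: a message outside the pct sample gets the next-lower policy.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable policy record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in STEP_DOWN:
        return None
    return tags

def disposition_ignoring_policy(record_txt, local_action):
    """Behaviour described in the quoted support reply: a DMARC failure always
    triggers the locally configured action, whatever p= says (hypothetical model)."""
    return local_action

def disposition_honouring_policy(record_txt, is_subdomain=False, sample=None):
    """Action for a message that FAILED DMARC, taken from the domain owner's record."""
    tags = parse_dmarc(record_txt)
    if tags is None:
        return "none"                      # no usable record: DMARC requests nothing
    policy = tags["p"].lower()
    if is_subdomain and tags.get("sp", "").lower() in STEP_DOWN:
        policy = tags["sp"].lower()        # sp= overrides p= for subdomains
    try:
        pct = min(100, max(0, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100                          # unparseable pct falls back to the default
    roll = random.randrange(100) if sample is None else sample
    return policy if roll < pct else STEP_DOWN[policy]

if __name__ == "__main__":
    print("ignoring p=: ", disposition_ignoring_policy(SAMPLE_RECORD, "reject"))
    print("honouring p=:", disposition_honouring_policy(SAMPLE_RECORD))
```

With a p=none record, the first function still rejects failing mail, which is the effect on monitoring-only domains that the thread complains about; the second leaves delivery untouched.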