Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-31 Thread Roland Turner via dmarc-discuss

On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote:


1: Granted, the list becomes a priority list for compromise attempts

no spam indicator implies that the upstream ARC chain is faked.>>> You've lost 
me:

difficulty of substantiating statements like "I trust these guys not
to lie in ARC signing/sealing".>

>> This is the bit where I'm not following you. Failing to provide neighbourly
>> attention to the stream of mail coming out of your mail-server and failure to
>> accurately ARC sign appear to be orthogonal concerns. (They might be loosely
>> correlated to your level of diligence certainly, but are not otherwise causally
>> related.)
>
> They'd better be more than loosely correlated.  If you keep them orthogonal,
> you cannot make consistent assessments:
>
> My filtering ability is visible to the people I forward to.  Although targets
> don't see what I spare them, they can imagine.  If you receive spam from me,
> you lower my reputation.  Easy.
>
> OTOH, my good faith ARC signing has to be assumed.  To prove the opposite, you
> start with a message I forward to you; say it ARC-claims I received it from X.
> Afterwards, you need to contact X and have them deny they ever sent it.  A
> rather impractical method, especially since you need an X such that you can
> trust their word against mine.  How come?
>
> Orthogonality is broken by mandating filter-before-forward.  That way,
> receivers of ARC-signed, obvious spam can infer that the corresponding ARC
> signature is faked.  The better the filtering, the stronger the trust, and the
> more evident will a possible ARC key compromise be.  So, if you pardon my
> geometry-fictional wording, the "trust not to lie in ARC signing/sealing" gets
> measured by assessing its projection onto the filtering axis.


OK, I see what you're getting at (and therefore why you mentioned spam 
traps). As a [large] receiver, I would not be tackling it in this way at 
all, mostly because I don't get to ask any of the Xs what the truth is, 
but also because spam filtering and ARC signing really are largely 
orthogonal capabilities[1] (and to the extent that they're not, there's 
too much noise to make good use of the results). I would instead - to 
further extend the use of over-specified geometric analogies - be 
performing something akin to gravitational lensing:


 * For each of [tens of] thousands of domain names[2], I have from
   their email received directly an assessment of their expertise at
   ensuring that their email can be authenticated, broken down by
   stream (IP address, subnet, service provider, etc.).
 * For each forwarder, I can see how they're reporting authentication
   results for many of the same senders at the same IP addresses,
   assuming that SPF authentication results are included in ARC.
 * From this I can determine whether the forwarder is ARC-signing
   correctly. Note that this is different to comparing the forwarder's
   probabilistic spam filtering with my own; in the ARC-signing case
   there are correct actions and incorrect actions, and a large
   receiver has enough information to tell which a forwarder is doing.


Note that none of these steps has any relationship with spam which - 
given that spammers can (and do) cause their email to authenticate, and 
legitimate senders can (and do) fail to do so - is as it should be.


- Roland

1: Yes, it is likely that forwarders who are exceptionally good at spam 
filtering will tend to be really good at ARC signing, but most of the 
important information is about forwarders who aren't exceptionally good 
at filtering, so this correlation appears largely unimportant.
2: or registrants, to the extent that this information becomes available 
again once ICANN stops arguing absurdities in front of European courts 
and focuses on the actual problem
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
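
Added example, not part of the original message: a minimal sketch of the cross-check described in the three list items above, comparing the SPF results a forwarder reports in ARC against what the receiver has observed directly from the same sender streams. The sample data, the `MIN_DIRECT` threshold and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

MIN_DIRECT = 3  # assumed: direct observations needed before a stream is a usable reference


def build_baseline(direct):
    """Map (domain, ip) -> SPF result for streams seen directly and behaving consistently."""
    seen = defaultdict(Counter)
    for domain, ip, spf in direct:
        seen[(domain, ip)][spf] += 1
    baseline = {}
    for stream, results in seen.items():
        # Mixed results mean the sender itself is inconsistent; such a stream
        # cannot tell us whether a forwarder's report is right or wrong.
        if sum(results.values()) >= MIN_DIRECT and len(results) == 1:
            baseline[stream] = next(iter(results))
    return baseline


def score_forwarders(baseline, claims):
    """Per forwarder: (comparable claims, claims contradicting the direct baseline)."""
    scores = defaultdict(lambda: [0, 0])
    for forwarder, domain, ip, claimed in claims:
        expected = baseline.get((domain, ip))
        if expected is None:
            continue  # no stable direct reference for this stream; skip rather than guess
        scores[forwarder][0] += 1
        if claimed != expected:
            scores[forwarder][1] += 1
    return {fwd: tuple(counts) for fwd, counts in scores.items()}


# Constructed sample data (documentation domains and addresses, not real traffic).
# DIRECT: SPF results the receiver computed itself on directly received mail.
DIRECT = (
    [("a.example", "192.0.2.10", "pass")] * 4
    + [("b.example", "198.51.100.7", "fail")] * 3
    + [("c.example", "203.0.113.5", r) for r in ("pass", "fail", "pass")]
)
# CLAIMS: SPF results as reported by each forwarder in its ARC-Authentication-Results.
CLAIMS = [
    ("fwd-good.example", "a.example", "192.0.2.10", "pass"),
    ("fwd-good.example", "b.example", "198.51.100.7", "fail"),
    ("fwd-good.example", "c.example", "203.0.113.5", "pass"),  # unstable stream, ignored
    ("fwd-bad.example", "a.example", "192.0.2.10", "pass"),
    ("fwd-bad.example", "b.example", "198.51.100.7", "pass"),  # contradicts baseline
    ("fwd-bad.example", "b.example", "198.51.100.7", "pass"),  # contradicts baseline
]

if __name__ == "__main__":
    for fwd, (n, bad) in score_forwarders(build_baseline(DIRECT), CLAIMS).items():
        print(f"{fwd}: {bad}/{n} reported results contradict direct observation")
```

Nothing in the scoring looks at message content or spam verdicts; it only measures whether reported authentication results agree with independently observed ones.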

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-31 Thread Alessandro Vesely via dmarc-discuss
On Thu 31/May/2018 02:27:35 +0200 Roland Turner via dmarc-discuss wrote:
> On 31/05/18 02:31, Alessandro Vesely via dmarc-discuss wrote:
> 
> I took it as self-evident that I was describing a transition from an
> embedded list to a reputation data feed.
Got it :-)

> 1: Granted, the list becomes a priority list for compromise attempts
 no spam indicator implies that the upstream ARC chain is faked.>>> You've 
 lost me:
>> difficulty of substantiating statements like "I trust these guys not
>> to lie in ARC signing/sealing".>
> This is the bit where I'm not following you. Failing to provide neighbourly
> attention to the stream of mail coming out of your mail-server and failure to
> accurately ARC sign appear to be orthogonal concerns. (They might be loosely
> correlated to your level of diligence certainly, but are not otherwise causally
> related.)

They'd better be more than loosely correlated.  If you keep them orthogonal,
you cannot make consistent assessments:

My filtering ability is visible to the people I forward to.  Although targets
don't see what I spare them, they can imagine.  If you receive spam from me,
you lower my reputation.  Easy.

OTOH, my good faith ARC signing has to be assumed.  To prove the opposite, you
start with a message I forward to you; say it ARC-claims I received it from X.
Afterwards, you need to contact X and have them deny they ever sent it.  A
rather impractical method, especially since you need an X such that you can
trust their word against mine.  How come?

Orthogonality is broken by mandating filter-before-forward.  That way,
receivers of ARC-signed, obvious spam can infer that the corresponding ARC
signature is faked.  The better the filtering, the stronger the trust, and the
more evident will a possible ARC key compromise be.  So, if you pardon my
geometry-fictional wording, the "trust not to lie in ARC signing/sealing" gets
measured by assessing its projection onto the filtering axis.

Best
Ale