Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Scott Kitterman
That reads to me as guidance for DMARC implementers on how to integrate SPF and DKIM results for the purposes of DMARC. I think that's in scope for DMARCbis. There's a multitude of ways people can screw these things up and we won't be able to cover them all. The guidance needs to be somewhat

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread John R Levine
1) a receiver that will forward quarantined messages, and do so without changing the bounce address. Solution: Don't Do That. That's a confounding issue but not the root problem I think. Even if Microsoft were to implement keeping the bounce address, it just means that the spammer has to

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Wei Chuang
I don't think having this language is saying you can't do SPF. Rather this is about preventing new spoofing attacks on DMARC aligned identity. In particular where previously this attack was not possible on forwarders that honored the p=reject policy, now that they will downgrade to quarantine,

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Wei Chuang
On Sat, Aug 5, 2023 at 1:01 PM John Levine wrote:
> It appears that Tim Wicinski said:
> >A malicious sender needs two properties to perform such a SPF upgrade
> >attack:
> >
> >1) a receiver that will forward quarantined messages, and
> > do so without changing the bounce address.

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Douglas Foster
I am reluctant to consider DMARCbis ready to button-up unless we have at least a rough idea of how an evaluator uses it safely and appropriately in the real world.

Doug

On Sun, Aug 6, 2023, 2:38 PM Scott Kitterman wrote:
> On Sunday, August 6, 2023 2:10:35 PM EDT Hector Santos wrote:
> >
> >

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Wei Chuang
On Fri, Aug 4, 2023 at 2:11 PM Scott Kitterman wrote:
>
>
> On August 4, 2023 4:15:35 PM UTC, Wei Chuang 40google@dmarc.ietf.org> wrote:
> >I noted at the DMARC session -117, that with the p=reject downgrade to
> >quarantine language, this increases the risk of SPF upgrade attacks due to
>

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Scott Kitterman
On Sunday, August 6, 2023 2:10:35 PM EDT Hector Santos wrote:
> > On Aug 5, 2023, at 5:37 PM, Scott Kitterman wrote:
> >
> > On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
> >> It appears that Scott Kitterman said:
> When receivers apply the "MUST NOT reject" in Section 8.6

Re: [dmarc-ietf] Proposal for auth policy tag in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Wei Chuang
On Sun, Aug 6, 2023 at 8:50 AM Alessandro Vesely wrote:
> On Sun 06/Aug/2023 11:38:18 + Tim Wicinski wrote:
> >
> > On Sun, Aug 6, 2023 at 7:14 AM Alessandro Vesely wrote:
> >> On Sat 05/Aug/2023 22:24:28 + Tim Wicinski wrote:
> >>>
> >>> [...]
> >>>
> >>> 5.3. General Record Format
>

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Hector Santos
> On Aug 5, 2023, at 5:37 PM, Scott Kitterman wrote:
>
> On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
>> It appears that Scott Kitterman said:
When receivers apply the "MUST NOT reject" in Section 8.6 to accept unauthenticated messages as quarantined messages,

Re: [dmarc-ietf] Proposal for auth policy tag in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Alessandro Vesely
On Sun 06/Aug/2023 11:38:18 + Tim Wicinski wrote:
On Sun, Aug 6, 2023 at 7:14 AM Alessandro Vesely wrote:
On Sat 05/Aug/2023 22:24:28 + Tim Wicinski wrote:
[...]
5.3. General Record Format

auth: (comma-separated plain-text list of dmarc-methods; OPTIONAL; default is "spf,dkim")

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Scott Kitterman
On August 6, 2023 11:02:04 AM UTC, Alessandro Vesely wrote:
>On Sat 05/Aug/2023 21:37:31 + Scott Kitterman wrote:
>> On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
>>> It appears that Scott Kitterman said:
> When receivers apply the "MUST NOT reject" in Section 8.6 to

Re: [dmarc-ietf] Proposal for auth policy tag in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Tim Wicinski
On Sun, Aug 6, 2023 at 7:14 AM Alessandro Vesely wrote:
> On Sat 05/Aug/2023 22:24:28 + Tim Wicinski wrote:
> >
> > [...]
> >
> > 5.3. General Record Format
> >
> >
> > auth: (comma-separated plain-text list of dmarc-methods; OPTIONAL;
> default is "spf,dkim")
> >
> > Indicates the

Re: [dmarc-ietf] Proposal for auth policy tag in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Alessandro Vesely
On Sat 05/Aug/2023 22:24:28 + Tim Wicinski wrote:
[...]
5.3. General Record Format

auth: (comma-separated plain-text list of dmarc-methods; OPTIONAL; default is "spf,dkim")

Indicates the supported authentication methods. The order of the list is not significant and
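The following is an added illustration, not code from this thread, from dmarcbis, or from any DMARC implementation, of how a receiver-side evaluator could honor the proposed "auth" tag quoted above (comma-separated list, OPTIONAL, default "spf,dkim", order not significant). It assumes the proposal's intent that a method absent from the list does not count toward a DMARC pass, so a domain listing only "dkim" is not authenticated by an aligned SPF pass alone. The record parsing, alignment check and disposition logic follow RFC 7489; the organizational-domain step is deliberately simplified to the last two labels (a real evaluator uses the Public Suffix List or the dmarcbis tree walk), and the handling of empty or unknown method names as a record error is an assumption, since the quoted text does not say what to do with them. All message inputs are constructed.

```python
"""DMARC policy evaluation honoring the proposed "auth" tag (illustrative, not dmarcbis code)."""
from dataclasses import dataclass, field

KNOWN_METHODS = {"spf", "dkim"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def allowed_methods(tags: dict) -> set:
    """Apply the proposed 'auth' tag: comma-separated, OPTIONAL, default 'spf,dkim',
    order not significant. Empty lists and unknown names are treated as a record
    error (assumption: the proposal text does not specify this case)."""
    raw = tags.get("auth", "spf,dkim")
    methods = {m.strip().lower() for m in raw.split(",") if m.strip()}
    if not methods or not methods <= KNOWN_METHODS:
        raise ValueError(f"bad auth tag: {raw!r}")
    return methods


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption; a real
    evaluator uses the Public Suffix List or the dmarcbis tree walk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, rfc5322_from: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, anything else is relaxed."""
    if mode == "s":
        return candidate.lower() == rfc5322_from.lower()
    return org_domain(candidate) == org_domain(rfc5322_from)


@dataclass
class AuthResults:
    """Authentication results already computed for one message (constructed input)."""
    from_domain: str                          # RFC5322.From domain
    spf_result: str                           # 'pass', 'fail', 'none', ...
    spf_domain: str                           # domain SPF was checked on (MAIL FROM / bounce address)
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...]


def evaluate_dmarc(record_txt: str, r: AuthResults) -> dict:
    """Return the DMARC result, the methods it passed by, and the disposition p= requests."""
    tags = parse_dmarc_record(record_txt)
    methods = allowed_methods(tags)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    passed = []
    # SPF only counts when the record lists it AND the result is an aligned pass.
    if "spf" in methods and r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf):
        passed.append("spf")
    # Likewise DKIM: any one aligned passing signature is enough.
    if "dkim" in methods and any(
        res == "pass" and aligned(d, r.from_domain, adkim) for res, d in r.dkim
    ):
        passed.append("dkim")
    result = "pass" if passed else "fail"
    disposition = "none" if passed else tags.get("p", "none")
    return {"result": result, "via": passed, "disposition": disposition}


if __name__ == "__main__":
    # Constructed message: aligned SPF pass on the bounce address, no DKIM signature at all.
    msg = AuthResults("example.com", "pass", "example.com")
    print(evaluate_dmarc("v=DMARC1; p=reject", msg))             # pass, via ['spf']
    print(evaluate_dmarc("v=DMARC1; p=reject; auth=dkim", msg))  # fail, disposition 'reject'
```

The two calls at the bottom show the point of the proposal: the same message with an aligned SPF pass and no signature is a DMARC pass under the default "spf,dkim", but with "auth=dkim" the SPF result is simply not consulted and the record's p= disposition applies.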

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

2023-08-06 Thread Alessandro Vesely
On Sat 05/Aug/2023 21:37:31 + Scott Kitterman wrote:
On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
It appears that Scott Kitterman said:
When receivers apply the "MUST NOT reject" in Section 8.6 to accept unauthenticated messages as quarantined messages, receivers SHOULD

[dmarc-ietf] Messages from the dmarc list for the week ending Sun Aug 6 06:00:05 2023

2023-08-06 Thread John Levine
  Count     | Bytes          | Who
------------+----------------+-------------------
 56 ( 100%) | 517888 ( 100%) | Total
  7 (12.5%) |  51382 ( 9.9%) | Scott Kitterman
  6 (10.7%) |  85255 (16.5%) | Tim Wicinski
  6 (10.7%) |  37521 ( 7.2%) | Alessandro Vesely
  5 ( 8.9%) |  37075 ( 7.2%) | Murray S.