Have the national CIRT groups made an issue about needing to block non-existent domains?
  
 Because a spammer can create a non-existent government agency like "irs.audit.gov", this email weakness becomes a national security issue and should be handled as a CVE.  This should get the vendors moving.  Has it been done?
  
 If not, perhaps Mr Levy would be willing to start the process on behalf of uk.gov.
  
 Doug Foster
  
----------------------------------------
 From: "Scott Kitterman" <skl...@kitterman.com>
Sent: Sunday, April 7, 2019 10:00 PM
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs   
On Sunday, April 07, 2019 08:50:44 PM John Levine wrote:
> In article <c588c5eeec224162bffd080693c70...@bayviewphysicians.com> you write:
> > The problem:
> > Spammers use non-existent domains to achieve identity spoofing, such as
> >
> > tax.example.gov.uk
> >
> > This is primarily a reception problem, because many recipient mail filters
> > are not equipped to block this type of fraud. ..
>
> Right, and we can stop right there.
>
> A decent spam filter will treat a nonexistent From: domain or envelope
> bounce address as extremely suspicious and send the message into spam
> folder purgatory. If someone's filters aren't doing that, it is
> unlikely that they're paying much if any attention to DMARC, and no
> amount of fiddling with DMARC will make any difference.
>
> My mail server rejects anything with a non-existent bounce address at
> SMTP time and I don't think it's ever rejected anything my users would
> want.
>
> The solution to this problem is for mail systems to fix their filters,
> not to invent yet another mail-breaking hack that they won't use
> anyway.

Which mail breaking hack is that? Since PSD DMARC almost entirely applies to
domains that don't send mail, I don't think it breaks anything. It is in part
a tool to make hard rejects easier for receivers that don't typically reject
solely due to non-existence and in part a tool to provide feedback to PSD
operators so they can understand patterns of abuse in their namespace.

As I understand it, rejecting mail from non-existent domains is a long
standing, well-known tool for receivers. I hear you saying it works for you
in your circumstances, but that doesn't mean it scales. Given that rejecting
non-existent domains is a well established option, but not everyone does it,
what basis for optimism do you have that 'fix their filters' will change
anything?

If fixing filters was enough, would anyone have bothered to publish:

$ dig txt _dmarc.gov.uk +short
"v=DMARC1\;p=reject\;sp=none\;adkim=s\;aspf=s\;fo=1\;rua=mailto:dmarc-r...@dmarc.service.gov.uk\;ruf=mailto:dmarc-...@dmarc.service.gov.uk";

All PSD DMARC would do is make that record apply to domains lower in the tree
without their own DMARC record. It's not that complicated.

Fielding of DMARC did a huge amount of damage to the e-mail ecosystem that I'm
not convinced it will ever fully recover from, but PSD DMARC doesn't add to
it.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
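The policy walk Scott describes ("make that record apply to domains lower in the tree without their own DMARC record") is easy to get wrong in one detail: which tag of the parent record governs a non-existent subdomain. The following added example, written for this thread and not code from the IETF DMARC working group or any real resolver, models DMARC policy discovery with and without the PSD extension, using RFC 9091 semantics for the np tag (np applies to non-existent subdomains and defaults to sp, which defaults to p). The DNS records, the PSD registry, and the set of "existing" domains are all constructed stand-ins; the gov.uk record is the one quoted in the thread with the elided report mailbox local parts replaced by labelled placeholders, and gov.example and exampledept.gov.uk are hypothetical.

```python
"""Simplified DMARC policy discovery with the PSD DMARC extension (RFC 9091).

Self-contained model for illustration: no DNS is queried. Records, the PSD
registry and the "existing domain" set below are constructed for the example.
"""


# Constructed stand-in for the TXT record at _dmarc.<domain>.
# gov.uk: the record quoted in the thread; mailbox local parts are placeholders
#         because the thread elides them.
# gov.example: hypothetical PSD record that sets np=reject explicitly.
# exampledept.gov.uk: hypothetical organisational domain with its own record.
DMARC_RECORDS = {
    "gov.uk": ("v=DMARC1;p=reject;sp=none;adkim=s;aspf=s;fo=1;"
               "rua=mailto:RUA-PLACEHOLDER@dmarc.service.gov.uk;"
               "ruf=mailto:RUF-PLACEHOLDER@dmarc.service.gov.uk"),
    "gov.example": "v=DMARC1; p=reject; sp=none; np=reject",
    "exampledept.gov.uk": "v=DMARC1; p=quarantine",
}

# Constructed PSD registry (in practice: the Public Suffix List plus the
# PSD DMARC registry).
PUBLIC_SUFFIX_DOMAINS = {"uk", "gov.uk", "example", "gov.example"}

# Constructed set of domains that resolve (A/AAAA/MX). Anything else is
# treated as non-existent, which is what DMARC means by "non-existent".
EXISTING_DOMAINS = {"gov.uk", "exampledept.gov.uk", "gov.example"}


def parse_record(txt):
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    """Label immediately below the longest matching public suffix.

    Returns None when the domain is itself a PSD.
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIX_DOMAINS:
            return None if i == 0 else ".".join(labels[i - 1:])
    return domain


def subdomain_policy(tags, nonexistent):
    """Policy a parent record imposes on a subdomain.

    RFC 7489: sp defaults to p. RFC 9091: np (non-existent subdomains)
    defaults to sp.
    """
    p = tags.get("p", "none")
    sp = tags.get("sp", p)
    return tags.get("np", sp) if nonexistent else sp


def discover_policy(from_domain, psd_dmarc=True):
    """Return (policy, domain_whose_record_applied), or (None, None)."""
    # 1. The From: domain publishes its own record: p applies.
    if from_domain in DMARC_RECORDS:
        return parse_record(DMARC_RECORDS[from_domain]).get("p", "none"), from_domain

    nonexistent = from_domain not in EXISTING_DOMAINS

    # 2. Organisational domain record: sp or np applies.
    org = organizational_domain(from_domain)
    if org and org in DMARC_RECORDS:
        return subdomain_policy(parse_record(DMARC_RECORDS[org]), nonexistent), org

    if not psd_dmarc:
        return None, None  # classic DMARC stops here

    # 3. PSD DMARC: nearest ancestor PSD that publishes a record (simplified
    #    to a walk up the labels).
    labels = from_domain.split(".")
    for i in range(1, len(labels)):
        psd = ".".join(labels[i:])
        if psd in PUBLIC_SUFFIX_DOMAINS and psd in DMARC_RECORDS:
            return subdomain_policy(parse_record(DMARC_RECORDS[psd]), nonexistent), psd
    return None, None


if __name__ == "__main__":
    for domain in ("tax.example.gov.uk", "irs.audit.gov.example",
                   "mail.exampledept.gov.uk", "gov.uk"):
        print(domain, discover_policy(domain, psd_dmarc=False),
              discover_policy(domain, psd_dmarc=True))
```

Run as-is, the thread's own example shows the caveat: tax.example.gov.uk gets no policy at all without PSD DMARC, and with it the gov.uk record does apply, but because that record has sp=none and no np tag the inherited policy is none, not reject. Only a PSD record that sets np=reject (the hypothetical gov.example one here) turns a non-existent subdomain into a hard reject.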