On Fri, Jun 5, 2020 at 5:26 PM Jim Fenton <fen...@bluepopcorn.net> wrote:
> On 6/4/20 10:39 PM, Dotzero wrote:
>
> > The goal of DMARC was (and is) to mitigate direct domain abuse. Nothing more and nothing less. It helps receiving systems identify a (correctly) participating domain's mail. That is why a DMARC policy is often described as a sending domain's request and local policy is so important (and can override that request).
>
> I'm not clear on what kind of direct domain abuse you're referring to. If we accept that domain names are either not visible or are ignored by the recipient, the domain name doesn't matter much as long as the attacker can get their message delivered, and DMARC doesn't apply because they're using their domain.

The type of direct domain abuse where someone attempts to send a message using <fen...@bluepopcorn.net> in the From email address field. As I wrote earlier, the combination of SPF/DKIM/DMARC is a tool that accomplishes a narrow goal. It is not a silver bullet that solves all forms of abuse. It can be used to mitigate a specific type of abuse.

> > For attackers that deploy DMARC it simply means that they are self identifying their malicious messages as theirs.
>
> No, DKIM and SPF do that. DMARC doesn't have anything to do with identifying messages.

As with SPF and DKIM, some abusers were quick to implement DMARC in addition to SPF and/or DKIM on the theory that it makes their email appear more legitimate to receivers. Just one more nail in the coffin.

> > For Sending domains, SPF/DKIM/DMARC is only one set of tools in protecting their brand from abuse. It protects end users from abuse. In fact, in many cases the individuals most susceptible to falling prey to such abuse may not even be customers of that sending domain. No, that greeting card you received isn't legit (Nobody loves you). No, that retailer isn't giving you a $200 gift card. This is why other tools like takedowns are so important and why the removal of registrant information from domain registrations has enabled abusers.
>
> So maybe the core question here is, does the identity in the domain name matter or not? It does to me personally because I look at it (whenever I can -- my iPhone doesn't make it easy to display) and I pay attention to it. But I know I'm not a typical user, and I also see increasing evidence of mail client software that doesn't show anything but the Friendly Name. So is there a "brand" associated with the email domain name any more?

There is. Don't get hung up on what is displayed to the end user. Think about the reporting aspect. In my previous incarnation we were able to initiate takedowns and/or blocking by 3rd parties much more quickly based on DMARC reports than simply waiting for end user complaints to customer service or abuse@.

> If the domain name doesn't matter, the binding to the From/Signer address doesn't either.
>
> -Jim

It does matter for the specific abuse scenario. Those particular abusive mail streams never get to the end user recipient. I'm basing this on my experience on a corpus of billions of emails sent for what had been previously highly abused domains/brands. For other types of abuse we implemented other types of mitigation approaches. Collectively those approaches reduced abuse by over 95%. The goal was to reduce ROI for the bad guys to the point that they would look for greener pastures.

You are implying/assuming that DMARC solves the problem of a wider scope of abusive email types than it does. The Display Name (Mail From) is a particularly thorny problem to solve in that it is not tied to anything in that it is a free form field into which anything can be entered.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
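The distinction argued in the message above, between direct domain abuse that a receiver's DMARC alignment check rejects and display-name abuse that the check never looks at, as an added receiver-side sketch (not code from the thread or from any DMARC implementation). The function names, the sample headers and the two-label organizational-domain shortcut are assumptions; a real receiver uses the Public Suffix List and its own SPF/DKIM verification results.

```python
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # implementations determine it with the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain):
    # Relaxed identifier alignment: the authenticated domain must share the
    # organizational domain of the RFC5322.From domain.
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_header, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (display_name, from_domain, dmarc_pass).

    spf_pass_domain:  RFC5321.MailFrom domain that passed SPF, or None.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None.
    """
    display_name, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    # DMARC passes if either authenticated identifier aligns with From.
    # The display name takes no part in the decision.
    passed = aligned(from_domain, spf_pass_domain) or aligned(from_domain, dkim_pass_domain)
    return display_name, from_domain, passed


# Constructed sample messages: (From header, SPF-passing domain, DKIM d= domain)
SAMPLES = {
    "legitimate": ('"Example Bank" <alerts@bank.example>', "bounce.bank.example", "bank.example"),
    "direct_domain_abuse": ('"Example Bank" <alerts@bank.example>', "attacker.example", None),
    "display_name_abuse": ('"Example Bank" <promo@attacker.example>', "attacker.example", "attacker.example"),
}


def evaluate_samples():
    return {name: dmarc_evaluate(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, (display, domain, passed) in evaluate_samples().items():
        print(f"{name:20} display={display!r:15} from_domain={domain:17} "
              f"dmarc={'pass' if passed else 'fail'}")
```

The second sample fails because nothing authenticated aligns with the From domain; the third passes while carrying the same display name, since the sender authenticated its own domain.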