> -----Original Message----- > From: Dave Crocker <dcroc...@gmail.com> > Sent: 25 June 2020 14:36 > To: David I <davi...@ncsc.gov.uk> > Cc: IETF DMARC WG <dmarc@ietf.org> > Subject: Re: [dmarc-ietf] What if... Sender: > > On 6/25/2020 1:54 AM, David I wrote: > > Without forcing alignment to 'From', an attacker can set their own 'Sender', > set a 'From' they're not entitled to use that's of a trusted contact, and the > DMARC associated with the abused domain in the 'From' has no effect and > can't be used for filtering. So while you could so a similar filter on > Sender, it > wouldn't be as useful, and would provide less security benefit. > > Why is it useful in the From:? Seriously.
Because the claimed author is an important aspect of any kind of trust calculation on an email, human or automated. So an aligned, authenticated 'From' is a strong signal. > > Since the utility of DMARC has nothing to do with recipient end-user > decision-making, I don't really understand this assertion. The DMARC spec suggests for p=quarantine that unauthenticated mail ends up in a spam folder. It's assumed that users are less likely to open and trust mail in their spam folder (though it's not 100% of course). So yes, the utility of DMARC has something to do with end-user decision making. why is DMARC's use of From: automatically better than > having DMARC use Sender:? Because the From field is used by software to understand where an email came from, and apply UI, filters, and warnings. I'd be fine if both had to align - that would seem likely to work for the secretary usecase for Sender in RFC 5322, and intra-company mailing lists, but not the generic mailing list case. > > Attackers do all sorts of bad things. Some of those bad things don't actually > matter. They might be unauthorized, ill-intended, and even make you or me > uncomfortable. But they don't actually have any effect on getting bad mail > delivered to recipients nor an effect on those recipients. Bad actors try all > sorts of stuff. Agreed. It's possible for bad actors to compromise mailboxes to bypass current DMARC based filtering. So is DMARC pointless? No, because it increases the cost and complexity of the attack, which is a positive thing. > > So pointing out what an attacker might or will do doesn't end the argument. > What matters is the /effect/ of their actions, not the theory of their > actions. The effect would be to phish people more successfully by evading the current DMARC checks on From alignment and filters/detections based on cousin domains. > > > >> I suspect that very little -- if any -- of the current use of DMARC > >> relies on an end-user's address book. > >> > >> It's definitely the case that there are popular email services doing > filtering/alerting based on addressbooks/known contacts, and I'm confident > that DMARC's ability to force use of cousin/alternative domains makes this > more effective. > > I did not say that address books are not used in some filtering work. > > I said that I doubted that it is relevant to DMARC use. Feel free to document > counter-examples. Not sure how to do that because it's an indirect effect. DMARC forces bad actors to cousin domains, and the filtering is on that. Will give it some thought. David This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfo...@ncsc.gov.uk. All material is UK Crown Copyright © _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
