On Thu 24/Nov/2022 22:57:51 +0100 Dotzero wrote:
> On Thu, Nov 24, 2022 at 2:22 PM Neil Anuskiewicz <n...@marmot-tech.com> wrote:
>> On Nov 24, 2022, at 7:10 AM, Dotzero <dotz...@gmail.com> wrote:
>>> On Tue, Nov 15, 2022 at 12:29 PM Douglas Foster
>>> <dougfoster.emailstanda...@gmail.com> wrote:
>>>> Your solution is straightforward, but I am not sold.
>>>>
>>>> DMARC PASS means that the message is free of author impersonation. This
>>>> can only be true if all authors are verifiable and verified.
>>>
>>> This is absolutely not true. An attacker can use homoglyphs, cousin
>>> domains and other means of impersonating a sender. An attacker can
>>> impersonate a sender within the same domain and DMARC will happily give a
>>> pass because the right hand side of the from address matches. Author !=
>>> sending domain. DMARC only addresses direct domain impersonation.
>>
>> Can we assume that in the context of DMARC, passing means passing with
>> alignment when it stops exact domain impersonation? I think we can assume
>> that nobody on this list thinks me using my own passing spf and dkim with
>> sketchythreatactor.com and spoofing your header from isn't what anyone
>> means by pass in this context. If the effect can stop impersonation it's
>> ipso facto in alignment.
>
> In the context of a standards working group, no, we cannot assume anything.
> There have been plenty of misstatements and factually incorrect statements
> in this group. This includes "DMARC PASS means that the message is free of
> author impersonation". DMARC pass means it passed DMARC validation. If a
> homoglyph From email address passes DMARC validation, there has indeed been
> impersonation of the purported From address. And for purposes of DMARC,
> Author is not necessarily the same as From. We've had that discussion
> multiple times before.

Some mail sites don't allow users to arbitrarily change From:. That way, the
authenticity of the identity is granted. Other mail sites allow users to freely
set From:. Since they sign it, it goes without saying that any question about
the true identity of the author passes through the domain admin.

About homoglyphs, there are studies on the subject. For example, it is
possible to distinguish mixed alphabets. It is a hard task. Certainly, it
makes no sense to work on it until the mode is to not reject blatant
impersonations. In a sense, we're working at the preparatory step.
Best
Ale
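The two technical points in this exchange, that a DMARC pass requires an authenticated identifier to be aligned with the RFC5322.From domain (so an attacker's own passing SPF/DKIM on sketchythreatactor.com does not help them), and Ale's remark that mixed alphabets in a homoglyph domain can be distinguished, are illustrated below in Python. This is an added example written for this page, not code from the thread or from any DMARC implementation. It assumes a toy stand-in for the Public Suffix List (`PUBLIC_SUFFIXES`) and identifies scripts by the first word of each letter's Unicode character name; the sample domains other than sketchythreatactor.com are constructed.

```python
"""Added example: RFC 7489 identifier alignment plus a mixed-script check
on the From: domain. Not from the mailing-list thread."""
import unicodedata

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# Real code would load the full list; this set is an assumption for the example.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_pass(from_domain, spf_domain=None, spf_pass=False,
               dkim_domain=None, dkim_pass=False, aspf="r", adkim="r"):
    """DMARC passes only if SPF or DKIM both passed AND is aligned with the
    RFC5322.From domain. A passing but unaligned identifier does not count,
    which is why an attacker's own SPF/DKIM on their own domain fails here."""
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(from_domain, spf_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(from_domain, dkim_domain, adkim))
    return spf_ok or dkim_ok


def to_unicode(domain: str) -> str:
    """Decode A-labels (xn--...) to U-labels so letters can be inspected.
    Domains already containing non-ASCII are returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> list:
    """Labels whose letters come from more than one script, e.g. a Cyrillic
    'a' dropped into an otherwise Latin label. Such a From: domain can pass
    DMARC for its own (look-alike) domain while still impersonating."""
    return [lbl for lbl in to_unicode(domain).split(".")
            if len(label_scripts(lbl)) > 1]


if __name__ == "__main__":
    # Neil's scenario: attacker's own passing SPF and DKIM, spoofed From.
    print(dmarc_pass("example.com",
                     spf_domain="sketchythreatactor.com", spf_pass=True,
                     dkim_domain="sketchythreatactor.com", dkim_pass=True))
    # Constructed look-alike: "ex\u0430mple.com" with a Cyrillic a (U+0430).
    print(mixed_script_labels("ex\u0430mple.com"))
```

The alignment check is deliberately separate from the authentication result: a verifier must feed it the SPF-authenticated domain and the DKIM `d=` domain, not just the pass/fail flags. The mixed-script check only flags a single label mixing scripts; whole-label substitutions in another script (a fully Cyrillic look-alike) need the confusable tables Ale alludes to and are out of scope here.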
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc