On Wed, Sep 21, 2022 at 2:47 AM Alessandro Vesely via mailop <mailop@mailop.org> wrote:

> On Tue 20/Sep/2022 16:59:36 +0200 John R Levine via mailop wrote:
> >>> As I think I've mentioned many times before, the problem that ARC solves is
> >>> that legit lists leak spam because they often do no filtering other than
> >>> checking that the From: address is a subscriber. ...
> >>
> >> Maybe the lists I hang out at have superior filtering than average, or maybe
> >> it's because I ignore big gorillas' point of view, but I hardly see how that
> >> helps. ...
> >
> > People from Google have told me that's why they want ARC rather than just
> > whitelisting mail from lists.
> >
> > If you think they're lying, not much I can do about that.
>
> I never said I don't believe.  I said I cannot understand how they can better
> filter by knowing the Authentication-Results: obtained by the MLM.  Wouldn't
> an MLM reject a post arriving with dmarc=fail and p=reject?  (And I'd presume
> they moderate failures with p=quarantine.)
>

Even if you assume that the MLM implements DMARC, the problem is the next hop.
If the MLM doesn't rewrite the From, but does modify the message, then it's
guaranteed to fail DMARC on the next hop.

What ARC allows us to do is go, do we trust the MLM?  Then we can look at
the AuthRes and see if DKIM/SPF passed.

Now, we could just trust the MLM and ignore DMARC and re-use the AuthRes
header, but it's not overly clear what AuthRes header to use, and that only
works for one hop.  We did at one point consider a "relay uses DKIM and re-use
the AuthRes" but that has several failure scenarios that ARC does not.

> What I read in assorted messages by Brandon is that they consider all signals
> together, assigning weights extrapolated from a worldwide set of user behavior.
> Of course I don't understand how that works.  I wonder if they do.  Slavko
> said he tried that sort of thing using rspamd but it didn't work.  So, how can
> ARC be used by mere mortals?
>

That's how the ML models work; they are not the only mechanism that we use.

And ARC is, unfortunately, not really used yet (last I knew).


> You said you plan to start by believing ARC from everyone, and un-trust sites
> that show up sending ARC'ed spam where the chain looks dodgy.  Good luck!  I do
> blacklist domains that send blatant spam and find it very ineffective.
>

For the smallest senders, the easiest thing to do is add ARC domains to
allow/deny lists.  It would be fairly simple to do so since a single user will
get a fairly limited set of relays/MLMs.

You could partially automate the allowlist by watching for mail that your
users send that comes back via ARC, comparing, and considering that as
validation and allowlist.

If you have volume, you can extend that to all users, and share the result,
i.e. match up the sender and receiver on your system, with the ARC signing
domains in between them.

There may need to be some level of protection for deliberate bad actors, I
haven't really thought that completely through.

Another option is to use spam percentage as a proxy for trust, i.e. send the
mail through your spam detector, and keep a reputation for the ARC signing
domain (some incremental way of keeping track of spam/ham percentage with an
exponential decay).  This is what likely maps most directly for existing large
scale antispam systems.

Another option would be a shared system like DNSWL.

At scale, I think you can do a decent job with this.  The unfortunate part is
that none of this will help for spear phishing.

Brandon
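As an added illustration of the "spam percentage as a proxy for trust" option above (example code written for this thread, not anything Brandon or Google runs): the ARC sealing domains are pulled from the message, each keeps an exponentially decayed spam fraction fed by the local spam detector, and a local dmarc=fail is overridden only when every sealer is trusted and the first sealer's ARC-Authentication-Results recorded dmarc=pass. The headers, domains, alpha and thresholds are constructed, and header folding and ARC signature verification are assumed to have been handled upstream.

```python
import re
# Constructed sample: a post relayed by a list that modified the body (so the
# receiver's own DKIM/DMARC check fails) but sealed the pre-modification results.
SAMPLE_HEADERS = """\
ARC-Seal: i=1; a=rsa-sha256; t=1663700000; cv=none; d=lists.example.org; s=arc; b=c2VhbA==
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.org; s=arc; h=from:to:subject; bh=Ymg=; b=c2ln
ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mailfrom=sender.example.com; dkim=pass header.d=sender.example.com; dmarc=pass header.from=sender.example.com
Authentication-Results: mx.receiver.example; dkim=fail; dmarc=fail (p=reject) header.from=sender.example.com
From: Someone <someone@sender.example.com>
"""

def _tags(value):
    """Split 'k=v; k=v' into a dict (base64 padding '=' stays inside the value)."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def arc_sets(headers):
    """Map ARC instance i -> {'d': sealing domain, 'aar': ARC-Authentication-Results}."""
    sets = {}
    for name, value in re.findall(r"^(ARC-[A-Za-z-]+):\s*(.*)$", headers, re.M):
        tags = _tags(value)
        entry = sets.setdefault(int(tags.get("i", "0")), {})
        if name.lower() == "arc-seal":
            entry["d"] = tags.get("d", "").lower()
        elif name.lower() == "arc-authentication-results":
            entry["aar"] = value.lower()
    return sets

class ArcReputation:
    """Per-domain spam fraction kept as an exponentially decayed average (alpha constructed)."""
    def __init__(self, alpha=0.1, deny_above=0.5, min_seen=10):
        self.alpha, self.deny_above, self.min_seen = alpha, deny_above, min_seen
        self.rate, self.seen = {}, {}

    def record(self, domain, is_spam):
        prev = self.rate.get(domain, 0.0)
        self.rate[domain] = prev + self.alpha * (float(is_spam) - prev)
        self.seen[domain] = self.seen.get(domain, 0) + 1

    def trusted(self, domain):
        # Unknown or barely seen domains are never trusted: no history, no override.
        return self.seen.get(domain, 0) >= self.min_seen and self.rate[domain] <= self.deny_above

def override_dmarc_fail(headers, rep):
    """True if every ARC sealer is trusted and the first sealer recorded dmarc=pass."""
    sets = arc_sets(headers)
    if not sets or not all(rep.trusted(s.get("d", "")) for s in sets.values()):
        return False
    first = sets[min(sets)]  # i=1: the hop closest to the original sender
    return "dmarc=pass" in first.get("aar", "")
```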
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
