[dmarc-ietf] Barry Leiba's No Objection on draft-ietf-dmarc-eaiauth-05: (with COMMENT)

2019-04-07 Thread Barry Leiba via Datatracker 
Barry Leiba has entered the following ballot position for
draft-ietf-dmarc-eaiauth-05: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-eaiauth/



--
COMMENT:
--

— Section 4 —

   An IDN in MAIL FROM can
   be either U-labels or A-labels.

There’s a number agreement error here.  Make it “...can use...,” (or “can
include”) and I think that fixes it.


___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] Rethinking DMARC for PSDs

2019-04-07 Thread Scott Kitterman 
On Sunday, April 07, 2019 08:50:44 PM John Levine wrote:
> In article  you 
write:
> > The problem:
> > Spammers use non-existent domains to achieve identity spoofing, such as
> >
> >tax.example.gov.uk
> >
> > This is primarily a reception problem, because many recipient mail filters
> >
> >are not equipped to block this type of fraud. ..
> 
> Right, and we can stop right there.
> 
> A decent spam filter will treat a nonexistent From: domain or envelope
> bounce address as extremely suspicious and send the message into spam
> folder purgatory.  If someone's filters aren't doing that, it is
> unlikely that they're paying much if any attention to DMARC, and no
> amount of fiddling with DMARC will make any difference.
> 
> My mail server rejects anything with a non-existent bounce address at
> SMTP time and I don't think it's ever rejected anything my users would
> want.
> 
> The solution to this problem is for mail systems to fix their filters,
> not to invent yet another mail-breaking hack that they won't use
> anyway.

Which mail breaking hack is that?  Since PSD DMARC almost entirely applies to 
domains that don't send mail, I don't think it breaks anything.  It is in part 
a tool to make hard rejects easier for receivers that don't typically reject 
solely due to non-existence and in part a tool to provide feedback to PSD 
operators so they can understand patters of abuse in their namespace.

As I understand it, rejecting mail from non-existent domains is a long 
standing, well-known tool for receivers.  I hear you saying it works for you 
in your circumstances, but that doesn't mean it scales.  Given that rejecting 
non-existent domains is a well established option, but not everyone does it, 
what basis for optimism do you have  that 'fix their filters' will change 
anything?

If fixing filters was enough, would anyone bothered to have published:

$ dig txt _dmarc.gov.uk +short
"v=DMARC1\;p=reject\;sp=none\;adkim=s\;aspf=s\;fo=1\;rua=mailto:dmarc-
r...@dmarc.service.gov.uk\;ruf=mailto:dmarc-...@dmarc.service.gov.uk;

All PSD DMARC would do is make that record apply to domains lower in the tree 
without their own DMARC record.  It's not that complicated.

Fielding of DMARC did a huge amount of damage to the e-mail ecosystem that I'm 
not convinced it will ever fully recover from, but PSD DMARC doesn't add to 
it.

Scott K

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] Rethinking DMARC for PSDs

2019-04-07 Thread John Levine 
In article  you write:
> The problem:
>   Spammers use non-existent domains to achieve identity spoofing, such as 
>tax.example.gov.uk 
> This is primarily a reception problem, because many recipient mail filters 
>are not equipped to block this type of fraud. ..

Right, and we can stop right there.

A decent spam filter will treat a nonexistent From: domain or envelope
bounce address as extremely suspicious and send the message into spam
folder purgatory.  If someone's filters aren't doing that, it is
unlikely that they're paying much if any attention to DMARC, and no
amount of fiddling with DMARC will make any difference.

My mail server rejects anything with a non-existent bounce address at
SMTP time and I don't think it's ever rejected anything my users would
want.

The solution to this problem is for mail systems to fix their filters,
not to invent yet another mail-breaking hack that they won't use
anyway.

R's,
John


___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

[dmarc-ietf] Rethinking DMARC for PSDs

2019-04-07 Thread Douglas E. Foster 
I understand how much work it takes to create consensus toward an IETF 
standard, but I suggest that the problem needs to be re-examined because 
DMARC for PSDs seems to be neither the sufficient solution nor the 
necessary one.
  
 The problem:
Spammers use non-existent domains to achieve identity spoofing, such as 
tax.example.gov.uk 
 This is primarily a reception problem, because many recipient mail filters 
are not equipped to block this type of fraud.  However, domain owners are 
also concerned about protecting their reputation from fraudulent material 
sent using their identity.
  
 These two sender-receiver combinations are already protected from the 
problem:
Recipients with DMARC enforcement enabled if the message comes from a 
parent domain with DMARC-enforcing policy.  Recipients who filter for 
non-existent domains, regardless of parent domain or receiver DMARC 
capability. 
 These three sender-receiver combinations currently have no protection:
Any recipient when the sender does not request DMARC enforcement (and 
non-existent domain filtering is also off.) Any recipient who lacks both 
DMARC enforcement capability and non-existent domain filtering..Any 
recipient when the parent domain is a PSD (and non-existent domain 
filtering is also off.) 
 The DMARC for PSD standard will only protect the last category of 
unprotected recipients.
  
 What can we assume about legitimate usage of non-existent subdomains?
Non-existent subdomains support application-generated messages, not 
personal ones.  Some messages will be transactional, where the recipient 
expects the message and will whitelist as necessary to ensure delivery. 
Some message will be marketing related, as a tool to support data 
collection related to specific marketing campaigns.  The recipient probably 
does not expect the traffic, and is not likely to whitelist the traffic.   
The sender relies on the probability that most recipients do not filter on 
non-existent domains, so their non-standard business practice has minimal 
consequences for the sender.Possibly, some government cyber-warfare or 
cyber-intelligence operations use this feature.   Whether this is 
legitimate or not depends on the government involved.   It is unlikely that 
the recipient will consider the usage appropriate. 
 Is there justification for IETF to tolerate or tacitly permit messages 
from non-existent domains?
No.   Before SPF, there was no method for a sender to announce a 
transmit-only domain, but that problem was solved a long time ago.   Based 
on existing IETF standards, it is reasonable to conclude that:  
If a 
domain has not published either an MX record or a SPF record, then it is 
not a legitimate source of email.   Obviously, domains with no NS record 
are also included   

 Given all of the above, I hope the real solution is clear:
We need to encourage recipients to block messages from non-existent 
domains (any domain that has no MX or SPF record published.)  Whitellisting 
should be used for exceptions.  Domain registration is not difficult and 
involves minimal cost, so there is no real justification for legitimate 
senders to maintain sloppy business practices. 
 Implementation methods:
Obtain a quorum of major mail-receiving organizations to announce that 
they will no longer accept messages from domains that are non-existent or 
not mail-enabled via an MX or SPF record  (effective no later than 
mm/dd/).  Exceptions require application on  their registered-sender 
site, with justification.   I expect that Google GMail and Microsoft 
LiveMail would be sufficient to be considered a quorum, and I assume they 
are represented on this distribution list. .The government domains could 
decide whether the best political strategy is to join the initial 
announcement or to mimic it shortly thereafter.
Encourage mail filter vendors to provide non-existent domain 
filtering 
capability in their products, with the ability to confirm whitelisting as 
requested by the system administrator.   .The major cloud-based email 
filtering services can add this protection to their clients, if it is not 
already present in their products.   This brings another large group of 
recipients under protection 
To ensure that every recipient can implement non-existent 
domain 
filtering, it would be beneficial if non-existent domain checking becomes 
implemented as a Reputation Block List:   When an email filter requests an 
RBL check on the domain name, the RBL checks for existence of at least one 
MX or SPF record.  If none is found a reject address is returned.  Since 
every email filtering product that I have encountered has support for RBL 
checking, this provides potential coverage for all recipients everywhere, 
and quickly.
If IETF wants to provide a standards-based mechanism for 
mail-enabling 
a