Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On 6/6/20 2:42 PM, Scott Kitterman wrote:
> On Saturday, June 6, 2020 5:26:08 PM EDT Dave Crocker wrote:
>> On 6/6/2020 2:23 PM, Scott Kitterman wrote:
>>> If things like DMARC, SPF, and DKIM do nothing more than get abusers to
>>> use different domains than they would otherwise, I think that's a win.
>> The issue here is DMARC, not SPF or DKIM, since DMARC is the only one of
>> the 3 that restricts the choice of domain name.
>>
>> With that in mind, I'll ask you why you think the kind of change you
>> cite is a win.
> 1. I think the domain displayed to the end user matters. In my sample size
> of 1, it matters to me. I know I'm not the average user, but independent of
> the question of how many users it matters to, there are some.

Same with me, but again I'm not the average user.

> 2. When abusers use different domains to send mail, it adds more information
> for filters to work on, so even if this is all about filtering, that works
> better too.

But when abusers use different domains, the DMARC policy that applies is
controlled by them and is therefore meaningless. And the reports, if any
(probably none), are sent back to the attacker or their designate.
Filtering might be done based on the DKIM signing domain or the
envelope-from domain if SPF is used, but neither of those require DMARC.

-Jim

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On Saturday, June 6, 2020 5:26:08 PM EDT Dave Crocker wrote:
> On 6/6/2020 2:23 PM, Scott Kitterman wrote:
> > If things like DMARC, SPF, and DKIM do nothing more than get abusers to
> > use different domains than they would otherwise, I think that's a win.
>
> The issue here is DMARC, not SPF or DKIM, since DMARC is the only one of
> the 3 that restricts the choice of domain name.
>
> With that in mind, I'll ask you why you think the kind of change you
> cite is a win.

1. I think the domain displayed to the end user matters. In my sample size
of 1, it matters to me. I know I'm not the average user, but independent of
the question of how many users it matters to, there are some.

2. When abusers use different domains to send mail, it adds more information
for filters to work on, so even if this is all about filtering, that works
better too.

Scott K
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On Fri, Jun 5, 2020 at 5:26 PM Jim Fenton wrote:
> On 6/4/20 10:39 PM, Dotzero wrote:
>
> The goal of DMARC was (and is) to mitigate direct domain abuse. Nothing
> more and nothing less. It helps receiving systems identify a (correctly)
> participating domain's mail. That is why a DMARC policy is often described
> as a sending domain's request and local policy is so important (and can
> override that request).
>
> I'm not clear on what kind of direct domain abuse you're referring to. If
> we accept that domain names are either not visible or are ignored by the
> recipient, the domain name doesn't matter much as long as the attacker can
> get their message delivered, and DMARC doesn't apply because they're using
> their domain.

The type of direct domain abuse where someone attempts to send a message
using in the From email address field. As I wrote earlier, the combination
of SPF/DKIM/DMARC is a tool that accomplishes a narrow goal. It is not a
silver bullet that solves all forms of abuse. It can be used to mitigate a
specific type of abuse.

> For attackers that deploy DMARC it simply means that they are self
> identifying their malicious messages as theirs.
>
> No, DKIM and SPF do that. DMARC doesn't have anything to do with
> identifying messages.

As with SPF and DKIM, some abusers were quick to implement DMARC in addition
to SPF and/or DKIM on the theory that it makes their email appear more
legitimate to receivers. Just one more nail in the coffin.

> For Sending domains, SPF/DKIM/DMARC is only one set of tools in protecting
> their brand from abuse. It protects end users from abuse. In fact, in many
> cases the individuals most susceptible to falling prey to such abuse may
> not even be customers of that sending domain. No, that greeting card you
> received isn't legit (Nobody loves you). No, that retailer isn't giving you
> a $200 gift card. This is why other tools like takedowns are so important
> and why the removal of registrant information from domain registrations has
> enabled abusers.
>
> So maybe the core question here is, does the identity in the domain name
> matter or not? It does to me personally because I look at it (whenever I
> can -- my iPhone doesn't make it easy to display) and I pay attention to
> it. But I know I'm not a typical user, and I also see increasing evidence
> of mail client software that doesn't show anything but the Friendly Name.
> So is there a "brand" associated with the email domain name any more?

There is. Don't get hung up on what is displayed to the end user. Think
about the reporting aspect. In my previous incarnation we were able to
initiate takedowns and/or blocking by 3rd parties much more quickly based on
DMARC reports than simply waiting for end user complaints to customer
service or abuse@.

> If the domain name doesn't matter, the binding to the From/Signer address
> doesn't either.
>
> -Jim

It does matter for the specific abuse scenario. Those particular abusive
mail streams never get to the end user recipient. I'm basing this on my
experience on a corpus of billions of emails sent for what had been
previously highly abused domains/brands. For other types of abuse we
implemented other types of mitigation approaches. Collectively those
approaches reduced abuse by over 95%. The goal was to reduce ROI for the bad
guys to the point that they would look for greener pastures.

You are implying/assuming that DMARC solves the problem of a wider scope of
abusive email types than it does.

The Display Name (Mail From) is a particularly thorny problem to solve in
that it is not tied to anything in that it is a free form field into which
anything can be entered.

Michael Hammer
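The scope discussed in the two messages above (alignment covers the domain in the From address, not the display name, and the policy consulted belongs to whoever owns that domain), as an added example that is not part of any message in this thread. The `.example` names, the tiny `PUBLIC_SUFFIXES` set and the function names are constructed for illustration; the SPF and DKIM results are taken as already-verified inputs.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "example"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_header, spf_domain=None, dkim_domains=(), strict=False):
    """spf_domain: MAIL FROM domain that passed SPF, or None.
    dkim_domains: d= values of DKIM signatures that verified."""
    display, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    authenticated = list(dkim_domains) + ([spf_domain] if spf_domain else [])
    ok = any(aligned(from_domain, d, strict) for d in authenticated)
    return {
        "display_name": display,                  # free-form text, never compared
        "policy_query": "_dmarc." + from_domain,  # first lookup: From domain's owner sets policy
        "dmarc": "pass" if ok else "fail",
    }

# Constructed sample messages, one per case raised in the thread.
SAMPLES = {
    "direct_domain_abuse": evaluate('"Brand Support" <support@brand.example>',
                                    spf_domain="bulk.unrelated.example"),
    "legitimate": evaluate('"Brand Support" <support@brand.example>',
                           dkim_domains=["mail.brand.example"]),
    "unrelated_domain": evaluate('"Brand Support" <support@unrelated.example>',
                                 spf_domain="unrelated.example",
                                 dkim_domains=["unrelated.example"]),
}

if __name__ == "__main__":
    for name, result in SAMPLES.items():
        print(name, result)
```

All three samples carry the same display name; only the first fails, and the third is evaluated against a record published under `unrelated.example`.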
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On 6/6/2020 2:23 PM, Scott Kitterman wrote:
> If things like DMARC, SPF, and DKIM do nothing more than get abusers to
> use different domains than they would otherwise, I think that's a win.

The issue here is DMARC, not SPF or DKIM, since DMARC is the only one of
the 3 that restricts the choice of domain name.

With that in mind, I'll ask you why you think the kind of change you
cite is a win.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On Saturday, June 6, 2020 4:45:11 PM EDT John Levine wrote:
> In article ,
>
> Scott Kitterman wrote:
> >I think the market has spoken on the utility of DMARC.
>
> There's no question that it was highly successful at Yahoo and AOL
> after they let crooks steal their address books at reducing the amount
> of spam their users received that forged addresses in those stolen
> address books. Of course, if you are not Verizon Media, who cares?
>
> I gather it is also quite effective against phishes that for some
> reason put the actual target's domain in the From: address, but
> at this point I don't know how common that is relative to phishes
> that put it in the From: comment, viz. Jim's question.

I'm not sure how important a question it is. It used to be quite common. If
it's not anymore (I don't have access to a current data set big enough to
really have an opinion), then I'd suggest that it's because abusers are, at
least to some degree, deterred from doing so.

If things like DMARC, SPF, and DKIM do nothing more than get abusers to use
different domains than they would otherwise, I think that's a win.
Unfortunately it's quite difficult to measure the deterrent effect
associated with these mechanisms.

I would expect that using different domains would make the filtering problem
easier to solve, so even if the domain presented to end user doesn't matter
(I think it does, but meh), pushing abusive mail to use other domains helps
solve the filtering problem.

Scott K
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
In article ,
Scott Kitterman wrote:
>I think the market has spoken on the utility of DMARC.

There's no question that it was highly successful at Yahoo and AOL
after they let crooks steal their address books at reducing the amount
of spam their users received that forged addresses in those stolen
address books. Of course, if you are not Verizon Media, who cares?

I gather it is also quite effective against phishes that for some
reason put the actual target's domain in the From: address, but
at this point I don't know how common that is relative to phishes
that put it in the From: comment, viz. Jim's question.

R's,
John

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On June 6, 2020 7:25:56 PM UTC, Jim Fenton wrote:
>On 6/5/20 3:37 PM, Scott Kitterman wrote:
>> On Friday, June 5, 2020 5:26:19 PM EDT Jim Fenton wrote:
>>>
>>> So maybe the core question here is, does the identity in the domain name
>>> matter or not? It does to me personally because I look at it (whenever I
>>> can -- my iPhone doesn't make it easy to display) and I pay attention to
>>> it. But I know I'm not a typical user, and I also see increasing
>>> evidence of mail client software that doesn't show anything but the
>>> Friendly Name. So is there a "brand" associated with the email domain
>>> name any more?
>>>
>>> If the domain name doesn't matter, the binding to the From/Signer
>>> address doesn't either.
>> If the domain name didn't matter, no one would bother to use 'real' domains in
>> abusive mail. They demonstrably do, so while one might have differences of
>> opinion about how important they are (every MUA I use displays them, so let's
>> also not draw too hasty conclusions about them not being displayed) I don't
>> think it's a supportable that they don't matter.
>
>And I receive a good deal of email with friendly names like "DHL
>Express" or the names of friends (who apparently have suffered address
>book compromise) but completely unrelated domain names.
>
>I phrased my comment as a question because I really don't know the
>answer to this, and have been reading comments from people asserting
>opinions on both sides. It would simplify the discussion if the WG could
>reach rough consensus on this. And if the domain name doesn't matter,
>the WG really needs to rethink the utility of DMARC.

I think the market has spoken on the utility of DMARC.

Scott K
Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
On 6/5/20 3:37 PM, Scott Kitterman wrote:
> On Friday, June 5, 2020 5:26:19 PM EDT Jim Fenton wrote:
>>
>> So maybe the core question here is, does the identity in the domain name
>> matter or not? It does to me personally because I look at it (whenever I
>> can -- my iPhone doesn't make it easy to display) and I pay attention to
>> it. But I know I'm not a typical user, and I also see increasing
>> evidence of mail client software that doesn't show anything but the
>> Friendly Name. So is there a "brand" associated with the email domain
>> name any more?
>>
>> If the domain name doesn't matter, the binding to the From/Signer
>> address doesn't either.
> If the domain name didn't matter, no one would bother to use 'real' domains in
> abusive mail. They demonstrably do, so while one might have differences of
> opinion about how important they are (every MUA I use displays them, so let's
> also not draw too hasty conclusions about them not being displayed) I don't
> think it's a supportable that they don't matter.

And I receive a good deal of email with friendly names like "DHL
Express" or the names of friends (who apparently have suffered address
book compromise) but completely unrelated domain names.

I phrased my comment as a question because I really don't know the
answer to this, and have been reading comments from people asserting
opinions on both sides. It would simplify the discussion if the WG could
reach rough consensus on this. And if the domain name doesn't matter,
the WG really needs to rethink the utility of DMARC.

-Jim