Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-24 Thread John Levine
In article  you write:
>On Tue 24/Nov/2020 13:52:43 +0100 Brotman, Alex wrote:
>> I had one spam message that had 13 parts.  It included both "_mta-sts" and
>> "mta-sts" in there, as well as "mail" nine times.  The last two parts were
>> the org domain.
>
>If the message happened to authenticate, negative reputation is better added
>to that org domain rather than to .com or to some random mta-sts.mail.something.

Why would you think that spam was sent by the actual holder of that
org domain? Since the address contained an underscore, it's invalid
anyway so you could probably reject the message without a lot of extra
checks.

>IOW, if we need the OD anyway for alignment, there's no point in discovering
>DMARC records by tree walk.

My plan is that whatever you discover by the tree walk replaces the OD.  In the
likely common case that the tree walk ends at _dmarc. you get the same
result either way.

R's,
John

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-24 Thread Alessandro Vesely

On Tue 24/Nov/2020 13:52:43 +0100 Brotman, Alex wrote:
> I had one spam message that had 13 parts.  It included both "_mta-sts" and
> "mta-sts" in there, as well as "mail" nine times.  The last two parts were
> the org domain.

If the message happened to authenticate, negative reputation is better added to
that org domain rather than to .com or to some random mta-sts.mail.something.

IOW, if we need the OD anyway for alignment, there's no point in discovering
DMARC records by tree walk.



Best
Ale


Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-24 Thread Brotman, Alex
I was sort of curious yesterday and checked as well.  Most were four or less.  
I had a number that were five or six.  A couple dozen were at eight.  I had one 
spam message that had 13 parts.  It included both "_mta-sts" and "mta-sts" in 
there, as well as "mail" nine times.  The last two parts were the org domain.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast



Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread John Levine
In article 
<553d43c8d961c14bb27c614ac48fc0312811f...@umechpa7d.easf.csd.disa.mil> you 
write:
>-=-=-=-=-=-
>
>Even for .mil, the vast majority of email domains are fairly short with four 
>or fewer labels. Most of the other ones tend to be
>individual servers that send automatic performance emails, and I think should 
>be considered more of an edge case and less of our concern.

I scraped my logs for the past few months and that's what I found.
Nearly everything was four labels or less. Spot checking the few
five-label names, I found that most of the mail was all from
MAILER-DAEMON@<mailhost-name> and it appeared to be spam
blowback.  There was a trickle of what looked like real mail
from stumail.zcs.k12.in.us and feedback.retail.voice-your-views.hsbc.com.

I found nothing at all with six labels or longer.

So if we made the tree walk limit six or seven I think we'd be
unlikely to lose any mail that anyone would miss.

R's,
John




Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Jesse Thompson
On 11/23/20 8:28 AM, eric.b.chudow.civ=40mail@dmarc.ietf.org wrote:
> Even for .mil, the vast majority of email domains are fairly short with four 
> or fewer labels. Most of the other ones tend to be individual servers that 
> send automatic performance emails, and I think should be considered more of 
> an edge case and less of our concern. 

This is the case for us as well (e.g. our comp sci high throughput compute 
cluster servers send automatic emails to both internal and external research 
collaborators).  I suppose universities are different than the military since 
the military probably doesn't want their servers to be sending email 
externally, whereby with a research university cross-institutional 
collaboration is inherent.

I suppose I consider it an edge case too (a large edge case - I see over 200 of 
these 4th level domains in our DMARC aggregate reports for the example cluster I
cite), but the long tail of servers also aren't likely to change the way they 
are sending email nor will sysadmins implement SPF/DKIM for every server 
hostname, etc, so these subdomains are a blocker for publishing sp=reject at 
the org domain (hence a concern within the context of tree walking).

While I understand that there are implementation challenges that may make this 
infeasible, what I would *like* to do is ask each of these departments/research 
teams to publish sp=none at their 3rd level domains (and take over DMARC 
responsibilities for their parts of the tree) so that we can publish sp=reject 
at the org domain to protect/manage the rest of the university.

Jesse

P.S. Here are some stats.  Unique domains used in the RFC5322.From resulting 
from mail sent externally to DMARC reporting organizations in the past 2 weeks:
23 2nd level (org domains)
464 3rd level (359 are subdomains of wisc.edu)
522 4th level (all are subdomains of wisc.edu)
13 5th level
2 6th level



Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Chudow, Eric B CIV NSA DSAW (USA)
Even for .mil, the vast majority of email domains are fairly short with four or 
fewer labels. Most of the other ones tend to be individual servers that send 
automatic performance emails, and I think should be considered more of an edge 
case and less of our concern.



Thanks,

Eric Chudow
DoD Cybersecurity Mitigations


Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Douglas E. Foster
My longest addresses are from SalesForce.com, with 6 segments.
Relatively small dataset.





Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Laura Atkins


> On 22 Nov 2020, at 06:06, Murray S. Kucherawy  wrote:
> 
> On Sat, Nov 21, 2020 at 6:23 PM John Levine wrote:
> It is my impression that most real From: domains are pretty short. I
> don't think I've ever seen one more than four labels long that wasn't
> deliberately contrived. Anyone got data on that?
> 
> I'd bet there are some in .gov or .mil, especially the latter, but otherwise 
> I think the longest one I've seen is five, and that was not a host that 
> receives mail.
> 
> I'm sure we can all scrape our own mail logs for evidence either way.

This might be a place where one (or more) of the big ESPs can help. They’re 
going to have billions of email addresses and know which ones have MXs. I’m 
happy to ask for that data if it would be of use. 

laura 

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog


Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-21 Thread Murray S. Kucherawy
On Sat, Nov 21, 2020 at 6:23 PM John Levine  wrote:

> It is my impression that most real From: domains are pretty short. I
> don't think I've ever seen one more than four labels long that wasn't
> deliberately contrived. Anyone got data on that?
>

I'd bet there are some in .gov or .mil, especially the latter, but
otherwise I think the longest one I've seen is five, and that was not a
host that receives mail.

I'm sure we can all scrape our own mail logs for evidence either way.

-MSK


Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-21 Thread John Levine
In article  
you write:
>Someone in DNSOP, I think, proposed doing the tree walk in the other
>direction.

Turns out that won't work because here's what you'd be checking:

> _dmarc.paypal.com
> _dmarc.baz.paypal.com
> _dmarc.bar.baz.paypal.com
> _dmarc.foo.bar.baz.paypal.com

You can have a NXDOMAIN at _dmarc.paypal.com but a TXT record at
_dmarc.bar.baz.paypal.com. You could certainly add heuristics and
check plain baz.paypal.com to see if it gives you an NXDOMAIN stop but
I have no reason to think that on average it'd actually save queries.

It is my impression that most real From: domains are pretty short. I
don't think I've ever seen one more than four labels long that wasn't
deliberately contrived. Anyone got data on that?

R's,
John
r...@18.183.57.64.in-addr.arpa

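The discovery logic argued over in this thread, as an added Python sketch that is not code from the thread, the draft, or any DMARC implementation: the bottom-up _dmarc walk with a label limit (John's "six or seven"), the walk result standing in for the org domain (his 24 Nov note), the top-down order that cannot stop at NXDOMAIN (his 21 Nov paypal.com example), and Alex's underscore-label sample. The toy zone, the function names, and the reading of the limit as keeping only the rightmost labels are my assumptions.

```python
from typing import Optional

# Constructed toy zone (not real DNS): names that hold a _dmarc TXT record.
# _dmarc.paypal.com deliberately has no record while a deeper name does,
# which is exactly the case John Levine raises against a top-down walk.
TOY_DMARC_RECORDS = {
    "_dmarc.bar.baz.paypal.com": "v=DMARC1; p=reject",
    "_dmarc.example.com": "v=DMARC1; p=none; sp=quarantine",
}

def labels_of(domain: str) -> list:
    """Split a domain into its DNS labels, ignoring a trailing dot."""
    return [l for l in domain.rstrip(".").split(".") if l]

def has_underscore_label(domain: str) -> bool:
    """Hostnames may not carry '_' labels, so a From domain like the
    13-label '_mta-sts...' spam sample is invalid before any lookup."""
    return any(l.startswith("_") for l in labels_of(domain))

def bottom_up_candidates(domain: str, max_labels: int = 7) -> list:
    """_dmarc names to query, most specific first. Assumption: the proposed
    limit keeps only the rightmost max_labels labels of a longer domain.
    The walk stops above the TLD (PSD handling is out of scope here)."""
    labels = labels_of(domain)[-max_labels:]
    return ["_dmarc." + ".".join(labels[i:]) for i in range(len(labels) - 1)]

def discover_bottom_up(domain: str, max_labels: int = 7) -> Optional[str]:
    """Walk upward and return the first name holding a record, or None."""
    for name in bottom_up_candidates(domain, max_labels):
        if name in TOY_DMARC_RECORDS:
            return name
    return None

def discover_top_down(domain: str) -> Optional[str]:
    """The rejected alternative: start at the org-level name, stop at the
    first NXDOMAIN, return the deepest record reached (None for paypal.com)."""
    found = None
    for name in reversed(bottom_up_candidates(domain, max_labels=99)):
        if name not in TOY_DMARC_RECORDS:
            break  # NXDOMAIN stop: deeper names are never queried
        found = name
    return found

def org_domain_from_walk(domain: str, max_labels: int = 7) -> Optional[str]:
    """John's proposal: the name where the walk found a record replaces the
    organizational domain used for alignment."""
    found = discover_bottom_up(domain, max_labels)
    return found[len("_dmarc."):] if found else None
```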