[dmarc-discuss] What bad stuff can a broken DMARC record cause?

2022-04-22 Thread John R Levine via dmarc-discuss
Someone I know asked me what sort of bad things could happen if one 
published a broken DMARC record.  Obviously, if your record is bad people 
won't follow your policies and you won't get your reports, but anything 
else?  Have you ever heard of MTAs burping on a bad DMARC record?


I've looked at the C OpenDMARC and perl Mail::DMARC libraries and they 
both seem pretty sturdy: fetch a TXT record and if they find one, look for 
the tags they want and ignore everything else.


As an experiment, I added 32K of junk to the _dmarc.johnlevine.com TXT 
record and as far as I can tell, it's made no difference.  I still get the 
same reports saying the same things.  DNS libraries need to use TCP to 
fetch it but they all seem able to do that.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
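The tolerant parsing behaviour described above, as an added example rather than code from OpenDMARC or Mail::DMARC: a parser that keeps only the tags it knows, the RFC 7489 fallback for a bad p=, and a reproduction of the 32K-of-junk experiment on a constructed record (no DNS is queried).

```python
"""Tolerant DMARC record parsing: pick out the tags you know, ignore the rest.

Added example, not OpenDMARC or Mail::DMARC code. Record strings are
constructed; nothing here talks to DNS.
"""

# Tags defined by RFC 7489 that a verifier actually acts on.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return a dict of the known tags in one _dmarc TXT record, or None.

    RFC 7489 requires the first tag to be exactly v=DMARC1; anything else is
    not a DMARC record at all. After that, unknown tags and fragments without
    an '=' are skipped rather than treated as errors.
    """
    tags = {}
    seen_first = False
    for fragment in txt.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, value = fragment.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not seen_first:
            seen_first = True
            if name != "v" or value != "DMARC1":
                return None
        if not sep or name not in KNOWN_TAGS or name in tags:
            # Junk, or a repeated tag: first occurrence wins (lenient; the
            # strict tag-list syntax forbids duplicates).
            continue
        tags[name] = value
    return tags if seen_first else None


def effective_policy(tags):
    """Policy a receiver applies, following RFC 7489 section 6.6.3.

    A missing or unrecognised p= is treated as p=none when a rua= is present
    (the domain owner at least gets reports); with no rua= the record is
    unusable and no DMARC processing happens (None).
    """
    if not tags:
        return None
    p = tags.get("p", "").lower()
    if p in VALID_POLICIES:
        return p
    return "none" if "rua" in tags else None


def with_junk(record, size=32 * 1024):
    """Append junk tags (names no verifier knows) until the record is at
    least `size` bytes, mimicking the experiment described in the post."""
    parts = [record]
    total = len(record)
    i = 0
    while total < size:
        junk = f" zz{i}=" + "junk" * 16   # harmless filler, not a known tag
        parts.append(junk)
        total += len(junk) + 1            # +1 for the ';' separator
        i += 1
    return ";".join(parts)


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    assert parse_dmarc(with_junk(record)) == parse_dmarc(record)
    print(parse_dmarc(record), effective_policy(parse_dmarc(record)))
```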


Re: [dmarc-discuss] [Ext] Re: [Ext] RE: [Ext] Re: Some DMARC adoption data

2022-02-11 Thread John R Levine via dmarc-discuss

Null MX doesn’t stop anyone from spoofing your domain to send email though.


Yes, I know, I wrote the RFC about it.

SPF, DMARC are tools that work together to protect your domain and your 
reputation. If SPF was the magic bullet then nothing else would be needed.

The basic problem with SPF is that it can't describe all of the ways that 
people send mail. But it says "I send no mail at all" just fine.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

Re: [dmarc-discuss] [Ext] RE: [Ext] Re: Some DMARC adoption data

2022-02-11 Thread John R Levine via dmarc-discuss

By that logic if you have SPF -all you don’t need anything else to protect your 
domain. Why even bother with DMARC at all?


As I said, if you don't send any mail at all, a null MX is useful but I 
don't see much point to DMARC.  It's not a magic bullet.


I suppose there are systems that look at DMARC but not at SPF -all but I 
don't know of many.


R's,
John


From: John R Levine 
Sent: Friday, February 11, 2022 7:54:55 PM
To: Chris Sweeney ; dmarc-discuss@dmarc.org 

Cc: ves...@tana.it 
Subject: [Ext] RE: [Ext] Re: [dmarc-discuss] Some DMARC adoption data



That's the point though, even if you don't send email from a domain it should 
have a SPF and DMARC record to prevent someone from spoofing your domain.


If you have SPF -all and a null MX, you shouldn't need a DMARC record.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly





Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

Re: [dmarc-discuss] [Ext] Re: Some DMARC adoption data

2022-02-11 Thread John R Levine via dmarc-discuss

That's the point though, even if you don't send email from a domain it should 
have a SPF and DMARC record to prevent someone from spoofing your domain.


If you have SPF -all and a null MX, you shouldn't need a DMARC record.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


-Original Message-
From: dmarc-discuss  On Behalf Of John Levine 
via dmarc-discuss
Sent: Friday, February 11, 2022 2:25 PM
To: dmarc-discuss@dmarc.org
Cc: ves...@tana.it
Subject: [Ext] Re: [dmarc-discuss] Some DMARC adoption data


It appears that Alessandro Vesely via dmarc-discuss  said:

Study on Domain Name System (DNS) abuse : technical report. Appendix 1,
2022
https://data.europa.eu/doi/10.2759/473317

Chapter 17 of the Appendix (2nd link above) contains data on SPF and DMARC.

The DMARC part says that 8,129,795 out of 246,425,997 domains exhibit a
DMARC record (3.3%).  Parsing DMARC records shows that 49.68% of the
domain names with the DMARC record has p=none, 11.20% have
p=quarantine, and 37.14% have p=reject.


I wish they'd also looked at how many domains have MX records, or had SPF -all.

I can't get too worried about no DMARC on a domain that doesn't send or receive 
mail.




Re: [dmarc-discuss] Heterogeneity in handling non-OD inputs among web-based DMARC checking tools

2021-12-31 Thread John R Levine via dmarc-discuss

On Fri, 31 Dec 2021, su...@banbreach.com wrote:

By planned changes, are you referring to draft-ietf-dmarc-dmarcbis-04?


Yes.


When you say this is not a bug, do you mean "this is not a bug in the RFC" or 
"this is not a bug in the
dmarc checker tool"?


No.  I mean that it is not a bug that it will blur the distinction between 
org domain and PSD.


From what you've said, it sounds like some of the checkers are buggy, or 
at least reporting sloppily.  The one that said a record was "empty" when 
in fact it did not exist sounds like sloppy coding to me.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] Thoughts for new value 'p=nomail'

2020-08-31 Thread John R Levine via dmarc-discuss

On Mon, 31 Aug 2020, Brandon Long wrote:
Hmm, DMARC is for the header from domain, however, I wonder if folks 
usually only do the spf lookup on the mail from argument, which may not 
be aligned and therefore doesn't hit that.


And then how would this also play with say the Sender: header override 
draft, would you expect to listen to the SPF for the header from domain 
saying "no mail" or allow override?


We can get awfully meta here.  Imagine an executive who has her assistant 
send all her mail, so the address in the From: line never sends any mail, 
although you can send mail to her.  So SPF -all would be right even though 
the address is OK.



Agreed with the general case of "I really mean it" though.


But this gets into "who cares what you think" territory (generic you, not 
Brandon you.)


I think the least wrong thing to validate the From header is to check for 
a null MX.  I realize that a lot of bulk mail is sent with From addresses 
that don't work ("please do not reply to this message, because we do not 
care what you want"), but I expect they're unlikely to publish null MX.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] DKIM Pass for unauthorized servers?

2020-06-22 Thread John R Levine via dmarc-discuss

My dmarc = v=DMARC1; p=reject; rua=mailto:dmarc_rep...@bexx.com; 
ruf=mailto:dmarc_foren...@bexx.com; fo=1

Is this incorrect?


I wouldn't use p=reject but the syntax looks fine.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


[dmarc-discuss] DMARC vs DKIM keys with s=mtasts

2020-03-29 Thread John R Levine via dmarc-discuss
While fiddling with scripts to analyze mta-sts reports, I noticed some 
peculiar DKIM validation failures in reports from socketlabs.  RFC 8460 
which defines the reports says that mail reports have to be DKIM signed 
and the DKIM validation key should say "s=tlsrpt" rather than the usual 
s=email or default s=*.  Socketlabs' keys do indeed have s=tlsrpt so the 
signature validation fails.


The C libopendkim and perl Mail::DKIM libraries have hard-coded tests for 
'email' or '*'.  Python dkimpy has a kludge that accepts 'tlsrpt' along 
with the other two.  None of them have a way to say to look for a service 
type other than 'email'.


Beyond the kludge in dkimpy I don't see how to make mta-sts work properly 
with DMARC other than by even more grotesque kludges.


I suppose I could imagine defining an ad-hoc list of local addresses that 
expect special DKIM service types, and somehow have the DKIM libraries 
adjust the service type depending on the current RCPT TO, but ugh.  I also 
suppose we could encourage socketlabs to add another signature with the 
same d= but an s=email key.


At the moment it's OK-ish because socketlabs' mail is SPF aligned, so even 
if I were enforcing their p=reject policy, they'd pass.  I have also seen 
no fake mta-reports at all, and I'm finding it hard to imagine a plausible 
threat model in which a bad guy could get the required signature with 
s=email but not s=tlsrpt.


RFC 8460 says the key SHOULD have s=tlsrpt and the recipient MAY ignore 
reports without that service type.  I'm inclined to consider that an error 
in view of experience with it.  Different service types are for messages 
delivered some way other than SMTP.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
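The service-type check at issue above, as an added example (not code from libopendkim, Mail::DKIM or dkimpy): parse a DKIM key record, apply the hard-coded email/'*' test the post describes, and compare it with a configurable accepted set. The key records are constructed and the p= values are placeholders.

```python
"""DKIM key record service-type (s=) checks, as an added example.

Not code from libopendkim, Mail::DKIM or dkimpy. Shows why a verifier that
only accepts s=email or s=* rejects a key published with the s=tlsrpt that
RFC 8460 asks for, and what a configurable accepted set looks like.
"""

# Constructed key records; p= is a placeholder, not a real public key.
EMAIL_KEY = "v=DKIM1; k=rsa; s=email; p=PLACEHOLDERKEY"
TLSRPT_KEY = "v=DKIM1; k=rsa; s=tlsrpt; p=PLACEHOLDERKEY"
DEFAULT_KEY = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"      # no s= means '*'


def parse_dkim_key(txt):
    """Split a DKIM key TXT record (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for fragment in txt.split(";"):
        name, sep, value = fragment.partition("=")
        if sep:
            # RFC 6376 allows folding whitespace inside values such as p=;
            # drop it so the value compares cleanly.
            tags[name.strip()] = "".join(value.split())
    return tags


def service_types(tags):
    """Service types the key is published for: a colon-separated list in
    s=. An absent s= means '*', all services (RFC 6376 section 3.6.1)."""
    return {s for s in tags.get("s", "*").split(":") if s}


def hardcoded_email_check(tags):
    """What the post says libopendkim and Mail::DKIM do: the key is usable
    only if it is for 'email' or for everything ('*')."""
    return not service_types(tags).isdisjoint({"email", "*"})


def configurable_check(tags, accepted=frozenset({"email"})):
    """dkimpy-style: accept '*' or any type in the caller's accepted set, so
    a receiver that processes TLSRPT reports can pass {"email", "tlsrpt"}."""
    types = service_types(tags)
    return "*" in types or not types.isdisjoint(accepted)


def key_applicability(tags, accepted=frozenset({"email"})):
    """Result a verifier returns for the key alone (RFC 6376 section 6.1.2):
    an s= that matches neither '*' nor the expected service is PERMFAIL
    (inapplicable key), before any signature math is attempted."""
    if configurable_check(tags, accepted):
        return "ok"
    return "PERMFAIL (inapplicable key)"


if __name__ == "__main__":
    for label, rec in (("email", EMAIL_KEY), ("tlsrpt", TLSRPT_KEY), ("default", DEFAULT_KEY)):
        tags = parse_dkim_key(rec)
        print(label, hardcoded_email_check(tags), key_applicability(tags, {"email", "tlsrpt"}))
```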


Re: [dmarc-discuss] What is the end goal of DMARC?

2018-10-17 Thread John R Levine via dmarc-discuss

On Wed, 17 Oct 2018, Alessandro Vesely wrote:

wildcard *.dmarc.fail addresses and they work fine.  My mail server
knows what's been rewritten recently and rejects everything else.


Wildcard *.trailing.parts doesn't work, but is existent.


I have a wildcard MX for *.dmarc.fail pointing at my mail server and it 
works just like it is supposed to.  I can believe that some people don't 
understand how to set up a mail server this way but that's a different 
problem.



Hm... Suppose someone worked out reputation mechanics at some large mailbox
providers, so as to be able to craft messages that ruin a mail site reputation
to the point of rejecting messages from that site.  Now, suppose also that a
mailing list, key for the next presidential campaign, counts various users of
those mailbox providers among its subscribers.  Would you still recommend that
they adopt your Perl script?


Since I have no idea how the largely implausible first part of your 
question relates to the utterly implausible second part, it's not a 
question I can answer.


R's,
John


Re: [dmarc-discuss] Anti-DMARC rewrites, was What is the end goal of DMARC?

2018-10-14 Thread John R Levine via dmarc-discuss

On Sun, 14 Oct 2018, Al Iverson wrote:
other than to the mailing list or to the owner. If you've addressed 
that, too, great, but it doesn't feel easy or scalable.


Of course we have.  The rewritten address forwards to the real address for 
a few days.  This means that the user's name and address appear in the 
From: header where they belong, and replies also work the way they're 
supposed to, without having to hijack the Reply-To header.


It's certainly not perfect, but it's a lot better than putting the list 
address in the From: so you can't tell who messages are from and replies 
are backward.


As far as easy or scalable, the code to do this is about 300 lines of perl 
(it adds ARC headers, too) and the IETF uses it on all of their lists, at 
least a thousand of them.


R's,
John
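The rewriting scheme described above, as an added example in Python rather than the IETF's perl (not the author's code): the author's address is rewritten under a list-controlled domain and the rewritten address forwards to the real one for a few days. The DMARC lookup is a constructed table standing in for a _dmarc DNS query, the three-day lifetime is an assumption for "a few days", and the choice to rewrite only for p=quarantine and p=reject is mine.

```python
"""From: rewriting for mailing lists, as an added example.

Not the IETF's perl: a Python sketch of the same scheme. DMARC_POLICY is a
constructed stand-in for a DNS lookup; dmarc.fail comes from the posts.
"""
import time
from email.utils import parseaddr, formataddr

REWRITE_DOMAIN = "dmarc.fail"
FORWARD_TTL = 3 * 24 * 3600        # "a few days": assumed to be three

# Constructed stand-in for looking up the _dmarc record of the From: domain
# (domain -> p= value; absent means no DMARC record).
DMARC_POLICY = {"yahoo.com": "reject", "example.org": "none"}


def dmarc_policy(domain, table=DMARC_POLICY):
    """p= of the domain's DMARC record, or None if it publishes none."""
    return table.get(domain.lower())


class FromRewriter:
    """Rewrites the author's address so the list can modify the message
    without failing the author's DMARC policy, and remembers where each
    rewritten address forwards to for a limited time."""

    def __init__(self, rewrite_domain=REWRITE_DOMAIN, ttl=FORWARD_TTL, clock=time.time):
        self.rewrite_domain = rewrite_domain
        self.ttl = ttl
        self.clock = clock
        self.forwards = {}   # rewritten address (lower-cased) -> (real address, expiry)

    def rewrite(self, from_header):
        """Return the From: value to put on the list copy of the message."""
        name, addr = parseaddr(from_header)
        local, at, domain = addr.rpartition("@")
        # Assumption: only enforcing policies need the rewrite; p=none and
        # no-record domains keep their original From:.
        if not at or dmarc_policy(domain) not in ("quarantine", "reject"):
            return from_header
        new_addr = f"{local}@{domain}.{self.rewrite_domain}"
        self.forwards[new_addr.lower()] = (addr, self.clock() + self.ttl)
        # The user's name and real address still appear, just under a
        # domain the list controls, so replies reach the author.
        return formataddr((name, new_addr))

    def resolve(self, rewritten_addr):
        """Where the wildcard MX for *.dmarc.fail delivers a reply: the real
        address while the mapping is live, None once it has expired (the
        mail server then rejects it)."""
        key = rewritten_addr.lower()
        entry = self.forwards.get(key)
        if entry is None or entry[1] < self.clock():
            self.forwards.pop(key, None)
            return None
        return entry[0]


if __name__ == "__main__":
    rw = FromRewriter()
    rewritten = rw.rewrite("Marina <marina@yahoo.com>")
    print(rewritten, "->", rw.resolve(parseaddr(rewritten)[1]))
```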


Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"

2018-10-09 Thread John R Levine via dmarc-discuss

On Tue, 9 Oct 2018, Al Iverson wrote:

If you treat quarantine differently than none, you’re sending me misleading 
data in the reports you send (if of course



Sorry, but that is just wrong.  I publish p=none because that is my
policy.


It's not wrong from my perspective. It's exactly what I see in practice from 
ISPs and companies.


I'm not opposed to having some way to say pretend that I'm publishing a 
more restrictive policy, but I'd be rather annoyed if p=none were hijacked 
so there's no way to say my mail comes from different places and that's 
OK.


I don't care what the details are.  Maybe we can publish an update that 
formalizes the pct=0 hack, or add p=pseudoquarantine.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

Re: [dmarc-discuss] Hotmail violating DMARC specification (fwd)

2018-09-25 Thread John R Levine via dmarc-discuss

In article <530ab12f-8f41-478f-8e2c-8b276ae9d...@gmail.com>,
Ivan Kovachev via dmarc-discuss  wrote:

I have also run some tests using a DMARC protected domain in reject mode and 
hotmail whether manually forwarding, auto-forwarding or
redirecting the email treats the email in the same way and that is: retains the 
original From domain but the final recipient does the
SPF and DKIM checks on the forwarder ie. hotmail so DMARC fails and emails are 
rejected.


That is DMARC operating as specified.  If you say p=reject and don't
DKIM sign your mail, you're saying that only the IP addresses in your
SPF record can forward it.  The forward issue is not unique to
Hotmail; you'd see the same result from anyone who bounced, relayed,
or otherwise forwarded it.

If that's not what you want, perhaps you should adjust your DMARC policy to say 
what you do want.

R's,
John
--
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: [dmarc-discuss] I have a working solution for spam problem. Need your valuable feedback

2018-08-21 Thread John R Levine via dmarc-discuss

Because I'm introducing a proprietary standard called "Sender Alias Domains
(SAD)" and make use of already popular solutions like SPF, DKIM, DMARC.


As is well known to anyone who is familiar with the history of e-mail, 
it's not hard to keep bad guys out of a small walled garden.  But it 
doesn't scale.


Here endeth the free consulting.  I see that you're sending the same junk 
messages to some IETF lists.  Do yourself a favor, and don't do that.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] I have a working solution for spam problem. Need your valuable feedback

2018-08-21 Thread John R Levine via dmarc-discuss

My presentation contains 373 slides. My demo video length: 30 minutes.
From where do you really think I got the content?


I looked at the first 50 slides or so, and I get the strong impression that
you're not familiar with US patent 5,930,479, which was filed in 1996 and issued
in 1999 and expired in 2016.

Nothing personal but we've seen a whole lot of FUSSPs over the past 20 years,
and the number that have actually worked is zero.  Why should yours be any
different?

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: [dmarc-discuss] I have a working solution for spam problem. Need your valuable feedback

2018-08-21 Thread John R Levine via dmarc-discuss

Sorry, but this is not relevant to the dmarc discuss list.

I took a look at the web page and stopped after "We are building a Parallel 
Internet" ...




On Wed, 22 Aug 2018, Viruthagiri Thirumavalavan via dmarc-discuss wrote:


 Hello Everyone,

 First of all. I would like to thank you all for developing and contributing
 to DMARC. Because you guys already helped to reduce plenty of spam on the
 Internet and my solution utilises DMARC along with SPF and DKIM

 My name is Viruthagiri Thirumavalavan. I started my research to solve the
 spam problem back in 2013. Five years later I think I have a presentable
 solution.

 Thousands of people tried to solve the spam problem in the past 40 years.
 What makes my solution different is that, unlike others my system works on
 the following principle.

 "Spam should be prevented at the source, not the destination"

 I'm not trying to fight spam with spam filters, but trying to make the
 email address useless in the spammers hands.

 If my system works, then it's going to be the world's first zero spam mail
 system.

 I would be grateful if you guys can give me some feedback by reading my
 presentation..

 The summary can be found in my company's official website. I just put the
 website online.

 https://www.dombox.org/

 Thanks very much :-)



Re: [dmarc-discuss] Email encryption services and DMARC

2018-07-11 Thread John R Levine via dmarc-discuss

On Wed, 11 Jul 2018, John R Levine wrote:

 If you're going to have a third party send mail for you, why can't you
 just list the third party IP address in your SPF record?


Oh, wait, I got it backward.  On the outbound mail, you're right, it's the 
customer's domain so they can add the IP to the SPF.


On the inbound mail, the customer sees all the mail coming from the third 
party.  In that case either the third party needs to do some filtering, or 
the customer needs to peek at the received headers to do some retroactive 
SPF checking.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] General DMARC weakness - personal forwarding

2018-05-25 Thread John R Levine via dmarc-discuss

On Fri, 25 May 2018, Rolf E. Sonneveld wrote:
I may live in another world or the mailing lists to which I subscribe may be 
different from the ones you subscribe to, but it is my experience that most 
mailing lists didn't implement the From rewriting kludge, but instead 
implemented the 'reject from domains that publish p=reject'.


You definitely live in another world.  Even RIPE and the IETF do rewrites 
now.



Rewriting the From address can be seen as 'breaking the system'.


No kidding.  That's why we hope ARC will work well enough that we don't 
have to.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] 2 questions about evaluating DMARC reports -- recommendations ?

2017-10-27 Thread John R Levine via dmarc-discuss

bits in a database at https://www.taugh.com/rddmard


Typo.  As you might expect it's really https://www.taugh.com/rddmarc


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] DKIM vulnerability overview

2017-10-25 Thread John R Levine via dmarc-discuss
1. The fact that some folk know about these issues and that they were 
talked about at some point in time and that there is an obscure record of 
those discussions does not mean that these issues are well-documented or 
well-understood broadly.


The guy who wrote the security screed appears to have made not even the 
least attempt to see if these are known issues (google finds them pretty 
fast.)  I don't think I would want to take security advice from someone 
like that.



I haven't bothered with a detailed critique of the paper.


Here you go:

1.  You can add extra Subject and From headers!

2. There are changes that don't change the semantics of the message (much)
   but break the signature!

The first was beaten to death by someone we both know at innumerable IETF, 
M3AAWG, and other meetings.  The other is mentioned in the spec.


We should strongly consider producing such a treatment, with a title 
like "DKIM Pragmatics" or the like.


We could do that but I don't see any reason to think that the people who 
haven't read any of the other good advice would read it.


R's,
John


Re: [dmarc-discuss] Anything to be done about DMARC failures caused by internal Microsoft forwards?

2017-07-16 Thread John R Levine via dmarc-discuss

So, what am I trying to accomplish, aside from the trivial goal of
making hackers stop emailing me?


As we hardly need tell you, there's no cure for stupid.  Perhaps a comment 
in your DMARC record saying that bug reports will be met with ridicule, 
and some procmail scripts to ridicule any bug reports that mention DMARC 
would help.



It feels to me like my unease about DMARC stems from the fact that the
folks who wrote the spec and the sites that are enforcing DMARC have a
markedly different philosophy than I do about email.


DMARC was originally intended for places like Paypal that have severe 
forgery problems and consciously are willing to lose some mail in return 
for less forgery.  (It probably helps that the only mail Paypal sends says 
"something happened, log in to your account to see what it is.")  Then AOL 
and Yahoo used it to outsource the costs of having their user address 
books stolen and things went downhill from there.  Now as you've seen it's 
the FUSSP of the month.


I use p=none and ask for reports, which I process automatically with some 
little scripts that put the interesting bits in a mysql database at which 
I very occasionally look.  Sounds like that's right for you, too.


The scripts are here:  https://www.taugh.com/rddmarc/

R's,
John


Re: [dmarc-discuss] FBL via DMARC?

2016-11-29 Thread John R Levine via dmarc-discuss
What would be great is if this RFC could have some language discussing 
having a confirmation dialog to prevent these accidental mistakes from 
happening.


It does.  It says that the whole point of this draft is to have a 
non-interactive unsubscribe that mail systems can do in the background 
when people report mail as spam.


Mailers may not like it, but it's what recipient systems want, and what 
they've told me they're going to do.


R's,
John


Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

2016-02-08 Thread John R Levine via dmarc-discuss

It is even worse than I thought, you really want to stop efforts in
fighting phish, by muddling the waters between real domains and fake ones


There's no muddling going on.  dmarc.fail is a real domain that should 
have an excellent reputation since it sends no phish.




sigh!

On Sun, Feb 7, 2016 at 1:02 PM, John R Levine  wrote:


mailing list.  For example. mail from mari...@yahoo.com turns into
mari...@yahoo.com.dmarc.fail.

Except that @yahoo.com.dmarc.fail is not a domain that exists, and will
negatively impact the email deliverability.



Why in the world would you say that?  It not only exists, it's DNSSEC
signed which is more than you can say about linkedin.com.

Forwarding email addresses in yahoo.com.dmarc.com exist for a couple of
days after someone at the corresponding yahoo.com address sends mail
through any of my mailing lists, same for any other address in a domain
with a DMARC policy.

R's,
John

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.


Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

2016-02-07 Thread John R Levine via dmarc-discuss

mailing list.  For example. mail from mari...@yahoo.com turns into
mari...@yahoo.com.dmarc.fail.


Except that @yahoo.com.dmarc.fail is not a domain that exists, and will
negatively impact the email deliverability.


Why in the world would you say that?  It not only exists, it's DNSSEC 
signed which is more than you can say about linkedin.com.


Forwarding email addresses in yahoo.com.dmarc.com exist for a couple of 
days after someone at the corresponding yahoo.com address sends mail 
through any of my mailing lists, same for any other address in a domain 
with a DMARC policy.


R's,
John

; <<>> DiG 9.8.3-P1 <<>> yahoo.com.dmarc.fail mx +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30940
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.com.dmarc.fail.  IN  MX

;; ANSWER SECTION:
yahoo.com.dmarc.fail.	3585	IN	MX	20 mail1.iecc.com.
yahoo.com.dmarc.fail.	3585	IN	RRSIG	MX 8 2 3600 2016040300 
20160201054514 58563 dmarc.fail. 
IZIPS60KsnOEFMX/gYo/3o8zzlIzfhFTrmo2IkbKMLWoWQPIAwXLZRDk 
jXXmymrxYSJ1k3yUUVztCSKzDBWFu4WvYiUwpc9NbG3v7DdN1OwUkxcM 
RgjmqjMxwPcQI1RFoJkgPD1V3azJDOV/f73bd4HPimVD5r6SP/s/v3gc 1s8=

;; AUTHORITY SECTION:
*.k1602._domainkey.dmarc.fail.	7185	IN	NSEC	dmarc.fail. TXT RRSIG NSEC
*.k1602._domainkey.dmarc.fail.	7185	IN	RRSIG	NSEC 8 4 7200 2016040300 
20160201054514 58563 dmarc.fail. 
Ue/IR/Gdy4DJHsEJgToONRMP9j5Skyf8hxIHCCGPTyNc+URgtJFDpilS 
21MTC7zuCIt4fIKV8x428VJDzg2fZzMFQNDuMmtvs8aLMVL6TGAfKlVQ 
NjbYowFrS6g5xTFpkm5SdJmNnLreymuVksVFeniO2Td2+bn2Vvr7hzfc iAw=
dmarc.fail.	1429	IN	NS	sdn.iecc.com.
dmarc.fail.	1429	IN	NS	osdn.iecc.com.
dmarc.fail.	1429	IN	NS	light.lightlink.com.
dmarc.fail.	1429	IN	RRSIG	NS 8 2 3600 2016040300 
20160201054514 58563 dmarc.fail. 
sZOP1+0qp3pCrk0l9VcEivHak4+v2I32jp9m6iysYTO49m6s6qadiyIy 
I3O21vr4Tk5V+XoN9F/zaIctT4nvDH2mIiDN24cB2uGb05zRg809ars5 
WqOOBCBkYiKJUNi95LmZ0W2VCXqVwTxEYLC4r9EFoBGEm/dloDcWVjG7 Z6A=

;; Query time: 0 msec
;; SERVER: 192.168.80.2#53(192.168.80.2)
;; WHEN: Sun Feb  7 15:57:10 2016
;; MSG SIZE  rcvd: 707
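The From: rewrite described in this message (user@yahoo.com becoming user@yahoo.com.dmarc.fail when the poster's domain publishes a DMARC policy), together with the reverse mapping the forwarding addresses need, as an added example that is not John Levine's code or the dmarc.fail software. It assumes rewriting applies to p=reject and p=quarantine only, and replaces the DNS lookup with a constructed table of _dmarc TXT records.

```python
# Added example, not the list software on the page: a mailing list's
# From: rewrite for DMARC-protected poster domains, plus the reverse map
# the forwarder needs. DNS is replaced by a constructed record table.
from typing import Optional

REWRITE_DOMAIN = "dmarc.fail"   # the list's forwarding domain, as on the page

# Constructed _dmarc TXT records standing in for a DNS lookup (assumption).
FAKE_DNS = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yahoo.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:r@example.net",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, ignoring malformed parts."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(domain: str) -> Optional[str]:
    """Return the p= policy of a domain, or None if no DMARC record exists.
    (Organizational-domain fallback and sp= are left out for brevity.)"""
    record = FAKE_DNS.get("_dmarc." + domain.lower())
    if record is None:
        return None
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None                      # not a DMARC record: treat as absent
    return tags.get("p", "").lower() or None

def rewrite_from(addr: str) -> str:
    """user@domain -> user@domain.REWRITE_DOMAIN when the domain's policy is
    reject or quarantine (assumption); otherwise the address is untouched."""
    local, _, domain = addr.rpartition("@")
    if dmarc_policy(domain) in ("reject", "quarantine"):
        return f"{local}@{domain}.{REWRITE_DOMAIN}"
    return addr

def original_address(addr: str) -> Optional[str]:
    """Reverse mapping used by the forwarding address: strip the suffix."""
    local, _, domain = addr.rpartition("@")
    suffix = "." + REWRITE_DOMAIN
    if not domain.lower().endswith(suffix):
        return None                      # not one of our rewritten addresses
    return f"{local}@{domain[:-len(suffix)]}"
```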
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] Google paper on email security mentions DMARC

2015-11-17 Thread John R Levine via dmarc-discuss


Seeing as DNSSEC hasn't been done to many (if any) google domains, I wouldn't 
expect dane to be implemented yet either.

"DNSSEC has not been widely deployed— recent studies have
found that less than 0.6% of .com and .net domains have deployed
DNSSEC [46]"


DNSSEC still has some serious deployment issues.  I sign all the DNS zones 
on my server, but I can only install the required DS records for about 
half of them, because the registrars won't talk to me because I'm not the 
registrant, my users are.


DMARC at least doesn't have that problem.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Still having problems with third-party sending

2015-08-20 Thread John R Levine via dmarc-discuss

I've been looking at examples. I'm not sure how to solve the problem of 
recipient perception of the subdomain.  We have been so effective at 
convincing people that email addresses that look different from what you 
are expecting are a phishing attack and they should simply delete it 
that they do not respond to our subdomain emails but still fall for real 
phishing.  Yes, the irony is not lost on me.


Take a look at some of the stuff you get from big brands.  People don't seem 
to find off...@email.bigcorp.com very different from off...@bigcorp.com. 
These days most MUAs don't even show the address, just the From: header 
comment.


Another issue with subdomains is the return address. Maybe a customer 
can alias one domain on top of another, but that also triggers suspicion 
on the part of the recipient. Not sure how to handle that one.


Same answer.  Suspicion?  Of an address they don't even see?


DKIM selectors are for key management, ...


Maybe the misunderstanding speaks to a common conceptual model for 
outsiders?


I believe it is more due to not reading the documentation.

What are the implications of generalizing selectors to 
identifying different streams?


You have something that is not DKIM.  See RFC 6376, particularly section 
3.


You've already got the answer -- if you want the streams all to use the 
same domain, whoever manages the domain has to manage the DNS records, and 
if you want DMARC reports, arrange for someone to receive the reports and 
process them however is useful, which might include segmenting them by 
characteristics known to the domain manager.  If the domain manager cannot 
or will not do that, use subdomains or different domain names.


R's,
John
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] the obvious lookalike attack

2014-06-07 Thread John R Levine via dmarc-discuss

Yes, but users[*] more-or-less have learnt to expect contrived messages 
from mailing lists (altered Subject, footer added, and now altered From 
line...), ...


The users on my mailing lists have no clue about a buggered From: line. 
How many lists do you run?


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail

2014-05-09 Thread John R Levine via dmarc-discuss

This is hardly a solution, both because it's utterly undocumented, and
it requires a kind of spam filtering that not everyone wants or can
afford.


Assuming by this you mean use of DMARC results as a non-absolute filter
input, isn't that how most everyone treats SPF these days?


Yes, as far as I can tell.  The only people I know who reject on SPF -all 
tend to be running home linux boxes.


On the other hand, the set of mail screwed up by SPF -all has very little 
overlap with the mail screwed up by DMARC, so it's hard to predict how 
relevant that will be.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)