
Re: DMARC: perspectives from a listadmin of large open-source lists

2014-04-08 10:55:39
On Tue, Apr 08, 2014 at 12:21:46AM -0400, John R Levine wrote:
> You would have to track which forwarders are well behaved and add
> valid X-O-A-R headers, but if you can do that, you can skip the header
> analysis and just whitelist the mail from the well behaved forwarders.

The XOAR proposal does specify:
| The X-Original-Authentication-Results header is only useful if the
| forwarder is trusted.  The forwarder is free to modify the headers and
| body of the message however it wishes and can generate new signatures
| over arbitrary X-Original-Authentication-Results headers.  Thus, the
| user SHOULD only trust X-Original-Authentication-Results if the message
| was delivered by known good forwarders, and forwarders SHOULD NOT
| propagate X-Original-Authentication-Results unless the previous
| forwarder is known to be good.
|
| For the purposes of this memo, a message was delivered through trusted
| forwarder if:
| - The DKIM signature passes
| - The DKIM domain is a trusted forwarder

I think the original scenario you described could be implemented by bad
players as follows:
- set up a mailman instance with DMARC support, that forges the XOAR
  header.
- Ensure that the mailman outgoing mail passes SPF+DKIM for the domain
  in question.


> Note that there are also well behaved things that don't pass DMARC and
> don't have any original authentication results to report, with the usual
> examples being mail-an-article at the NY Times and Wall Street Journal.
Those uses shouldn't be considered valid, and NYTimes has already moved
away from that, at least as of my test 5 minutes ago.
| MAIL FROM:<emailthis@ms3.lga2.nytimes.com>
| RCPT TO:<robbat2@gentoo.org>
| DATA
| ...
| From: robbat2 <emailthis@ms3.lga2.nytimes.com>
| Sender: emailthis@ms3.lga2.nytimes.com
| To: robbat2@gentoo.org
| ...

>> The problem described WILL vanish when all mailing list apps implement
>> DMARC, but until then, it's really broken.
> Mailing list apps can't "implement DMARC" other than by getting rid of
> every feature that makes lists more functional than simple forwarders.
> Given that we haven't done so for any of the previous FUSSPs that didn't
> contemplate mailing lists, because those features are useful to our users,
> it seems unlikely we'll do so now.
By implement DMARC, I meant implement XOAR headers; VERP is too useful
to running lists to get rid of. Non-VERP bounce messages are still too
generic, even in this modern day.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

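The two trust conditions quoted from the XOAR proposal above (the forwarder's DKIM signature verifies, and the signing domain is a known-good forwarder) and the forged-XOAR scenario Robin describes can be checked mechanically by the receiving MTA. The following Python is an added example written for this archive page, not code from the thread, from the XOAR draft, or from any list software. The authserv-id `mx.example.org`, the trusted-forwarder set, and the sample messages are all constructed assumptions; a real deployment would verify DKIM itself and feed the result in, rather than parsing its own Authentication-Results header as done here.

```python
import email
import re

# Assumptions for this example: the receiving site's own authserv-id and its
# allowlist of forwarders whose XOAR headers are believed.
AUTHSERV_ID = "mx.example.org"
TRUSTED_FORWARDERS = {"lists.example.net"}


def parse_authres(value):
    """Parse an Authentication-Results-style value into (authserv_id, results).

    Each result is {"method", "result", "props"}; e.g. "dkim=pass header.d=x"
    becomes {"method": "dkim", "result": "pass", "props": {"header.d": "x"}}.
    """
    stanzas = [s.strip() for s in value.split(";")]
    authserv_id = stanzas[0].split()[0]
    results = []
    for stanza in stanzas[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", stanza)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results.append({"method": method, "result": result, "props": props})
    return authserv_id, results


def dkim_pass_domains(msg):
    """Domains for which OUR MTA recorded dkim=pass.

    Only stanzas carrying our own authserv-id count. The MTA must have
    stripped any pre-existing Authentication-Results claiming that id on
    ingress (RFC 7001 requires this), otherwise an attacker could inject one.
    """
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(value)
        if authserv_id != AUTHSERV_ID:
            continue
        for r in results:
            if r["method"] == "dkim" and r["result"] == "pass":
                d = r["props"].get("header.d")
                if d:
                    domains.add(d.lower())
    return domains


def xoar_verdict(raw_message):
    """Return the original {method: result} map from XOAR, or None.

    XOAR is honoured only if the message was DKIM-signed by a domain in
    TRUSTED_FORWARDERS and that signature verified at our MTA. A forwarder
    that merely passes SPF+DKIM for its own domain (the attacker mailman in
    the thread) gets None: its forged XOAR is ignored.
    """
    msg = email.message_from_string(raw_message)
    if not (dkim_pass_domains(msg) & TRUSTED_FORWARDERS):
        return None
    xoar = msg.get("X-Original-Authentication-Results")
    if xoar is None:
        return None
    _, results = parse_authres(xoar)
    return {r["method"]: r["result"] for r in results}


# Constructed sample messages (not real traffic).
# 1. Relayed by the trusted list; its DKIM signature verified at our MTA.
VIA_TRUSTED_LIST = """From: alice@sender.example
To: bob@example.org
Subject: [list] hello
Authentication-Results: mx.example.org; dkim=pass header.d=lists.example.net; spf=pass smtp.mailfrom=lists.example.net
X-Original-Authentication-Results: lists.example.net; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example
List-Id: <list.lists.example.net>

hi
"""

# 2. Attacker's own mailman: DKIM and SPF pass for evil.example, and it
#    forges an XOAR vouching for bank.example. Not a trusted forwarder.
FORGED_XOAR = """From: alice@bank.example
To: bob@example.org
Subject: [list] urgent
Authentication-Results: mx.example.org; dkim=pass header.d=evil.example; spf=pass smtp.mailfrom=evil.example
X-Original-Authentication-Results: evil.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example

please wire money
"""

# 3. Direct delivery, no forwarder and no XOAR: nothing to override.
DIRECT = """From: alice@sender.example
To: bob@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example

direct
"""

if __name__ == "__main__":
    for name, raw in [("via trusted list", VIA_TRUSTED_LIST),
                      ("forged XOAR", FORGED_XOAR), ("direct", DIRECT)]:
        print(name, "->", xoar_verdict(raw))
```

The verdict for the forged case is None, so the receiver falls back to its own Authentication-Results (which show the message came from evil.example, not bank.example) and bank.example's DMARC policy applies to that. The example also makes the residual risk explicit: the allowlist is the whole trust model, so a compromised or careless trusted forwarder can launder any XOAR it likes.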
