-----Original Message-----
From: John Levine [mailto:johnl(_at_)taugh(_dot_)com]
Sent: Monday, April 14, 2014 5:50 PM
To: ietf(_at_)ietf(_dot_)org
Cc: MH Michael Hammer (5304)
Subject: Re: protecting the Internet from DMARC damage, was perspectives
The fact is that a vocal constituency led by John Levine made it
extremely clear that MLMs were out of scope and there was zero interest
on the part of the MLM community in discussing ways in which MLMs could
be made to work in an email authentication framework even if there were
any MLM operators willing to do so. ...
DMARC must be in pretty bad shape if its proponents have to resort to
malicious lies like this. It saddens me that Mike, who I used to consider a
friend, would do so.
John, your position has been absolutely consistent through the years. Your
comments below reflect that. Your comments in the IETF-DKIM working group
reflected that as well. I'm sorry you no longer consider me a friend but your
position has consistently been "we are not broken, now go away". If the world
were encased in ambergris that might be a useful position but the world is not.
We have disagreed on this for over a decade.
My position has always been perfectly clear: mailing lists are not broken, they
provide a significant service to individual Internet mail users, and it is not our
job to spend time and money to solve other people's problems. DMARC, like
all of its predecessor authentication schemes, has a model of the way people
send mail that describes much but not all of the actual mail people send.
There are an awful lot of ways that people send mail, so this shouldn't come
as a surprise to anyone.
How does your statement substantively differ from what I wrote in my previous
post? You explicitly state that it is not your problem and it is somebody
else's problem. You have been vocal about your position for years and years.
You may not like my characterization of your position but that is your position
nonetheless. It is not simply that you took that position regarding DMARC but
that you have consistently taken that position for ANY discussion regarding
potential changes to MLMs for ANY changes that might relate to authentication.
Your position has been that the community at large can rely on "your"
reputation (the actual example you gave in the SSP discussion in 2008 related
to the IETF-DKIM list hosted by Dave Crocker). While you (or Dave) may have an
excellent reputation - and I agree that you do despite our differences - that
is not the basis for a scalable standard. You assert that lists are not and
have not been a vector for abuse. I've seen abuse through lists where
a subscriber account has been compromised. Yes it may get addressed by
operators, some faster than others. Rather than working to find a model (or
expand existing ones) to address the use cases you claim won't work or
shouldn't be changed because "we were here first and it works for us", I would
assert that it is beneficial to the community to have the discussions to come
up with standards and practices that protect end users from abuse.
The invariable next step is that some of the proponents of the scheme,
rather than recognizing and admitting to its limitations, declare that the mail
the scheme can't describe is bad and must be eradicated, with the term
"forged" often misused. People who have been around long enough will
remember when the SPF crowd demanded that everyone stop forwarding
mail, or a few people wanted to apply strict DKIM ADSP to everything.
Mailing lists are the most obvious sending scenario that DMARC doesn't
describe, but it's far from the only one.
You are absolutely correct in stating that DMARC doesn't address mailing lists
- because you have staked out a position that mailing lists should not have to
change in any way shape or form to deal with any authentication model. That is
extremely constraining out of the gate and pretty much ends any meaningful
discussion at that point. "How about if we... NO!"
I have always said that DMARC is useful for a lot of mail, such as the "spam
cannon" stuff (a comment on the volume, not necessarily the
character) that Mike's employer sends, or that Paypal and banks send.
As we have seen, it fails miserably for domains with non-employee live
users.
I haven't pushed for DMARC to be applied to domains with end users but the fact
that it "fails miserably" (for some definition of fail) reflects more on a lack
of discussion and effort on how it (or other approaches) might work (due to
intransigence) rather than the fact that it or some other approach could work.
Without exception the ways proposed to change MLMs to "to work in an
email authentication framework" have involved removing useful features
added over the decades that our users use and like, so it also shouldn't be a
surprise that we're not interested in bowdlerizing our service to solve their
problem. We also note that many of the proposed solutions are
overcomplicated and unlikely to work in practice (original-authentication-results)
or just plain won't work (turning off all subject tags, message footers,
and other message modifications.)
John, abuse is a community problem. I haven't been involved in any of the
proposed solutions regarding mailing lists which you mention for precisely the
reason that you (As the voice of MLM developers and operators) have made clear
that there is absolutely no implementation (other than leave you to your own
devices) that is acceptable. I don't count using separate IPs and signing mail
emitted by your servers (for domains other than your own) as a meaningful
effort. I'm just not the kind of guy who accepts "trust me" as a meaningful
anti-abuse solution.
If the DMARC crowd were interested in being good net citizens, there is a
way to deal with DMARC's limitations that is straightforward but not free:
whitelisting. Most of the lists I see sign their mail, and they generally use
static IP sending addresses, so they're not hard to characterize. The set of
mailing lists and other legitimate mail sources that DMARC doesn't describe is
not enormous, and it should be possible to develop shared whitelists for
them, if someone were willing to pay for doing so. (This is a much smaller
problem than trying to whitelist all "legitimate" mail.) If the list-whitelist
group said that lists need to sign their mail or use an unshared IP to get
whitelisted, you would find little resistance, both because most of us do that
already, and because it doesn't ask us to make our lists worse for our users.
You have put forward the whitelist (FUSWP - Final Ultimate Solution to the
Whitelisting Problem) solution in the face of a variety of proposals. DMARC
does not preclude whitelisting by the validating operator. In fact, it
specifically provides for local policy overrides, including one for mailing
lists. You say it is someone else's (the "DMARC crowd" as you put it) problem.
It's kind of like the old saw about truckers thinking they are in the trucking
business rather than the transportation business. We are ALL in the email space.
Your solution to mailbox providers with users that implement p=reject is to
boot the users off of mail lists and tell them to go find another mail
provider. That may work for some lists but there will be significant issues for
others. I'm not even going to delve into your comments about lists signing
their mail when sending as a domain other than themselves. That discussion has
been had multiple times in multiple forums. When presented with a mail list
signature on an email purporting to be from a given domain and an assertion
from the domain itself that constrains use of that domain, I know which one I'm
going to go with as a general rule.
When I think of your church mail list example, the first thing that came to
mind is WWJD? The second thing that came to mind is that an organization,
whether a church, a university or similar organization, might not be too
appreciative if significant donors or volunteers were told by their mail list
operator "to take a hike" because the mail list operator is upset by that
person's mailbox provider. Whether you like it or not and whether you admit it
or not, it is your problem because it is a community problem. As I have stated
before, I have not advocated that domains with users should publish a p=reject.
I do recognize that those domains may have an interest in protecting their
domains from abuse and see DMARC as a potential tool to mitigate direct domain
abuse. I say this without personally advocating for it. You have studiously
avoided one of the key underlying questions for this discussion and others:
Does the owner of a domain have the right to control or limit the use of
its domain (or other similar resources)? If not, which 3rd party gets to be
the decider? Are there any limits on the 3rd party decider? If so, who gets to
set the limits on the 3rd party decider? Be careful, it's a slippery slope.
Unfortunately, we've seen no willingness to spend their money to help us
solve their problem, and far too much of do it our way or else, because we
are bigger than you are.
Look at how you phrased the above. That translates into give us money or we
won't make any effort whatsoever. Is it really about money? I truly don't think
so. Please provide as a reference your ID for this proposed whitelisting
standard in datatracker. Absent specific detailed proposals that would induce
someone to sponsor your effort why would anyone give you money for this
whitelisting equivalent of FUSSP? Good mailers go bad. Every once in a while
bad mailers go good. I'm quite familiar with whitelisting schemes and my
personal position is "What have you done to me today?". I don't care what your
reputation has been for the last x years if you are emitting badness today. You
opened your email stating that "It saddens me that Mike, who I used to consider
a friend, would do so." You obviously don't whitelist people so why would you
expect people to accept your assertion that you (your maillist) should be
whitelisted? I am of course disappointed that you no longer consider
me a friend, but if blunt discourse on a difficult subject requires you to do
so then I accept that. Readers of this exchange can decide for themselves
whether, as you have asserted, I have maliciously lied about you. The archives
from IETF-DKIM are available as are the ones for IETF-DMARC and DMARC-DISCUSS.
I would also point people to the archives for ASRG as well for a litany of
out-of-hand rejection (although I willingly admit that many of the proposals
from newly subscribed participants did lack a certain understanding of the
problem space).
You may not like my characterization of your position but your position has
consistently - over quite a few years - been that MLMs are fine, now go away
because it is "your" problem, not mine. That is the essence of your post I'm
currently responding to. It's not a function of "them" being bigger than you.
It's a function of you not being willing to have any sort of meaningful
engagement with "them" other than on terms you dictate. It's not just large
domain owners and corporations struggling with abuse. It's domain owners of all
sizes and types. And yes, it's individuals that suffer the consequences of our
collective failure to find solutions to real world abuse. I again reiterate
that I am not personally advocating that domains with users publish p=reject
regardless of impact on others. I will say that the train has left the station
and I expect there will be other domains which, in the face of significant
abuse, will make similar decisions. Absent alternatives and seeing
that similar domains claim that the approach has provided relief for them,
this would appear to be a logical choice and not an irrational one.
With each additional domain that makes such a decision your position becomes
increasingly untenable. You (and others) might be willing to kick off list
participants from such domains if it represents some small percentage of
participants but how many list operators will do so if such participants
represent a significant portion or majority of participants? Will the
organizations that these lists are managed for accept such outcomes? Some will
but many won't. They will switch to implementers that allow them to go about
their daily activities without it being made painful for them. If a mailing
list is configured and nobody is subscribed or participates is it a mailing
list? You propose pain as a motivator but you don't seem to recognize that such
pain may motivate people and organizations to outcomes other than that which
you desire.
I recognize that this is a bitter discussion for some. It could have and should
have been a discussion held much earlier and in a different context. That is
water under the bridge. As others have asked, where should the IETF and the
larger community go from here? Punishing users as a means of getting at a
mailbox provider doesn't seem particularly constructive in the long run and as
I have indicated above may be somewhat self-defeating. IETF shunning of DMARC
may feel good but even John Levine has stated that it has benefits in
particular implementation categories (as long as no change is asked of MLMs). A
discussion of technical approaches that enable mail lists to participate in
authentication approaches for 3rd party domains without losing (significant)
functionality might be useful. Are there alternative ways of providing that
same functionality? Note that I'm not even being DMARC specific in proposing
that. John Levine has proposed whitelisting as a solution. I don't buy
into that personally but it might be a useful discussion to have - monetary
donations should not be required in order to have a discussion about this.
Apologies to all for this long missive.
Mike