--On Thursday, May 27, 2021 19:15 +0200 Kaspar Etter
<kaspar=40ef1p(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org> wrote:
On 27 May 2021, at 18:23, John R Levine <johnl(_at_)taugh(_dot_)com>
wrote:
We've spent a decade with people insisting that the entire
e-mail world has to change the way it works to conform to the
lastest FUSSP.
Why is domain authentication framed as a spam prevention
technique? Any messaging service which is popular, open, and
free will have spam. Spam is a problem of quantity: You just
have to bring down the amount of unsolicited messages to a
bearable level, be it with domain or IP reputation,
challenge-response mechanisms, or proof of work. Phishing, on
the other hand, is a problem of quality: A single successful
attack can do immense harm. It's not just large
organizations which are being impersonated. A popular scam is
to impersonate the victim themselves, claiming that their
account has been compromised and blackmailing them into paying
a ransom.
Just because some people will always fall for scams doesn't
mean that we shouldn't try to reduce the number of victims.
Otherwise, cars wouldn't need safety measures because some
people will always die in car accidents. Priming plays a huge
role in human psychology and there's a lot that mail clients
could do in this regard: Separate messages from unknown
senders, don't display the display name of unknown senders,
warn users when they click on links from unknown senders, warn
users if a previously authenticated sender could not be
authenticated, etc.
They understand that DMARC's limitations cause a lot of
gratuitous pain for their users who've been using mailing
lists for a long time.
I fully understand this pain and respect the motivation behind
ARC, but you cannot have (strict) domain authentication and
message rewriting. I want the former and don't care about
the latter. Maybe the solution will be that people use two
different addresses: One with domain authentication enabled
for direct conversations and one without domain authentication
for mailing lists.
Kaspar,
This is rapidly evolving into what is often known here as a
religious debate. Such debates are rarely useful: one group of
people start with fundamental and strongly held principles about
what email is about and what is therefore most important to
optimize, others have a different set, and then they often go
off and argue about things that are really just corollaries of
the assumed principles. That is also the disadvantage of trying
to construct an argument and explanation "from first
principles", especially if the hypothesized princinples are not
explicit: if others disagree with you about what those those
principles are, it may not be useful to have conversations about
the derived explanation and details.
Let me give an example using part of the above thread.
I am, personally, not a big fan of domain authentication. My
problems are tied, not to any particular detail but to two
operational/ political problems. The first is that any such
system is inherently dependent on the integrity, responsibility,
and accountability of domain name registrars and domain
operators. I guess the most charitable thing I can say about
that is that some are better than others and that their business
models and incentives may not be the same as those of email
providers, much less those of the recipient email user. Even
some email providers are problematic: absent legal action, when
was the last time you heard of a major email provider closing an
account and deleting a mailbox because it was used as the reply
address in some phishing, extortion, or other fraudulent scheme?
Or how often do you see a major provider require strong
authentication to establish a mailbox and then having terms and
conditions indicating that any fraudulent or illegal use of the
mailbox would result in termination of the account and handing
the user over to law enforcement?
Is authentication that a mailbox exists in a domain and that
someone is allowed to send mail using/ through the domain better
than nothing? Yes, clearly. How much better? Well, it cuts
down on the number of really stupid evildoers. Some of us worry
more about the smart ones, even the smart ones who have
concluded that they will be more successful making the sort of
deliberate "mistakes" that confine their likely audiences and
potential victims to really stupid users, but that is probably
another religious issue.
The political side of the problem is that, as long as someone
can behave in an evil or criminal way but do it in a way that
allows escaping any chance of punishment (such as by carrying
out the bad behavior from a country that does not consider the
behavior criminal, as least if it is not applied to their own
citizens), then, under the best of circumstances, trying to stop
the behavior is an arms race and a losing one. And, if we can
figure out ways to stop a large percentage of the evil traffic,
it actually reduces the incentives to deal with either those
underlying political /legal issues or with the education and
technology that appear to be prerequisite to making PKI-based
authentication work at an individual level for most of the email
users in the world. And, that, of course, leads to another
political/social problem: to the degree to which solutions
depend on high-quality user authentication, that level of
authentication may be incompatible with highly valued ideas of
privacy and potential anonymity.
Finally, as John Levine and others have more or less pointed
out, getting some of these problems solved may require either a
cure for human stupidity and carelessness or training,
certification, and licensing of Internet users. I have no idea
which of those is less likely.
best,
john
p.s. some of us already use different addresses for
individual/direct communications and for mailing lists. In
practice, it does not work well for the purpose you describe
with or without domain authentication because message threads,
and the addresses used with them, transition back and forth
between the two realms.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp