Mr Levine brings up the valid point that there are a lot of mail filters
with inadequate capabilities. I determined that my two products have
inexcusable weaknesses, so I went shopping.
I had only these rudimentary requirements:
- IP filtering
- Reverse DNS filtering
- Multi-factor whitelisting or some other safe mechanism for handling SPF policy mistakes.
- DMARC policy enforcement
- A secure-email method for outbound messages with sensitive content
- No domain spoofing by the product that is supposed to protect from domain spoofing.
I was blown away when I discovered:
- Products that could not do IP filtering.
- Products that could do DMARC enforcement but not Reverse DNS filtering, and the reverse.
- Vendors who had no idea what multi-factor whitelisting meant.
- High-end vendors who did domain spoofing in their secure-email solution. (They have been notified.)
Along the way, I was referred to three industry-analyst reports, and was
equally disappointed that the reports showed no evidence of a theoretical
framework on which to judge vendor differences. At least one analyst
declared the industry "mature", which struck me as odd given the damage
done by WannaCry and the obvious problems in the products I have been
examining.
I currently have exactly ONE vendor that is probably adequate, but I
curtailed the discussion when I realized his costs were way higher than
what I can interest management in spending. Overall, it appears product
vendors have no idea what is actually needed and why.
Since bad email filters are the problem, why is there no IETF working
group to define the expected behavior of email filters? More
importantly, can we start one NOW?
I have been preparing to submit an email filter evaluation RFC as an
individual, since this group seemed uninterested after an earlier post.
But it would be better as a working group document, and it might become
standards-worthy.
Doug Foster
----------------------------------------
From: "John Levine" <[email protected]>
Sent: Sunday, April 7, 2019 8:51 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs
In article <[email protected]> you write:
> The problem:
> Spammers use non-existent domains to achieve identity spoofing, such as
>tax.example.gov.uk
> This is primarily a reception problem, because many recipient mail filters
>are not equipped to block this type of fraud. ..
Right, and we can stop right there.
A decent spam filter will treat a nonexistent From: domain or envelope
bounce address as extremely suspicious and send the message into spam
folder purgatory. If someone's filters aren't doing that, it is
unlikely that they're paying much if any attention to DMARC, and no
amount of fiddling with DMARC will make any difference.
My mail server rejects anything with a non-existent bounce address at
SMTP time and I don't think it's ever rejected anything my users would
want.
The solution to this problem is for mail systems to fix their filters,
not to invent yet another mail-breaking hack that they won't use
anyway.
R's,
John
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
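
The check discussed in the thread above (reject a non-existent bounce address domain at SMTP time, send a non-existent From: domain to the spam folder), as an added example that is not code from either poster. The zone table is constructed sample data standing in for live DNS, and treating a domain that exists but has no mail host the same as a non-existent one is an assumption of this sketch.

```python
from email.utils import parseaddr

# Constructed DNS data standing in for live lookups (name -> record sets).
# Assumption: a name missing from this table answers NXDOMAIN.
SAMPLE_ZONE = {
    "example.gov.uk": {"MX": ["10 mail.example.gov.uk."]},
    "web.example.net": {"A": ["192.0.2.20"]},         # no MX: implicit MX via A (RFC 5321)
    "nomail.example.org": {"MX": ["0 ."]},            # null MX (RFC 7505)
    "txtonly.example.com": {"TXT": ["v=spf1 -all"]},  # exists, but has no mail host
}

def domain_status(domain, zone=SAMPLE_ZONE):
    """Return 'mailable', 'no-mail' or 'nonexistent' for a domain name."""
    records = zone.get(domain.lower().rstrip("."))
    if records is None:
        return "nonexistent"
    mx = records.get("MX", [])
    if mx:
        # A single "0 ." MX means the domain declares it accepts no mail.
        null_mx = all(rr.split()[1] == "." for rr in mx)
        return "no-mail" if null_mx else "mailable"
    if records.get("A") or records.get("AAAA"):
        return "mailable"
    return "no-mail"

def domain_of(address):
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2] if "@" in addr else ""

def verdict(mail_from, header_from, zone=SAMPLE_ZONE):
    """Return (action, reason) for one message."""
    # The null reverse-path "<>" (used by bounces) carries no domain to check.
    if mail_from.strip() not in ("", "<>"):
        status = domain_status(domain_of(mail_from), zone)
        if status != "mailable":
            return ("reject", f"bounce address domain is {status}")
    status = domain_status(domain_of(header_from), zone)
    if status != "mailable":
        return ("spam-folder", f"From: domain is {status}")
    return ("accept", "both domains resolve")

if __name__ == "__main__":
    # The spoofed name from the thread, under a real parent domain.
    print(verdict("bounce@tax.example.gov.uk", "Tax Office <refund@tax.example.gov.uk>"))
    print(verdict("news@example.gov.uk", "Tax Office <refund@tax.example.gov.uk>"))
    print(verdict("<>", "postmaster@example.gov.uk"))
```

In a live filter the table lookup would be replaced by MX, A and AAAA queries, and a temporary DNS failure should produce a deferral rather than a reject.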