On 6/25/2020 8:10 AM, David I wrote:
> From: Dave Crocker <[email protected]>
>>> set a 'From' they're not entitled to use that's of a trusted contact, and the
>>> DMARC associated with the abused domain in the 'From' has no effect and
>>> can't be used for filtering. So while you could do a similar filter on Sender, it
>>> wouldn't be as useful, and would provide less security benefit.
>>
>> Why is it useful in the From:? Seriously.
>
> Because the claimed author is an important aspect of any kind of trust
> calculation on an email, human or automated. So an aligned, authenticated
> 'From' is a strong signal.

1. Signal to what and how is it used for filtering?
2. Why isn't an aligned Sender: just as strong?
3. Arguably the actual semantics of an aligned From:, for DMARC, is for
an aligned Sender:, since the semantics of DMARC concern the
organization and not the author. Remember that From: typically
conflates both author and operator information.

>> Since the utility of DMARC has nothing to do with recipient end-user
>> decision-making,
>
> I don't really understand this assertion. The DMARC spec suggests for
> p=quarantine that unauthenticated mail ends up in a spam folder. It's assumed
> that users are less likely to open and trust mail in their spam folder (though
> it's not 100% of course). So yes, the utility of DMARC has something to do with
> end-user decision making.

Users open mail in the spam folder all the time.

>> why is DMARC's use of From: automatically better than
>> having DMARC use Sender:?
>
> Because the From field is used by software to understand where an email came
> from, and apply UI, filters, and warnings.

1. "Warnings" have no reliable utility.
2. UI behavior is what From: field alignment is breaking, given the
workarounds that MLMs have to do.
3. Filtering engines use a wide array of information; there is nothing
magical about their use of From. Also note item #3, from above.

>> Attackers do all sorts of bad things. Some of those bad things don't actually
>> matter. They might be unauthorized, ill-intended, and even make you or me
>> uncomfortable. But they don't actually have any effect on getting bad mail
>> delivered to recipients nor an effect on those recipients. Bad actors try all
>> sorts of stuff.
>
> Agreed. It's possible for bad actors to compromise mailboxes to bypass current
> DMARC-based filtering. So is DMARC pointless? No, because it increases the cost
> and complexity of the attack, which is a positive thing.

I think you missed my point. My point was that some of what attackers
do doesn't matter. It upsets us when we hear about their doing it, but
it doesn't affect discoverability and it doesn't affect recipient
behavior. We should worry about their actions that actually have a bad
effect, not worry about actions we just don't like.

>> So pointing out what an attacker might or will do doesn't end the argument.
>> What matters is the /effect/ of their actions, not the theory of their actions.
>
> The effect would be to phish people more successfully by evading the current
> DMARC checks on From alignment and filters/detections based on cousin domains.

Your claim of 'successfully' means you have objective data
substantiating the successes. Please circulate it to us.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
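
The alignment mechanics the thread argues over, written out as an added example (editor's code, not from this list or from any DMARC implementation): RFC 7489 identifier alignment applied to From:, and the same check applied to Sender: for comparison with item 3 of the reply. Assumptions: a small stand-in for the Public Suffix List, and three constructed messages: one sent directly by the author, one relayed by a list that leaves From: alone but appends a footer (so the author's DKIM signature no longer verifies), and one carrying the usual MLM workaround of rewriting From: to the list's domain.

```python
"""DMARC identifier alignment (RFC 7489, section 3.1) applied to From: and,
for comparison, to Sender:. Added illustration for the thread above; not
code from the discussion or from any DMARC implementation. The public-suffix
table and the three messages are constructed for the example."""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; real code uses the full PSL.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(header_dom, auth_dom, mode="relaxed"):
    """Strict: exact match. Relaxed: same organizational domain."""
    a, b = header_dom.lower().rstrip("."), auth_dom.lower().rstrip(".")
    if mode == "strict":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def header_domain(msg, field):
    """Domain of the single address in the named header ('' if absent)."""
    _, addr = parseaddr(msg.get(field, ""))
    return addr.rpartition("@")[2]


def dmarc_result(msg, spf_domain, dkim_domains, field="From", mode="relaxed"):
    """DMARC passes if SPF or DKIM passed AND its domain aligns with `field`.

    spf_domain: RFC5321.MailFrom domain that SPF authenticated ('' if none).
    dkim_domains: d= values of the DKIM signatures that verified.
    field is 'From' per the spec; 'Sender' models the thread's alternative.
    """
    hd = header_domain(msg, field)
    if not hd:
        return "fail"
    if spf_domain and aligned(hd, spf_domain, mode):
        return "pass"
    if any(aligned(hd, d, mode) for d in dkim_domains):
        return "pass"
    return "fail"


# Constructed messages. 1: author's direct mail. 2: relayed by a mailing list
# that leaves From: alone but adds a footer (author DKIM broken) and its own
# Sender:. 3: the common MLM workaround, rewriting From: to the list domain.
MSG_DIRECT = message_from_string(
    "From: Alice <alice@example.com>\nTo: list@lists.example.org\n"
    "Subject: direct\n\nhello\n")
MSG_LIST_UNMODIFIED = message_from_string(
    "From: Alice <alice@example.com>\nSender: list-bounces@lists.example.org\n"
    "To: list@lists.example.org\nSubject: via list\n\nhello\n-- \nlist footer\n")
MSG_LIST_REWRITTEN = message_from_string(
    "From: Alice via List <list@lists.example.org>\nReply-To: alice@example.com\n"
    "Sender: list-bounces@lists.example.org\nTo: list@lists.example.org\n"
    "Subject: via list\n\nhello\n-- \nlist footer\n")


def scenarios():
    """Evaluate each message under From: alignment and under Sender: alignment."""
    cases = {
        # (message, SPF-authenticated MAIL FROM domain, verified DKIM d= domains)
        "direct": (MSG_DIRECT, "mail.example.com", ["example.com"]),
        "list_unmodified": (MSG_LIST_UNMODIFIED, "lists.example.org", ["lists.example.org"]),
        "list_rewritten": (MSG_LIST_REWRITTEN, "lists.example.org", ["lists.example.org"]),
    }
    return {name: {"From": dmarc_result(m, s, d),
                   "Sender": dmarc_result(m, s, d, field="Sender"),
                   "displayed_author": header_domain(m, "From")}
            for name, (m, s, d) in cases.items()}


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:16s} From-aligned={r['From']:4s} Sender-aligned={r['Sender']:4s} "
              f"From domain shown to the user: {r['displayed_author']}")
```

The middle case is the one the thread is about: the unmodified list message fails From: alignment (neither the list's SPF domain nor its DKIM d= aligns with example.com) while it passes Sender: alignment, and the rewritten message passes on From: only because the domain a recipient sees as the author is now the list's, which is the UI breakage item 2 refers to.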