If you are evaluating messages, you are free to use any strategy that seems worth your effort.
However, if you are the sender of messages that cannot produce DMARC PASS, you have a bigger problem. You need an algorithm which can be trusted to usefully distinguish between malicious and non-malicious senders, and has an expectation of widespread implementation. I don't think such an algorithm exists. For the evaluator, we need to consider diminishing returns on effort. First, I discard any messages from senders with bad reputations, then I discard messages with bad content, then I allow messages that pass sender authentication. What is left is a set of messages which have no visible problems but which might (or might not) represent malicious impersonations of a legitimate sender. How much additional processing power is required to achieve how much improved decision-making? It might be useful to parse the RECEIVED chain to look for known-bad IP addresses or DNS names, but it is not an easy algorithm. It might be possible to develop a reliable NP rule that blocks messages with domain names that are unregistered or not used for email, but we are not there yet and those messages are likely to be a small subset of the problem. Attempts at additional granularity will encounter problems like "Can I reliably identify messages that were forwarded?" and "Can I reliably identify messages that come from a mailing list?" Not easily. Of course, one can choose "Always Block" as AOL has done, or choose "Always Allow", as I suspect many others have done. Neither approach is optimal. At some point, the best answer comes from actually looking at the message to answer the question, "Is this a message that I want?" Once an answer is obtained, I need to create a local policy rule which implements my answer for all future messages that have the same fingerprint. We have never described the exception process, and as a result many products have exception mechanisms that are inadequate and inappropriate. I believe that a document which describes the exception process will be the best that we can do and will be a big step forward. I have begun experimenting with drafts, but am not ready to submit one yet. Doug Foster On Mon, Nov 22, 2021 at 6:28 PM Wei Chuang <weihaw= [email protected]> wrote: > Hi all, > > [Standard disclaimer, that the comments below are my own and don't > represent my employer at all] > > I saw Ale's draft draft-vesely-dmarc-mlm-transform > <https://datatracker.ietf.org/doc/html/draft-vesely-dmarc-mlm-transform> > in the ARC list, and wanted to discuss some of the ideas. Just to put in > context my points- My understanding is we have to trust the forwarders to > use the ARC authentication results, which we might not have because the > forwarder is new, or has low volume. Moreover mailing lists do much of the > modifications that break DMARC. This is a common enough scenario that I > think it's useful to consider alternatives such as the ideas found in Ale's > draft. The numbered bullets are ideas summarized from Ale's draft, and > asterix * bullets are my comments about that. > > 1. Ale's draft suggests not reversing all possible transforms, and rather > focuses on a subset caused by mailing lists that are reversible > * Could ARC be suitable for those other scenarios? Could we expect that > forwarders that do more substantial irreversible rewriting such as > modifying URLs in a spam/phishing filter MTA, already have a strong > relationship with the receiver? Presumably, might they be trusted by the > receiver and their ARC result could be used? > 2. Footers must only be added with as a) append on single text/plain part > b) mime part appended to multipart/mixed c) mime wrap where a footer is > added in a new multipart/mixed. > * It's not very clear to me how Ale's draft handles the b) and c) > scenario. (There is mention of "reason="transformed"", but this still > seems incomplete) I saw that Murray has a draft > draft-kucherawy-dkim-list-canon > <https://datatracker.ietf.org/doc/html/draft-kucherawy-dkim-list-canon> that > identifies addition of new mime parts that could be helpful there. > 3. Footers added to text/plain must be identified with at least four "_" > as a separator. > * Would the DKIM length "l=" field be helpful? Understood there are > abuse risks. > 4. "quoted-printable encoding must not be used for... single-part > text/plain messages, as it is impossible to guess original soft line breaks > after re-encoding" > * Are you suggesting quoted printable encoding aren't fully > reversible? Actually, could the RFC2045 canonical encoding of the message > be used as the source for doing the DKIM content hashing? This would > bypass having to worry about additional transfer re-encodings by > forwarders. > 5. Finding the original FROM by looking at From, Author, Original-From, > X-Original-From, Reply-To, and Cc. > * Can this be standardized to a fixed location such as Author? (Sorry > I'm unfamiliar with the discussion on Author) > 6. Subject > * Agreed that some simple heuristic as proposed in the draft is a good > approach. Perhaps the original subject suffix length also might work here > too. > > Comments and discussion are very much welcome. > -Wei > > > > > > > > > > > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
