> On Nov 21, 2022, at 5:55 AM, Douglas Foster <[email protected]> wrote:
>
> This has nothing to do with MUST mandates. We are trying to write a document that people will choose to implement. Todd, in particular, has written several times about the principle that feedback reporting is critical to the success of DMARC. It is therefore appropriate to ask why a significant group of stakeholders have decided that they don't need to implement the whole design. If we are failing to meet their needs, we should ask whether that failure can be corrected.
>
> The rest of the data leakage discussion is best understood in terms of game theory between an attacker and a defender. Reporting suggests that DMARC is not only evaluated but also enforced, so an attacker perceives a reduced probability of success, and is less likely to attempt an attack. Conversely, absence of reporting decreases the probability that DMARC is evaluated and enforced, and therefore the attacker perceives an increased probability of success. When a server does reporting on only some domains, what does that do to the perceived probability of success when attacking a non-reporting domain? I think an attacker will reasonably conclude that it makes the probability pretty high, and the increased probability of success also increases the probability of an attempted attack.
>
> But of course, perceived probability of success does not matter if the perception is wrong. A server that enforces DMARC for all domains, whether reported or not, does not need to fear a successful impersonation attack. They may even be happy to have the attack because it gives them information needed to block the source and gain protection from other attack types. But a defender does need to worry. Which is why my original language started with the state of the defender: If a defender enforces and reports DMARC on some domains, while ignoring DMARC on other domains, then the reporting process gives valuable information to the attacker. The existence of partial reporting makes an impersonation attack on the unprotected domains more likely, and the actual lack of defenses means that the impersonation will not be detected.
>
> Therefore,
>
> (a) Domains with DMARC reporting are less likely to see an impersonation attack attempted. Reporting becomes desirable even if DMARC enforcement is not applied. Therefore it is in every recipient domain's interest to publish reports, unless the domain enforces DMARC but uses impersonation attacks as a honeypot. Consequently, I was surprised to find major players that do not report, hence the question.
>
> (b) Domains without DMARC reporting are at increased risk of an impersonation attack because they do not report. If DMARC enforcement is also missing, those attacks will not be blocked.
>
> (c) Domains that neither enforce nor report are at increased risk when they are part of a server farm that reports on other hosted domains.
>
> My original point was to identify the evaluator's self-interest and document the situation in a way that helps evaluators act in their own self-interest.
>
> My more recent topic is trying to ensure that our reporting plan is aligned with everyone's self-interest, to maximize beneficial voluntary participation.
Mr. Foster, you seem to be suggesting a game theory model. The calculus of a decision maker doesn't necessarily align with what's good for the group and chips away at their own self-interest in a slower, less obvious manner. So you seem to be suggesting that incentives could be adjusted to not feel like a low-grade deadlock. To mix metaphors, the commons requires incentive alignments or the commons degrades. So how are virtuous incentives worked in? Is it feasible?

Neil

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
