On Mon 17/Apr/2023 07:05:47 +0200 Murray S. Kucherawy wrote:
> On Sat, Apr 15, 2023 at 3:58 PM Neil Anuskiewicz wrote:
>> 1. Cousin domains. We all get that DMARC doesn’t touch those. DMARC is to
>> stop spoofing of exact domains. There are other technologies and methods
>> whose responsibility it is to track down and take down fraudsters.
>
> The claim was made that DMARC solves a real problem, which is direct domain
> attacks. I don't think anyone doubts this to be true when it's used in
> transaction-only scenarios (the opposite of what we're now calling "general
> purpose" domains).
>
> There are two things I think that are important to resolve, and not dismiss
> as red herrings:
>
> (1) Exactly how much of a win is it when it's used in a way that disrupts
> normal operations? This may turn out to be a value judgement to some
> people, pitting the value of what DMARC actually solves against the value
> of what it breaks. This is extra challenging given the IETF's bias toward
> preferring things that interoperate.

Not much, IMHO. We're halfway in the middle of the ford. Perhaps halfway+.

> (2) Exactly how much of a win is it when attackers can simply change the
> domain they're using, use a display name attack, and still successfully
> attack the same operator? If the size of what it defeats turns out to be
> small relative to the overall attack space, then I think the answer to this
> question influences the answer to the first one.

We need to be careful here. On the one hand, putting a strong barrier will aid
building additional defenses around it, such as identifying cousin domains,
mixed alphabets, and spoofed From: lines. On the other hand, we force mailing
lists to create such spoofed From: lines, and consequently force end users to
accept them. (Is that the residual ML rejections that Barry complains about?)
We should mention this point, and grant citizenship to (some of) those constructs.

> I think we should expect that these are the sorts of questions on which we
> will be challenged when we send this work out to the wider IETF. Punting
> on them as unimportant is not likely to result in a smooth ride.

Most probably you're right, but we'll cross that bridge when we come to it.

jm2c
Ale
--
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc