It appears that Barry Leiba <barryle...@computer.org> said: >> - An attacker sends 10 messages that maliciously impersonates a >> big bank. With help from DMARC p=reject, the evaluator blocks >> them all. The attacker follows up with 10 messages that >> maliciously impersonate a major university. The stupid >> evaluator says, "p=none means no problem here". The message is >> accepted and the user is harmed because the evaluator learned >> nothing from blocking the successful attack. > >This is a useful point, and I think we should do something with it.
Sorry, but I completely disagree. The interesting filtering data is that a bunch of unauthenticated mail arrived from some source. As we have learned over and over, someone's DMARC policy tells you nothing about the threat level or whether the failure is an attack or a mailing list, only that someone decided for whatever reason to publish p=reject. If a source sends a burst of unauthenticated mail, it could often be a good idea to give that source a poor reputation. Or maybe you have a reason to believe otherwise, e.g., it's been sending bursts of unauthenticated mail for years, nobody's ever marked it as spam, because it's some kind of courtesy forward. Note that you would do exactly the same thing if the burst of unauthenticated university mail preceded the burst of bank mail. It's the authentication failure that tells you that there may be a problem, not the DMARC policy. Mail filtering is complicated, so much so that handling the signals is more than a full time job at many mail systems. I expect that large mail systems have their own ideas abou who's a bank, who's a university, who's a public mail system, and so forth. You get exactly none of that from DMARC. After all, yahoo is p=reject, gmail and hotmail/outlook are p=none. I am so tired of people imagining that DMARC is more than it is. R's, John _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc