Doug, you’ve done a fine job of explaining as I groked what you said. If I get I think most people here got it. I’ve been busy with work and personal life so haven’t had as much time to lurk here. I’m curious what sparked your concern now? Also, isn’t it best to block first and ask questions later to mitigate damage while you investigate? I guess I’m saying the two ideas aren’t mutually exclusive.
Neil > On Jul 15, 2023, at 4:27 AM, Douglas Foster > <dougfoster.emailstanda...@gmail.com> wrote: > > > Murray recently observed, correctly, that something went horribly wrong with > the DMARC rollout, because it caused (continues to cause) many safe and > wanted messages to be blocked. > > My assessment was in a recent post: > > Something about the language of RFC 7489 caused implementers to focus on > blocking individual messages, when the appropriate use of DMARC is to > identify and investigate potentially malicious sources. > > The "message blocking" approach violates the interests of the users it is > intended to protect: > > - An attacker sends 10 messages that maliciously impersonates a big bank. > With help from DMARC p=reject, the evaluator blocks them all. The attacker > follows up with 10 messages that maliciously impersonate a major university. > The stupid evaluator says, "p=none means no problem here". The message is > accepted and the user is harmed because the evaluator learned nothing from > blocking the successful attack. > > Consider a variant of the above: The attacker never impersonates a big bank > with p=reject, it only impersonates big universities with p=none. The > foolish evaluator blocks nothing because it only acts on domains with > p=reject. Again, the user is harmed. > > And we know the flip side: Safe and wanted messages get blocked because > p=reject is enforced without investigation against mailing lists and other > traffic. > > Security theory says that ANY unauthenticated message COULD be a malicious > impersonation, and worthy of investigation. Experience says that malicious > impersonations are a small percentage of all unauthenticated messages. As a > result, the appropriate response to an authentication failure is to > investigate, not to block. > > I don't know exactly how to communicate the difference between message > blocking and sender investigation in DMARCbis, but I sure hope that we will > try. > > Doug Foster > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
