On Tue, Nov 19, 2024 at 7:15 AM Douglas Foster < [email protected]> wrote:
> If the WG refuses to talk about the credential upgrade problem, then the > problem does not exist? > > And if the problem does not exist, then the WG document does not need to > mention it, right? > > I don't think there's anything for DMARCbis to say about the problem. You've described the problem, in part, thusly: If the outbound gateway organization can be deceived into accepting impersonation messages, then the fraudulent message will appear fully authenticated when processed through the gateway organization and received by the recipient organization. The possibility of credential upgrade is a risk to the recipient organization. Outbound gateway organizations should prevent credential upgrade by authenticating the source of incoming messages, to ensure that they are legitimately from the stated client organization. The tools available for this purpose include: · Server-to-server authentication using login credentials. So, what if the login credentials on the submitting server are compromised. How do you propose, within the scope of the DMARC mechanism, that an outbound gateway distinguish compromised login credentials from those that have not been compromised? There is doubtless lots that has already been said and more than can be said to describe the problem of abuse of outbound mail servers through various means, but I don't believe any of it need be said in DMARCbis. If a Domain Owner permits a system to send mail on behalf of its domain, then it accepts the risks of account compromises and other abuses that might result in mail being sent that passes authentication checks without actually being authorized. DMARC's job is to prevent mail from unauthorized sources, not from authorized ones. -- Todd Herr Some Guy in VA LLC [email protected] 703-220-4153 Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
