[dmarc-discuss] General DMARC weakness - personal forwarding
vesely at tana.it
Fri Jun 1 02:04:56 PDT 2018
On Fri 01/Jun/2018 07:40:07 +0200 Roland Turner via dmarc-discuss wrote:
> On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote:
>> My filtering ability is visible to the people I forward to. Although targets
>> don't see what I spare them, they can imagine. If you receive spam from me,
>> you lower my reputation. Easy.
>> OTOH, my good faith ARC signing has to be assumed. To prove the opposite, you
>> start with a message I forward to you; say it ARC-claims I received it from X.
>> Afterwards, you need to contact X and have them deny they ever sent it. A
>> rather impractical method, especially since you need an X such that you can
>> trust their word against mine. How come?
>> Orthogonality is broken by mandating filter-before-forward. That way,
>> receivers of ARC-signed, obvious spam can infer that the corresponding ARC
>> signature is faked. The better the filtering, the stronger the trust, and the
>> more evident will a possible ARC key compromise be. So, if you pardon my
>> geometry-fictional wording, the "trust not to lie in ARC signing/sealing" gets
>> measured by assessing its projection onto the filtering axis.
> OK, I see what you're getting at (and therefore why you mentioned spam traps).
> As a [large] receiver, I would not be tackling it in this way at all, mostly
> because I don't get to ask any of the Xs what the truth is, but also because
> spam filtering and ARC signing really are largely orthogonal capabilities
> (and to the extent that they're not, there's too much noise to make good use of
> the results). I would instead - to further extend the use of over-specified
> geometric analogies - be performing something akin to gravitational lensing:
> * For each of [tens of] thousands of domain names, I have from their email
> received directly an assessment of their expertise at ensuring that their
> email can be authenticated, broken down by stream (IP address, subnet,
> service provider, etc.).
> * For each forwarder, I can see how they're reporting authentication results
> for many of the same senders at the same IP addresses, assuming that SPF
> authentication results are included in ARC.
> * From this I can determine whether the forwarder is ARC-signing correctly.
> Note that this is different to comparing the forwarder's probabilistic spam
> filtering with my own; in the ARC-signing case there are correct actions
> and incorrect actions, and a large receiver has enough information to tell
> which a forwarder is doing.
> Note that none of these steps has any relationship with spam which - given that
> spammers can (and do) cause their email to authenticate, and legitimate senders
> can (and do) fail to do so - is as it should be.
> - Roland
> 1: Yes, it is likely that forwarders who are exceptionally good at spam
> filtering will tend to be really good at ARC signing, but most of the important
> information is about forwarders who aren't exceptionally good at filtering, so
> this correlation appears largely unimportant.
> 2: or registrants, to the extent that this information becomes available again
> once ICANN stops arguing absurdities in front of European courts and focuses on
> the actual problem
I see. As a small receiver, I didn't even think about comparing different
forwarders of the same senders. In my case, such coincidences only cover a
handful of trusted mailing lists. Your argument further confirms how ARC
better suits large receivers.
Thank you for a nice discussion
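
Added example, not part of the thread and not code from any participant: a sketch of the cross-check Roland outlines in his three bullet points, comparing the SPF results a forwarder reports in ARC against the results the receiver has observed directly for the same sender and IP address. The record layout, thresholds, function names, and sample data are constructed assumptions; the "insufficient-overlap" verdict corresponds to the small-receiver case in the reply above.

```python
from collections import Counter, defaultdict
# Constructed sample data (not from the thread).
# Direct observations: (sender_domain, client_ip, spf_result) on mail received directly.
DIRECT = (
    [("bank.example", "192.0.2.10", "pass")] * 40
    + [("shop.example", "198.51.100.7", "pass")] * 30
    + [("shop.example", "198.51.100.7", "fail")] * 1
    + [("news.example", "203.0.113.5", "fail")] * 25
    + [("flaky.example", "203.0.113.9", "pass"), ("flaky.example", "203.0.113.9", "fail")] * 10
)
# ARC claims: (forwarder, sender_domain, client_ip, spf_result), assumed already
# extracted from each forwarder's ARC-Authentication-Results header.
ARC_CLAIMS = (
    [("fwd-good.example", "bank.example", "192.0.2.10", "pass")] * 20
    + [("fwd-good.example", "news.example", "203.0.113.5", "fail")] * 10
    + [("fwd-good.example", "flaky.example", "203.0.113.9", "pass")] * 4
    + [("fwd-bad.example", "news.example", "203.0.113.5", "pass")] * 15
    + [("fwd-bad.example", "bank.example", "192.0.2.10", "pass")] * 5
    + [("fwd-small.example", "bank.example", "192.0.2.10", "pass")] * 3
)

def stable_streams(direct, min_obs=20, min_share=0.95):
    """Map (domain, ip) -> expected SPF result, keeping only streams whose
    directly observed result is consistent enough to act as a reference."""
    tally = defaultdict(Counter)
    for domain, ip, result in direct:
        tally[(domain, ip)][result] += 1
    baseline = {}
    for stream, counts in tally.items():
        result, n = counts.most_common(1)[0]
        total = sum(counts.values())
        if total >= min_obs and n / total >= min_share:
            baseline[stream] = result
    return baseline

def score_forwarders(claims, baseline, min_overlap=10, min_agree=0.98):
    """Per forwarder: (verdict, agreeing claims, comparable claims)."""
    agree, seen = Counter(), Counter()
    for fwd, domain, ip, result in claims:
        expected = baseline.get((domain, ip))
        if expected is None:
            continue  # no reliable direct view of this stream, so no comparison
        seen[fwd] += 1
        agree[fwd] += result == expected
    report = {}
    for fwd in sorted({c[0] for c in claims}):
        if seen[fwd] < min_overlap:
            verdict = "insufficient-overlap"  # too few shared streams to judge
        else:
            verdict = "consistent" if agree[fwd] / seen[fwd] >= min_agree else "inconsistent"
        report[fwd] = (verdict, agree[fwd], seen[fwd])
    return report
```

Nothing here looks at message content or spam verdicts; the score depends only on whether the forwarder's reported authentication results match what the receiver already knows about each stream.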