[dmarc-discuss] General DMARC weakness - personal forwarding

Alessandro Vesely vesely at tana.it
Fri Jun 1 02:04:56 PDT 2018


On Fri 01/Jun/2018 07:40:07 +0200 Roland Turner via dmarc-discuss wrote:
> On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote:
> 
>> My filtering ability is visible to the people I forward to.  Although targets
>> don't see what I spare them, they can imagine.  If you receive spam from me,
>> you lower my reputation.  Easy.
>>
>> OTOH, my good faith ARC signing has to be assumed.  To prove the opposite, you
>> start with a message I forward to you; say it ARC-claims I received it from X.
>> Afterwards, you need to contact X and have them deny they ever sent it.  A
>> rather impractical method, especially since you need an X such that you can
>> trust their word against mine.  How come?
>>
>> Orthogonality is broken by mandating filter-before-forward.  That way,
>> receivers of ARC-signed, obvious spam can infer that the corresponding ARC
>> signature is faked.  The better the filtering, the stronger the trust, and the
>> more evident will a possible ARC key compromise be.  So, if you pardon my
>> geometry-fictional wording, the "trust not to lie in ARC signing/sealing" gets
>> measured by assessing its projection onto the filtering axis.
> 
> OK, I see what you're getting at (and therefore why you mentioned spam traps).
> As a [large] receiver, I would not be tackling it in this way at all, mostly
> because I don't get to ask any of the Xs what the truth is, but also because
> spam filtering and ARC signing really are largely orthogonal capabilities[1]
> (and to the extent that they're not, there's too much noise to make good use of
> the results). I would instead - to further extend the use of over-specified
> geometric analogies - be performing something akin to gravitational lensing:
> 
>   * For each of [tens of] thousands of domain names[2], I have from their email
>     received directly an assessment of their expertise at ensuring that their
>     email can be authenticated, broken down by stream (IP address, subnet,
>     service provider, etc.).
>   * For each forwarder, I can see how they're reporting authentication results
>     for many of the same senders at the same IP addresses, assuming that SPF
>     authentication results are included in ARC.
>   * From this I can determine whether the forwarder is ARC-signing correctly.
>     Note that this is different to comparing the forwarder's probabilistic spam
>     filtering with my own; in the ARC-signing case there are correct actions
>     and incorrect actions, and a large receiver has enough information to tell
>     which a forwarder is doing.
> 
> 
> Note that none of these steps has any relationship with spam which - given that
> spammers can (and do) cause their email to authenticate, and legitimate senders
> can (and do) fail to do so - is as it should be.
> 
> - Roland
> 
> 1: Yes, it is likely that forwarders who are exceptionally good at spam
> filtering will tend to be really good at ARC signing, but most of the important
> information is about forwarders who aren't exceptionally good at filtering, so
> this correlation appears largely unimportant.
> 2: or registrants, to the extent that this information becomes available again
> once ICANN stops arguing absurdities in front of European courts and focuses on
> the actual problem

I see.  As a small receiver, I didn't even think about comparing different
forwarders of the same senders.  In my case, such coincidences only cover a
handful of trusted mailing lists.  Your argument further confirms how ARC
better suits large receivers.

Thank you for a nice discussion

Best
Ale
-- 








More information about the dmarc-discuss mailing list