On 11/18/20 3:49 PM, John Levine wrote:
> In article <0f1c26b8-e101-8630-ba9b-8acaf59ac9b5@xxxxxxxx> you write:
>> It was certainly our intention that it was at least for enterprise since
>> that's the use case we were most interested in at Cisco. But Ned is
>> right that a lot of our motivation at Cisco was driven by spear
>> phishing. We didn't ultimately succeed because there were just too many
>> things emitting mail in closets from 386 servers everybody was afraid to
>> turn off. I hope it's a different situation now after 15 years.
>
> DMARC includes a reporting feature you can turn on without turning on
> any of the policy stuff. It's exactly so you can find those servers in
> closets. Cisco now publishes a p=quarantine DMARC policy which
> suggests they think their random server problem is under control.

The larger problem we had was that Cisco did lots of acquisitions which
made it really hard to know what we were up against. I like the
reporting feature, but the rest of it looks like warmed-over ADSP to me.

>> The funny thing about this non-repudiation issue is that I don't recall
>> anybody bringing it up, and that's probably because it was a non-issue
>> then because submission authentication was pretty rare. DKIM couldn't
>> prove anything beyond that it was the domain that sent it, which is
>> pretty ho-hum for, say, a Gmail.
>
> Large webmail systems have always been pretty strict about what header
> addresses you can use. I don't think it was ever easy for one Gmail
> user to send mail pretending to be another.

But it was turning on submission auth that makes a really good case that
a person did in fact send that piece of email. I wonder if this has been
used legally yet? Most likely the vast majority of the time it doesn't
need to come down to that.

Mike
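As an added illustration of the point about turning on DMARC reporting without any policy (example code added here, not from the thread and not Cisco's or any mail vendor's tooling): a small Python parser that reads a DMARC TXT record and classifies it as reporting-only (p=none with an rua= destination, the mode used to discover forgotten senders), a no-op (p=none with nowhere to send reports), or enforcing (p=quarantine or p=reject). The two records and the mailbox names in them are constructed placeholders.

```python
"""Parse a DMARC TXT record and say what it actually does.

Added example, not part of the original thread. The sample records and
the example.com mailboxes below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DmarcRecord:
    policy: str                                   # p= tag: none, quarantine or reject
    rua: list[str] = field(default_factory=list)  # aggregate-report URIs
    ruf: list[str] = field(default_factory=list)  # failure-report URIs
    pct: int = 100                                # share of messages the policy applies to
    tags: dict[str, str] = field(default_factory=dict)


def _split_uris(value: str) -> list[str]:
    """rua/ruf hold a comma-separated list of URIs; drop empty entries."""
    return [u.strip() for u in value.split(",") if u.strip()]


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split 'tag=value; tag=value' into a record, checking the required tags.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; anything else
    (rua, ruf, pct, adkim, aspf, ...) is optional and kept verbatim in .tags.
    """
    tags: dict[str, str] = {}
    for raw in txt.split(";"):
        part = raw.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")

    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")

    return DmarcRecord(
        policy=policy,
        rua=_split_uris(tags.get("rua", "")),
        ruf=_split_uris(tags.get("ruf", "")),
        pct=pct,
        tags=tags,
    )


def classify(rec: DmarcRecord) -> str:
    """Reduce a record to what it does to mail that fails DMARC."""
    if rec.policy == "none":
        # p=none never affects delivery; it is only useful if reports go somewhere.
        return "reporting-only" if rec.rua else "no-op"
    if rec.pct < 100:
        return f"enforcing ({rec.policy} on {rec.pct}% of failures)"
    return f"enforcing ({rec.policy})"


# Constructed sample records (placeholders, not any real domain's policy).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
QUARANTINE = ("v=DMARC1; p=quarantine; pct=100; "
              "rua=mailto:dmarc-reports@example.com; "
              "ruf=mailto:dmarc-forensics@example.com")
SILENT = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, txt in (("monitor", MONITOR_ONLY), ("quarantine", QUARANTINE), ("silent", SILENT)):
        rec = parse_dmarc(txt)
        print(f"{label:>10}: {classify(rec)}  rua={rec.rua}")
```

Publishing the first record is the "find the servers in the closets" step: receivers start sending aggregate reports listing every source IP that sent mail for the domain, and nothing is quarantined or rejected until the policy is changed. The third record is a common mistake: p=none with no rua= tag neither reports nor enforces.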