[ih] Grotty Email behavior (better subject ID...)

[Steffen Nurpmeso]

John Levine wrote in
 <20210907025519.89354277C8E8 at ary.qy>:
 |It appears that Steffen Nurpmeso via Internet-history <steffen at sdaoden.eu> \
 |said:
 |>dcrocker at bbiw.net wrote in
 |>|The actual culprit is DMARC, which enforces authenticated From header 
 |>|field domain name use. ...
 |
 |>And RFC 9057 which added the Author: header field that likely
 |>would have avoided this obnoxious situation when it would have
 |>been shipped alongside DMARC.
 |
 |Very unlikely.

You would not believe it, but i really reread RFC 7489 ;  What
nonsense!

  ...
 |this led to vast numbers of support calls.  AOL and Yahoo independently \
 |decided
 |to outsource their support problem to the rest of the Internet by publis\
 |hing
 |a DMARC policy record that made all the forged spam bounce, with the \
 |side effect
 |of breaking every mailing list in the world.  (Yahoo knew that would \
 |happen and
 |did not care, according to someone who was in the room.)
 ...

This discussion was already in the past, you seem to remember.
User interfaces are terrible and the abstraction and
trivialization that ... leaves enough room for doing more logic
training for a better IQ test next time ... is a good thing.  My
tmux status line includes

  [2:40°/1:44° | 0.32 0.29 0.17 1/346 | RF:W~B! wlp1s0~#223/18 wgppp-104/4 browse-8/94 | 100% "" | 2021-09-07 16:03]

and funnily that starts quite a bit right of the 80 columns, not
even 30%, of the screen width i am working in.  That looks so
funny if you see it from distance!  (I still think that the
"browse" namespace counter of the Linux kernel 5.10.* is wrong and
treats receive as send and vice versa, .. because the wgppp, which
almost solely but DNS sends out via a WireGuard device, gets it
right.  But well.  wgppp now at least _does_ count again even if
it uses a WG device.)

I personally do not like DMARC at all, not its XML schemata
(help!), not the report URI mechanism (would postmaster at X not
suffice, for example), but maybe all this is really used in
practice.  I like envelopes, it is MIME, but it would mirror the
historic behaviour of enwrapping in sealed envelopes.  It seems
bitter that this cannot be used in practice; but maybe i would not
like it myself, seeing all these envelopes around the actual mail
i wrote.  I do not know.

 |The original motivation for DMARC was heavily forged commercial domains
 |like paypal.com that send direct from the company to the recipient.  The
 |only thing a message from Paypal ever says is "something happened, look
 |at the web site to see what it was" so they made a reasonable decision that
 |if a strict DMARC policy lost a little legit mail along with a lot \
 |of phishes,
 |that's a good tradeoff.
 |
 |Unfortunately, AOL and Yahoo which were at the time separate badly \
 |run companies
 |each had huge security breaches (twice for Yahoo) in which crooks stole \
 |people's
 |entire address books.  The crooks took pairs of stolen addresses and \
 |started
 |sending spam that appeared to come from a friend of the recipient. \

On the other hand that, if the big picture would allow easy S/MIME
and/or OpenPGP for everyone, to be usable at a fingertip, it would
have prevented this.  And if the user would be given the
certificate to own it, and only install it (back) to the big
provider, then this would be real freedom.

I mean, isn't that laughable.  You in U.S.A. have no problem with
looking in mirrors which state "Objects in the rear view mirror
may appear closer than they are" (i would live in fear of
accidentally not looking to the front while reading this), or
"Children can choke on nuts" (which i find a masterpiece of
reduction given what Children can possibly put in their mouth,
poor nuts, how about USB-sticks, for example!), but heck, when
looking at the mailer in the 1000$ smartphone you want it clean.

They could also have said that existence of a DMARC DNS entry
requires mails to be DKIM signed, or otherwise the mail is per se
invalid.  At that time i would have simply extended SPF with
a flag which says exactly this.  Maybe like that?  Wouldn't this
have worked?  But it is useless talk of mine as all that is not
true.

 | Not surprisingly,
 |this led to vast numbers of support calls.  AOL and Yahoo independently \
 |decided
 |to outsource their support problem to the rest of the Internet by publis\
 |hing
 |a DMARC policy record that made all the forged spam bounce, with the \
 |side effect
 |of breaking every mailing list in the world.  (Yahoo knew that would \
 |happen and
 |did not care, according to someone who was in the room.)
 |Now we have sort of a cargo cult around DMARC, with putative experts \
 |insisting
 |that everyone should have a p=reject DMARC policy because it is "more \
 |secure"
 |which it is for only a rather narrow version of "secure."  In fact \
 |it can be
 |helpful if A) your mail is forged a lot and B) you don't send any legit \
 |mail
 |via paths that DMARC cannot describe.  Some domains are like that, but many
 |are not.   Mine are not which is why I have no plan ever to publsh a DMARC
 |policy other than p=none.
 |
 |The yelling about mailing lists was loud enough that there is now a \
 |thing called
 |ARC which more or less provides a log in the message of what the authent\
 |ication
 |results were a prior hops, so in principle recipient systems can look \
 |at mail
 |they know is from something like a mailing list and use the ARC info \
 |to see if
 |it would have passed DMARC when it arrived at the list.  Several large mail
 |systems including Gmail and Outlook/Hotmail are now added ARC headers \
 |(I think
 |invalid ones at Microsoft) but so far nobody I know is using it to \
 |fix DMARC
 |overfiltering.
 |
 |As Dave has often pointed out, many mail programs, perhaps most these \
 |days, do
 |not show the From: address so the nominal benefit of DMARC, that you \
 |can tell
 |that the sender is "real" does not exist.  People who run large mail \
 |systems
 |tell me that despite the fact that it is so easy to evade, DMARC still \
 |blocks
 |a lot of phishing which means unsurprisingly that many crooks are lazy or
 |ignorant.
 |
 |It's hard to see how an additional Author header would make much differe\
 |nce here.

You are surely right with this.
The MUA i maintain has such a long way to go ... but i hope
Author: will become used so that it can be used in favour (and if
that is by matter of highlighting or similar) of the mutilated and
rewritten From:'s that are everywhere.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)