[dmarc-ietf] attack on reports

Michael Thomas <mike@mtcc.com> Tue, 26 January 2021 17:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8e588uxX2eOmG5VQhbACUteQLNo>

This is different from yesterday. From what I can tell there is no 
identifying information of the original message like message-id in the 
report xml. If I'm wrong, please point me to it. Since the object of the 
reports is to have confidence so that I can set a p=reject policy, all 
an attacker needs to do is bombard $LARGEPROVIDER with bogus messages 
purportedly from my domain to make me not want to change over to reject 
for fear of large providers dumping legitimate email from my domain. 
This could be somewhat mitigated if you know all of the IP addresses 
that send for your domain, but that could be difficult with the use of 
outsourced email, etc., and shouldn't be a requirement. Addition of the 
message-id would allow me to cross check from my logs, say, that it was 
a legitimate message from my domain or not. There may be other ways to 
solve this, but that is one.

Mike
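The source-IP cross-check the post mentions, as an added example that is not from the original message or from any IETF draft: it parses a constructed RFC 7489-style aggregate (rua) report and separates failing volume from known senders, which is a real reason to hold off on p=reject, from failing volume from unknown sources, which is the traffic an attacker can inflate at will and which the report, lacking any Message-ID, gives no way to match against your own logs. The report contents, the org name and the KNOWN_SENDERS inventory are all assumed sample values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an RFC 7489 aggregate report. Note that each <record>
# carries only a source IP, a count and the DMARC evaluation; nothing identifies
# the individual messages, so a bogus-mail flood and real mail look the same.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-provider.test</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.200</source_ip><count>5000</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Assumed inventory of networks that legitimately send for the domain (including
# outsourced senders). Keeping this complete is the hard part the post points out.
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

def triage_report(xml_text, known_senders):
    """Bucket the report's volume so unknown-source failures do not, by
    themselves, drive the decision about moving to p=reject."""
    root = ET.fromstring(xml_text)
    summary = {"pass": 0, "fail_known": 0, "fail_unknown": 0, "unknown_sources": []}
    for rec in root.findall("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        # DMARC passes if either aligned identifier passed.
        aligned = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        if aligned:
            summary["pass"] += count
        elif any(ip in net for net in known_senders):
            summary["fail_known"] += count      # a real sender is misconfigured: fix before reject
        else:
            summary["fail_unknown"] += count    # spoofing, or a sender missing from the inventory
            summary["unknown_sources"].append(str(ip))
    return summary

if __name__ == "__main__":
    print(triage_report(SAMPLE_REPORT, KNOWN_SENDERS))
```

An unknown source with a large failing count still deserves a look (it may be a forgotten third-party sender rather than an attacker), but it cannot be resolved from the report alone, which is the gap the post is about.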