Re: [dmarc-ietf] Endless Loops with DKIM reports

"John Levine" <johnl@taugh.com> Wed, 05 June 2019 20:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Hc19pPtzjfeKgkPIbcZ95m7fnLA>

In article <29174612-a051-8066-9dde-2afaf181ca0e@dcrocker.net> you write:
>The high-level point I'm trying to make is that control messages -- such 
>as DMARC reports -- need to be handled in a fashion that works 
>automatically and at scale.  Since looping is a well-known problem for 
>such messages, they need to be generated and handled in a way that 
>prevents the problem.

Right.  You can give all the advice you want about sending stuff in
ways that are intended to prevent responses, but since some people will
always ignore your good advice, and any single party only controls one
leg of the loop, the only unilateral way to limit the damage is rate
limiting.

It's fine to tell people to use null bounce addresses and from:
addresses that don't ask for dmarc reports, but you need to rate limit
anyway.
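
The rate limiting discussed in this message, sketched as an added example that is not part of the original post or of any DMARC implementation: a sliding-window cap on reports sent to each destination domain, driven by a constructed stream of report-triggering messages. The class and function names, the per-domain keying and the address `dmarc-reports@peer.example` are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class ReportRateLimiter:
    """Cap how many reports go to any one destination domain per window.

    This is the sender's own leg of a possible loop, so it works even when
    the other party ignores advice about null bounce addresses.
    """

    def __init__(self, max_reports=10, window_seconds=3600.0, clock=time.monotonic):
        self.max_reports = max_reports
        self.window = window_seconds
        self.clock = clock
        self._sent = defaultdict(deque)  # domain -> send times inside the window

    def allow(self, rcpt_address):
        """Return True and record the send if a report may go out now."""
        domain = rcpt_address.rsplit("@", 1)[-1].lower()
        now = self.clock()
        sent = self._sent[domain]
        # Forget sends that have aged out of the window.
        while sent and now - sent[0] >= self.window:
            sent.popleft()
        if len(sent) >= self.max_reports:
            return False  # drop the report; do not queue it for later
        sent.append(now)
        return True


def simulate_loop(max_reports, window_seconds, messages, step_seconds):
    """Constructed scenario: a peer sends `messages` report-triggering
    messages, one every `step_seconds`. Returns how many reports we emit."""
    now = [0.0]  # fake clock so the simulation runs instantly
    limiter = ReportRateLimiter(max_reports, window_seconds, clock=lambda: now[0])
    emitted = 0
    for _ in range(messages):
        if limiter.allow("dmarc-reports@peer.example"):
            emitted += 1
        now[0] += step_seconds
    return emitted


if __name__ == "__main__":
    # 100 triggers in 100 seconds, limit of 5 per 60 seconds.
    print(simulate_loop(5, 60.0, 100, 1.0), "reports emitted for 100 triggers")
```

Excess reports are dropped rather than queued, so a loop cannot build up a backlog that replays once the window reopens.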