Re: [dmarc-ietf] Ticket #28 - Failure report mail loops

Alessandro Vesely <vesely@tana.it> Mon, 07 December 2020 11:13 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077F63A1319 for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2020 03:13:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0k3MWuVeYLc for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2020 03:13:05 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 304353A1318 for <dmarc@ietf.org>; Mon, 7 Dec 2020 03:13:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1607339582; bh=q2NelWCpf/1d2jUC2Lb9oGILgH0MmbI8HNf25+DgVN4=; l=3270; h=To:Cc:References:From:Date:In-Reply-To; b=DLIiWfnx7k+y084I0juL3LwrkUN0A33svzEK6kE89a6HaB9aEXkU+1ZsaFreK+Uaq MrUW1+aacPvhyNrzHTERVVx7SclITAG5ijItOkureU58AyrVyhfx8z8xfpdN6ODL+F 4CcITNYCgzXxxJqnyntQVJCq28jsQcOse44DxgutUrI9JNZWd4jZiypwAabO0
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Original-Cc: dmarc-ietf <dmarc@ietf.org>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC053.000000005FCE0E3E.00004673; Mon, 07 Dec 2020 12:13:02 +0100
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc-ietf <dmarc@ietf.org>
References: <0408ae98-e1c1-71fe-fdd4-8bc7a7c151d3@tana.it> <CAL0qLwZXJ+mq1cq0yby05fN9-igt-U+Miht5LHpaYmqM=Omk3w@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <faada008-12c3-59f8-49b5-4a71882bc2b1@tana.it>
Date: Mon, 7 Dec 2020 12:13:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwZXJ+mq1cq0yby05fN9-igt-U+Miht5LHpaYmqM=Omk3w@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KVemsv28CjgcUX7k0tJVgwsBofo>
Subject: Re: [dmarc-ietf] Ticket #28 - Failure report mail loops
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 11:13:07 -0000

On Mon 07/Dec/2020 08:15:57 +0100 Murray S. Kucherawy wrote:
> On Fri, Dec 4, 2020 at 3:10 AM Alessandro Vesely <vesely@tana.it> wrote:
> 
>> We would like to close this ticket by Dec 18, two weeks from now, so
>> please get
>> on it.
>>
>> The ticket originated from John's comment, in May 2019:
>>
>>      Apropos recent discussions, we could recommend that failure reports be
>>      rate limited per recipient both to break loops and to deter indirect
>>      mail bombing.
>>
>>
>> The current draft discusses the topic toward the end of the introduction
>> of Section 3, before the first subsection:
>>
>>     An obvious consideration is the denial-of-service attack that can be
>>     perpetrated by an attacker who sends numerous messages purporting to
>>     be from the intended victim Domain Owner but that fail both SPF and
>>     DKIM; this would cause participating Mail Receivers to send failure
>>     reports to the Domain Owner or its delegate in potentially huge
>>     volumes.  Accordingly, participating Mail Receivers are encouraged to
>>     aggregate these reports as much as is practical, using the Incidents
>>     field of the Abuse Reporting Format ([RFC5965]).  Various aggregation
>>     techniques are possible, including the following:
>>
>>     *  only send a report to the first recipient of multi-recipient
>>        messages;
>>
>>     *  store reports for a period of time before sending them, allowing
>>        detection, collection, and reporting of like incidents;
>>
>>     *  apply rate limiting, such as a maximum number of reports per
>>        minute that will be generated (and the remainder discarded).
>>
>>
>> Some issues the WG may want to consider:
>>
>> 1.  That whole passage should be moved to its own subsection of Section 5,
>> "Security Considerations".  Only a reference should be left in the intro.
>>
> 
> Sure (though it's also fine where it is, IMHO).


Thanks.


>> 2.  In the first *-bullet above, the sense of multi-recipient is 
>> ambiguous.  An explicit mention of ruf= might help. >
> I don't follow.


The two paragraphs before the one I quoted are:

    The destination(s) and nature of the reports are defined by the "ruf"
    and "fo" tags as defined in Section 6.3.

    Where multiple URIs are selected to receive failure reports, the
    report generator MUST make an attempt to deliver to each of them.

They make it clear the sense of "multi-recipient".  However, diagonal readers 
may miss that point, especially if the quoted part is moved.  They would 
attribute the usual meaning to the phrase "multi-recipient messages", which 
makes no sense.


>> 3.  The 2nd and 3rd *-bullets may need expansion.  Propose text in case.
> 
> Has anyone complained that they're too terse?
> 
> 4.  Some explicit loop prevention specification may be added.  For example:
>> 4.1.  send reports from a subdomain having a DMARC record without ruf=, or
>> 4.2.  never send failure reports about failed reports.
> 
> The latter, which is consistent with SMTP never generating a bounce about a
> bounce.


However, SMTP has an operational definition of bounce, MAIL FROM:<>.  Should we 
take the same stance?  That is, send failure reports with an empty bounce 
address and never send failure reports to bounces or failure reports?


Best
Ale
--