Re: [dmarc-ietf] Composition Kills: A Case Study of Email Sender Authentication
Scott Kitterman <sklist@kitterman.com> Wed, 22 April 2020 22:08 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C26663A0C06 for <dmarc@ietfa.amsl.com>; Wed, 22 Apr 2020 15:08:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=p0pJjaeJ; dkim=pass (2048-bit key) header.d=kitterman.com header.b=buX/k+by
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KnE4Xyned8di for <dmarc@ietfa.amsl.com>; Wed, 22 Apr 2020 15:08:40 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4E753A0BFA for <dmarc@ietf.org>; Wed, 22 Apr 2020 15:08:40 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 2660EF802BF for <dmarc@ietf.org>; Wed, 22 Apr 2020 18:08:38 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1587593318; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=WiiJEeK5WQ341n9KOmM6B5zvPLovpymC7EOdK4skl7M=; b=p0pJjaeJB5tlFWlTb2r2D9Za9LCb6Mk1qKcl8FnfPpTt+uIbDq3ffa/kUO+Pz57lZrIho 3PeJFIcuPbsXwGwDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1587593318; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=WiiJEeK5WQ341n9KOmM6B5zvPLovpymC7EOdK4skl7M=; b=buX/k+by/x32umpWUPNeZbE3PHq2HV3JVkKP7WtAOOxI1kHCQZdsJNGoTq7R7wc1uzXDo 8lgqo0j2nAa5tbOdH9j4ys4TJC/F6dMWx102c0eCp2WpxjQKPrbB0wLWBhO216d9V4x164m mQfe04NX2/2XQEKWBLOvExgKR11X0nzEQAqbB7F5+GAc29Ok0GpmeWcMzw3lt+JJf35zx8F xZnnyzG59imZL87V2TifB3XnASy0hH79v5WWhNhga4lAdmkNBfaYDpHll621uIawKhlHax/ esuEGlUSipjuFC3CvDH76vR+kiW8AZIGuHeTPN4gbwxxGKj0ryF281+/0jog==
Received: from sk-desktop.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id E80C5F800E7 for <dmarc@ietf.org>; Wed, 22 Apr 2020 18:08:37 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Wed, 22 Apr 2020 18:08:37 -0400
Message-ID: <5816941.mf8d9O40cs@sk-desktop>
In-Reply-To: <51be5654-94c4-38c6-8f6b-dca403d6680a@dcrocker.net>
References: <2656238.kvSPeydUtl@sk-desktop> <51be5654-94c4-38c6-8f6b-dca403d6680a@dcrocker.net>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RNznOb4iO3-qAFfoU68d2Evnxts>
Subject: Re: [dmarc-ietf] Composition Kills: A Case Study of Email Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 22:08:48 -0000
On Wednesday, April 22, 2020 4:28:44 PM EDT Dave Crocker wrote: > > 4.1 HELO/MAIL FROM confusion > > This seems to imply that tightening is needed in DMARC, so that it uses > an SPF domain that SPF has actually been validated? I think the issue is > that SPF validation needs to inform DMARC what domain it has validated, > rather than have DMARC decide which domain to fetch. The standard authentication results header field will do this in the form of: Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com > > SPF implementations treat “(any@legitimate.com” as anempty MAIL FROM > > address, and thus forward the resultsof checking HELO to the DMARC > > component, because thestring in the parentheses can be parsed as a > > comment ac-cording to RFC 5322 [10]. Some DMARC > > implementations,however, may take it as a normal non-empty address, > > 1. This issues goes away if SPF supplies DMARC the domain name, rather > than DMARC having to fetch it > > 2. I doubt this otherwise needs changes to language in the DMARC spec, > but it's worth making sure. I agree it's worth making sure. The input for DMARC from SPF/DKIM should a both a result and a domain. There is some inconsistency in how SPF verifiers report SPF results when using HELO as a fallback for an null Mail From. RFC 7208 section 2.4 is, IMO, reasonably clear that for a null Mail From, the SPF 'Mail From' identity is postmaster@[HELO], so it should be reported as an smtp.mailfrom= result, which the paper claims is the threat vector. I think they are wrong. As long as the input domain is checked and is in alignment for DMARC, there's no issue there. I tried their exact scenario with two of my domains and here's what the SPF verifier reported: Authentication-Results: mx.example.org; spf=pass (sender SPF authorized) smtp.mailfrom=kitterman.com (client-ip=72.81.252.18; helo=kitterman.org; envelope-from=(scott@kitterman.com; receiver=bogus1@kitterman.org) While this is not ideal (for envelope-from=(scott@kitterman.com. The string should be quoted [per the 5322 CFWS definition], it shouldn't lead to any confusion about the identity. I figured out this is wrong and the example below is right per various RFCs, but it took some investigation to dig it all back up. A more thorough review by someone that knows more than me would surely be a good idea. > > 4.3 Authentication results injection > > Another focus on what results are communicated and how. > > The paper asserts that AR is used as DMARC input. I suspect that is > rarely, if ever, true. Yes? No? For integration of open source components such as opendkim and opendmarc, this is the standard method of communicating results data between components (also true for communicating SPF results to opendmarc is you don't use its internal SPF implementation). For what it's worth, I invested some time yesterday and today testing the various open source components I maintain (pyspf, pyspf-milter, policyd-spf- python, dkimpy, dkimpy-milter, and authres) and found some behaviors in the cases they describe that is sub-optimal, I could not replicate any of the security relevant issues they describe. I did get some new test cases. ... As an example, if the example they used is presented to the authres module as the d= domain in for a DKIM verification, d=legitimate.com(.attacker.com, it returns d="legitimate.com(.attacker.com" [note the quoting, which is correct per the 5322 CFWS definition]. If it's parsing that, it fails to return a domain at all, which is a bug, but doesn't cause the reported problem. Scott K
- [dmarc-ietf] Composition Kills: A Case Study of E… Scott Kitterman
- Re: [dmarc-ietf] Composition Kills: A Case Study … Kurt Andersen (b)
- Re: [dmarc-ietf] Composition Kills: A Case Study … John Levine
- Re: [dmarc-ietf] Composition Kills: A Case Study … Dave Crocker
- Re: [dmarc-ietf] Composition Kills: A Case Study … Scott Kitterman
- Re: [dmarc-ietf] Composition Kills: A Case Study … John Levine
- Re: [dmarc-ietf] Composition Kills: A Case Study … Juri Haberland
- Re: [dmarc-ietf] Composition Kills: A Case Study … ned+dmarc