Re: [dmarc-ietf] Ticket #111 (and #112) - Proposed language
Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 22 June 2021 04:17 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2E93A116C for <dmarc@ietfa.amsl.com>; Mon, 21 Jun 2021 21:17:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xG6XH6Y-cbcH for <dmarc@ietfa.amsl.com>; Mon, 21 Jun 2021 21:17:45 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F111B3A1168 for <dmarc@ietf.org>; Mon, 21 Jun 2021 21:17:44 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id i10-20020a9d68ca0000b029045d4c970c96so1218294oto.6 for <dmarc@ietf.org>; Mon, 21 Jun 2021 21:17:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zWUoiygmNhiI9n1zu94AJUCaWb4tuq1dAv7BrRX2uAk=; b=s237JIlEfs20ara7EykOhPH0qWil/QZlZLi7Xjdz3yaWg1IHNmcl9cOSeOvg02aXKP jAhMULkyeYR7HMjfHXLydkrDRoqJDNXOwiiiGIV3bjulUtcYjhtFZBLDhfRtgQeSOAuv RBpqy5jegmCfv1CSLlcnUpbQ0q0Cdfzrzv+kDN9W/bWpP6Fo8k5NORiydOvFijVuyXQz iGtJFyAzsq46DnPBYlOlEwpy52M8uNR9V0X42asviNF6o7utEeZU/GA3SmBZ0+bjFc2o pTTFd+yIYykTBGRmUNyxBus4M3HnkvoMjGbeM9yQH5KQaGazFS/WMrTLfKoFn1iKQSEY sGXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zWUoiygmNhiI9n1zu94AJUCaWb4tuq1dAv7BrRX2uAk=; b=KvgMULWmvZrDcMj7kRL9IZHVWtgs/bBJqCPzlQUv732FX77tIPpXmjXXOQJMAbOd7u Q6qJopgFWD+p7IbERW1WRPD/uXj6j7i1YJzmEEL927D4CFsxmQJY/etOQq2sAQHsvs5l VoYly/Yusu//QO8cHH19qEYCbC06lFu6aD+GlpqstywZzuIOV5OqyCuRAtnyv4NZ+KBv OQCOIFEWEhMtBy3Nwv+YpA/9DaWCOPLPfjAd2QpW9d2t9F5GXFDoncMiKl2+FilVTKIU k8VPItfX2gwDQ+3wgHJZdJZY98sbO4AzXedKN7NdcZ4wyREw15xnfYkiFTI0jY6SQch3 WAEA==
X-Gm-Message-State: AOAM530XPg75dcfsM+LfWcXNHgZZDa5SlqDk0HvYlZhCJQI7KMz7cskw 5G7Ou9u16HpXzpA/PEyHKGXsDFDqMeDZMkt+Sl4=
X-Google-Smtp-Source: ABdhPJxn7NBKSSnXoh89qECgTHoX3NTp6hg2U34ffmFJaZ68ISfVFR9GZQnvw8e8bJx5ityCznAJVjGWR372Ejb/TMQ=
X-Received: by 2002:a05:6830:1102:: with SMTP id w2mr1198037otq.298.1624335463193; Mon, 21 Jun 2021 21:17:43 -0700 (PDT)
MIME-Version: 1.0
References: <20210616160110.09D6011E70FD@ary.qy> <71e61630-0bc8-c9f1-6e7c-5267889c15af@tana.it> <CAH48ZfyYSW5003cxgP0r_skzSdfNvV9FL=sY_32PwQ1dWXxFCg@mail.gmail.com> <CAL0qLwYsTgRJ8PnjG7nAdTJJ54ww2HWtvOGp2EeMqNStjD6X8A@mail.gmail.com>
In-Reply-To: <CAL0qLwYsTgRJ8PnjG7nAdTJJ54ww2HWtvOGp2EeMqNStjD6X8A@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 22 Jun 2021 00:17:33 -0400
Message-ID: <CAH48Zfz6tMw_RSPn-U1Jce1tsGur6mqjXgZpqUVAwP0mT4BfVA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000047c20505c55312c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RrQij0q80phZsVfunTINuQ8QQ4A>
Subject: Re: [dmarc-ietf] Ticket #111 (and #112) - Proposed language
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jun 2021 04:17:50 -0000
I am providing two types of examples: 1) A legitimate sender using a non-existent name, 2) An impersonating sender using undefended non-domain names. Valid Message Example =================== MailFrom: info99@service.govdelivery.com From: updates@secure.hiltonheadislandsc.gov Signature: None DMARC Policy: Not currently configured. SPF Status: PASS FROM Status: NXDOMAIN What happens when they implement DMARC? One possibility is that they create a DKIM signature for "scope1._domainkey. secure.hiltonheadislandsc.gov" This ensures DMARC PASS as long as the signature validates. But if the message is modified in transit, the signature will no longer validate. Which policy should apply? If the public key was successfully retrieved, then the name certainly exists, and is used for DKIM signing, so it should be SP. But it does not yet meet the MX/A/AAAA/SPF test, so our draft calls for it to be evaluated as NP. To meet the MX/A/AAAA/SPF tests, the sender must create one of those four DNS records. But which one is relevant? None of them. Attack Scenario Examples ==================== Assume: Example.com has DMARC policy of "p=reject, sp=none, np=none" Also assume that "spammer.tld" decides it will be profitable to impersonate example.com, and begins this data collection: Research: 1. Spammer scans the example.com website, collecting host names. 2. Spammer performs MX and SPF lookups to collect additional host names. 3. Spammer performs DNS lookup on some other commonly-used names to see if they exist. 4. Spammer notes that while "example.com" is protected by SPF and DMARC p=reject, individual hosts do not have an SPF policy. Strategy Spammer does not want to risk being blocked by DMARC p=reject, so he will not use "example.com" directly. Spammer does not want to be blocked by SPF NXDOMAIN, so he will not use a non-existent MAILFROM domain. Spammer choses "mail.example.com" as the preferred impersonation domain. Attack Scenario 1: Spammer gets lucky, because the MX for "example.com" is the host "mail.example.com". Spammer has these options; a) Pretend to be a mailing service, using spammer.tld as the SPF context: MAILFROM=user@spammer.tld FROM=user@mail.example.com Sender authentication evaluates to SPF=PASS and DMARC policy SP applies. Example.com has these sender-authentication defense options for this attack: - Changing mail.example.com to a subdomain and creating a subdomain DMARC P=reject/quarantine policy, or - Changing the organization policy to sp=reject/quarantine b) Pretend to be a direct message MAILFROM=user@mail.example.com FROM=user@mail.example.com Sender authentication evaluates to SPF=NONE and DMARC policy SP applies. Example.com has these sender-authentication defense options for this attack: - Create an SPF "-ALL" policy for "mail.example.com" - Changing mail.example.com to a subdomain and creating a subdomain DMARC P=reject/quarantine policy, or - Changing the organization policy to sp=reject/quarantine ================ Scenario 2: Spammer notes that "mail.example.com" is not a defined host. Spammer has these options: a) Pretend to be a mailing service, using spammer.tld as the SPF context: MAILFROM=user@spammer.tld FROM=user@mail.example.com Sender authentication evaluates to SPF=PASS and DMARC policy NP applies. Example.com has these sender-authentication defense options for this attack: - Changing mail.example.com to a subdomain and creating a subdomain DMARC P=reject/quarantine policy, or - Changing the organization policy to sp=reject/quarantine b) Pretend to be a mailing service, sent by a host in the target domain: MAILFROM=user@www.example.com FROM=user@mail.example.com Sender authentication evaluates to SPF=NONE and DMARC policy NP applies. Example.com has these sender-authentication defense options for this attack: - Create an SPF "-ALL" policy for "www.example.com", or - Changing mail.example.com to a subdomain and creating a subdomain DMARC P=reject/quarantine policy, or - Changing the organization policy to sp=reject/quarantine, or - Changing the organization policy to np=reject/quarantine On Thu, Jun 17, 2021 at 3:57 AM Murray S. Kucherawy <superuser@gmail.com> wrote: > I continue to not understand the defect you're highlighting here. > > I think you've expressed yourself primarily in the abstract. Could you > craft a sample message, sample envelope, and sample DNS context that > highlights the problem you're talking about? Maybe then it'll snap into > focus. > > On Wed, Jun 16, 2021 at 2:43 PM Douglas Foster < > dougfoster.emailstandards@gmail.com> wrote: > >> NXDomain on RFC5322.From is a completely different issue. It means >> that the name is only used for service provider messaging, and is therefore >> not linked to any IP address or other physical infrastructure. It affects >> the ability to define a meaningful NP test. The issue becomes irrelevant >> to DMARC if and only if we drop the NP policy idea completely. >> >> The proposed MX/A/AAAA/SPF test has two significant problems: >> - It incorrectly classifies some names as NP because they do not need >> MX/A/AAAA/SPF records because they are not tied to an IP address, and we >> have provided a very poor mechanism for a domain owner to come into >> compliance. >> > > There's a workaround here: If I want to use a name that is not represented > in the DNS according to that test, all I need to do is DKIM sign with my > parent domain. That makes "p" apply because now you have an aligned > "pass", which presumably trumps any "np" that's set. > > If you aren't signing with DKIM in that scenario, and you obviously can't > pass SPF either, then you can't possibly hope to pass DMARC irrespective of > any test being done on the name's validity. > > - It incorrectly classifies some names that are not used for email as not >> NP, simply because they have an A/AAAA record. It provides no method for >> the domain owner to signal that the name is not used for email and >> therefore should be treated as NP. >> > > If they're not used for email, then they're not in DMARC's problem space. > > At any rate, since PSD has been approved, I'm hoping the experiment is > underway, or will be soon, and then we might have some actual data about > the severity of this defect and thus also possibly some hints about ways it > can be mitigated. > > -MSK >
- [dmarc-ietf] Ticket #11 (and #112) - Proposed lan… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Dotzero
- Re: [dmarc-ietf] Ticket #111 (and #112) - Propose… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… John Levine
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… John Levine
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Dotzero
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Ken O'Driscoll
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… John R Levine
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #111 (and #112) - Propose… Douglas Foster