Re: [dmarc-ietf] attack on reports

Steven M Jones <smj@crash.com> Tue, 26 January 2021 21:01 UTC

To: dmarc@ietf.org
References: <c049495f-faa2-c5f0-3e0a-7d8d86150568@mtcc.com> <aab313ee-4453-d97c-65ad-2a02d543c66c@tana.it> <24e8da5d-e306-7207-bb8f-74d44e4c5eaf@mtcc.com> <CAHej_8kS7hHR70LdcktuEtm08FyjsmqV17wHq21MdT=eNspCGw@mail.gmail.com> <f8f77f85-a2ae-3fb3-acb4-70d14a9da0f4@mtcc.com>
From: Steven M Jones <smj@crash.com>
Message-ID: <858a8e94-0101-ab61-dfbd-d7d7dc07e69b@crash.com>
Date: Tue, 26 Jan 2021 13:01:18 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <f8f77f85-a2ae-3fb3-acb4-70d14a9da0f4@mtcc.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VgQFCVPheTkWMqiUC2wDBk68cdU>
Subject: Re: [dmarc-ietf] attack on reports
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>

On 1/26/21 11:24, Michael Thomas wrote:
>
> Here's a very basic question: if I do not know all of the IP addresses
> that send on my behalf, are DMARC reports of any value?
>
No, an organization is not assumed to have perfect knowledge of all
their authorized sending sources. If that were common, there would have
been much less need for DMARC in the first place.

One of the primary goals of DMARC (IMO) is to help organizations
identify sending sources that have to be /investigated/. Some may be
vendors who were engaged outside the normal email operational processes,
most are likely just transient spam sources. But you won't know which is
which until you at least take a cursory look.

All of which requires those DMARC aggregate reports, and benefits from
failure reports if you can get them -- and that the domain owner, or
somebody acting on their behalf, *examines* those reports.

Organizations using email should have at least some policies and
procedures that cover all these things - and that is a very large topic
that this isn't the right place to explore.

> Enterprises farm out email all of the time and it could be difficult
> to know when they change their server addresses, etc.
>
Yes, which is part of why even organizations that have gone through a
long deployment process and arrived at their desired "end state" find
value in continuing to receive and monitor reports. As you touch on,
vendors don't always tell you about such changes in advance.

You have to examine reports and, from time to time, take some action.

--S.
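The triage the reply describes (aggregate reports pointing at sending sources that need a look, whether or not the owner has a complete list of them), as an added example that is not part of the original thread; it assumes the RFC 7489 aggregate-report XML layout and a hypothetical, hand-kept inventory of known sources:

```python
# Added example (not from the thread): triage a DMARC aggregate (RUA) report
# by separating known/aligned sources from the ones that need investigation.
# Assumes the RFC 7489 aggregate-report XML layout and a hand-kept inventory.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an in-house MTA, an unknown relay that DKIM-passes,
# and a high-volume source that fails everything.
SAMPLE_RUA = """<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>4000</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of sources the domain owner already knows about.
KNOWN_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]


def triage(rua_xml, known=KNOWN_SOURCES):
    """Return one dict per record, largest volume first, with a verdict."""
    out = []
    for rec in ET.fromstring(rua_xml).iter("record"):
        row = rec.find("row")
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        pe = row.find("policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        aligned = "pass" in (dkim, spf)  # DMARC passes if either identifier aligns
        is_known = any(ip in net for net in known)
        if is_known and aligned:
            verdict = "ok"
        elif aligned:
            verdict = "investigate: aligned but not in inventory (new vendor relay?)"
        elif is_known:
            verdict = "fix: known source failing authentication"
        else:
            verdict = "likely abuse: unknown and unauthenticated"
        out.append({"ip": str(ip), "count": int(row.findtext("count")),
                    "dkim": dkim, "spf": spf, "verdict": verdict})
    # Largest volumes first so the cursory look starts where it matters.
    return sorted(out, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_RUA):
        print(f"{r['ip']:>14} {r['count']:>5} {r['verdict']}")
```

The "investigate" bucket is exactly the vendor-engaged-outside-process case from the reply: it authenticates, so someone set it up, but nobody told the domain owner.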