[dmarc-ietf] Ticket #28 - Failure report mail loops

Alessandro Vesely <vesely@tana.it> Fri, 04 December 2020 11:10 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78FB63A09C6 for <dmarc@ietfa.amsl.com>; Fri, 4 Dec 2020 03:10:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtO9Hh_oCKau for <dmarc@ietfa.amsl.com>; Fri, 4 Dec 2020 03:10:32 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84B6A3A09C4 for <dmarc@ietf.org>; Fri, 4 Dec 2020 03:10:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1607080228; bh=Obe1tfuB3p8C3dODDBxqzjoOpT3CmF4DCfGT4sIlZFg=; l=2001; h=To:From:Date; b=BMlLFE9usEo4FtATQ1cLgWbTqKvPg2dCngx/kY2b4UzQFkuaMV1sXuJBcZhN/c5FC yxoN/eoZ+qsAFANb/cn08Q2RlKjGIvc+KN/+GLoSSsWXFpAFqTtEE1PHO5gdammm2V +iS+EWGkCLGeUuU/OVhhxBWalKCGSaJ3fnX0yMUzwnrYEP/pI42cBFLe7hpwx
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC083.000000005FCA1924.00003BF2; Fri, 04 Dec 2020 12:10:28 +0100
To: dmarc-ietf <dmarc@ietf.org>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <0408ae98-e1c1-71fe-fdd4-8bc7a7c151d3@tana.it>
Date: Fri, 4 Dec 2020 12:10:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/W3uGPEpT3Yi5lqKntZXyL8jkNjk>
Subject: [dmarc-ietf] Ticket #28 - Failure report mail loops
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 11:10:35 -0000

We would like to close this ticket by Dec 18, two weeks from now, so please get 
on it.

The ticket originated from John's comment, in May 2019:

     Apropos recent discussions, we could recommend that failure reports be
     rate limited per recipient both to break loops and to deter indirect
     mail bombing.


The current draft discusses the topic toward the end of the introduction of 
Section 3, before the first subsection:

    An obvious consideration is the denial-of-service attack that can be
    perpetrated by an attacker who sends numerous messages purporting to
    be from the intended victim Domain Owner but that fail both SPF and
    DKIM; this would cause participating Mail Receivers to send failure
    reports to the Domain Owner or its delegate in potentially huge
    volumes.  Accordingly, participating Mail Receivers are encouraged to
    aggregate these reports as much as is practical, using the Incidents
    field of the Abuse Reporting Format ([RFC5965]).  Various aggregation
    techniques are possible, including the following:

    *  only send a report to the first recipient of multi-recipient
       messages;

    *  store reports for a period of time before sending them, allowing
       detection, collection, and reporting of like incidents;

    *  apply rate limiting, such as a maximum number of reports per
       minute that will be generated (and the remainder discarded).


Some issues the WG may want to consider:

1.  That whole passage should be moved to its own subsection of Section 5, 
"Security Considerations".  Only a reference should be left in the intro.

2.  In the first *-bullet above, the sense of multi-recipient is ambiguous.  An 
explicit mention of ruf= might help.

3.  The 2nd and 3rd *-bullets may need expansion.  Propose text in case.

4.  Some explicit loop prevention specification may be added.  For example:
4.1.  send reports from a subdomain having a DMARC record without ruf=, or
4.2.  never send failure reports about failed reports.


Best
Ale
--