Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
Todd Herr <todd.herr@valimail.com> Mon, 25 January 2021 16:44 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ZAgtD4MgiJvNhrOxftuGcsVezNI>

On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas <mike@mtcc.com> wrote:

>
> On 1/25/21 5:25 AM, Todd Herr wrote:
>
> On Sun, Jan 24, 2021 at 9:53 PM Michael Thomas <mike@mtcc.com> wrote:
>
>>
>> On 1/24/21 6:29 PM, John R. Levine wrote:
>> > I realized why the arguments about whether to require authentication
>> > on reports are pointless.
>> >
>> A blatant assertion. The onus of proof is with people who say we should
>> accept information from unknown sources. Extraordinary claims require
>> extraordinary evidence. I have been doing security related stuff for
>> long enough to know that being humble in the face of adversaries is the
>> most prudent course. State actors can get involved when they figure they
>> can game things to their advantage. To be dismissive is complete hubris.
>>
>>
> I've spent several days thinking about these tickets, and for the life of
> me I can't see what the payoff might be for someone to forge a DMARC report.
>
> I suppose nominally there's a denial of service risk, where a bad actor
> could flood a rua or ruf mailbox with forged reports or just email in
> general, but that's going to exist whether or not the "reports" are
> DKIM-signed.
>
> The main thing I've learned over the years of dealing with security is to
> not underestimate what a motivated attacker can do. Your imagination is not
> the same as their imagination. Closing #98 in particular is absolutely
> ridiculous: the report should already have a DKIM signature or SPF so it's
> just a matter of making sure it's valid. Why would you *not* want to insure
> that? The amount of justification for *not* having the receiver
> authenticate it is a mountain. The amount of effort to authenticate it is
> trivial for mail. Levine's dismissal of security concerns because he has
> anecdotal "evidence" from a backwater domain carries no weight at all.
>

That's all well and good, but you haven't answered the question I asked. What threats do you have in mind?

Put another way, how do you envision an attacker exploiting the lack of authentication in a DMARC report to his or her gain?

I recognize that my imagination, or yours, may not match what a motivated attacker can do. I have presented some possible scenarios that might result from a forged DMARC report, and in them I don't see a gain for the attacker, unless his or her goal is to be an annoyance to the target.

Can you please describe a scenario where an attacker might use a forged DMARC report to gain something of value from the target of his/her forgery?

--
*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
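
The receiver-side check argued over in this thread, confirming that a report mail carries a valid DKIM or SPF result for the reporting domain, could look like the following. This is an added example, not part of the message or of any DMARC draft; the authserv-id `mx.example.net`, the sample message and the function names are assumptions, and alignment is strict (exact match) only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own border MTA writes into Authentication-Results.
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed sample of a report mail after our MTA has stamped it (not from the thread).
SAMPLE_REPORT = """\
Authentication-Results: mx.example.net; dkim=pass header.d=reporter.example; spf=pass smtp.mailfrom=reporter.example
From: noreply-dmarc@reporter.example
To: rua@example.net
Subject: Report Domain: example.net Submitter: reporter.example Report-ID: 123

(aggregate report attachment omitted)
"""

RESULT = re.compile(r"\b(?:dkim|spf)\s*=\s*pass\b", re.I)
DOMAIN = re.compile(r"\b(?:header\.d|smtp\.mailfrom)\s*=\s*(?:[^\s@;]*@)?([\w.-]+)", re.I)

def passing_domains(msg):
    """Domains with a dkim=pass or spf=pass result recorded by our own MTA."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # stamped by someone else, possibly the sender: ignore
        for clause in results.split(";"):
            found = DOMAIN.search(clause)
            if RESULT.search(clause) and found:
                domains.add(found.group(1).lower().rstrip("."))
    return domains

def report_is_authenticated(raw):
    """True if the From domain exactly matches an authenticated domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Strict (exact-match) alignment only; relaxed alignment needs a
    # Public Suffix List lookup, which this sketch leaves out.
    return bool(from_domain) and from_domain in passing_domains(msg)

if __name__ == "__main__":
    print(report_is_authenticated(SAMPLE_REPORT))
```

The check relies on the border MTA removing or renaming any inbound `Authentication-Results` header that already carries its own authserv-id, so that only locally computed results are trusted.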