Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not

John Levine <johnl@taugh.com> Fri, 29 January 2021 21:00 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED0543A12ED for <dmarc@ietfa.amsl.com>; Fri, 29 Jan 2021 13:00:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.851
X-Spam-Level:
X-Spam-Status: No, score=-1.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=iT6tSswQ; dkim=pass (2048-bit key) header.d=taugh.com header.b=27UQ9Zgg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJY8epGtRZ7a for <dmarc@ietfa.amsl.com>; Fri, 29 Jan 2021 13:00:08 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA5C33A12EA for <dmarc@ietf.org>; Fri, 29 Jan 2021 13:00:07 -0800 (PST)
Received: (qmail 76818 invoked from network); 29 Jan 2021 21:00:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=12c10.60147756.k2101; bh=ZrpgvzXSgeeS2X45mBD0lyBCLlHYwU4rH7zsxS0zkBc=; b=iT6tSswQNBVDOVnuBbQislrLpIfmztZXFR9tTz3X1gcjPpmHaFrJ0GBnK2hCh2wQEnp58annF1rg4oUmDekLYf1kX3VLScwqDtizJ8mmfhPFB2xKduTJrNCLyYtU+CgI4J5quC8PGEuJ8WihM19QHjYN+d1SXNZxiSjWQFhLHlsFdlCrPdWSIFPQyUO7SXewlTQFdnYCBMqVToKO/Fnc5xz57SVdR8Buj/fckbWY0+s5QhvgXlYoMeKn8JsqrjFMXdGkR8Z7Ceow3j8iXMWhpNtLjiVfmDzvSfZ8t5r9KVpiceMstC2w9Rg6VXitxPHgY5TXuVNPEwePv/ZsZcRgSQ==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=12c10.60147756.k2101; bh=ZrpgvzXSgeeS2X45mBD0lyBCLlHYwU4rH7zsxS0zkBc=; b=27UQ9Zgghih6Q7hP08cV3cXe2juy0xrR1eqOi1iCUOGb58MKaX+me3dQK7ro8MET9qecpWGGPyeOoy38NBlKgGBGO7sf4yzx4fhATYRZdQRDiSwFSnhF5+ABojVuLZAANE5ETBACHlVQERcwZuxfYMdxPRYzBKxGLvpquPVShsZVFezUoQjYpjdcFn3vd7VqpOQBZWueaSDL3M6SdSOYLdl1S8MydQvCoNsK/zfuLOb5OTiVAo0QwUVgtVZj2cwH5X/Koovryvc/rFOnuUcSDpKvT0wqIYyWFrwhhsXT8kDKOYcxD6LA2sAm5jOaildDRxFEVuQRGjaODYyvYZjRCg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 29 Jan 2021 21:00:06 -0000
Received: by ary.qy (Postfix, from userid 501) id 063C66CF2279; Fri, 29 Jan 2021 16:00:05 -0500 (EST)
Date: 29 Jan 2021 16:00:05 -0500
Message-Id: <20210129210006.063C66CF2279@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: vesely@tana.it
In-Reply-To: <db72db79-272e-5d52-8994-4da81c8723bd@tana.it>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_mpPtFLukVPxRq7xL1JIc_WXyIc>
Subject: Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2021 21:00:10 -0000

In article <db72db79-272e-5d52-8994-4da81c8723bd@tana.it> you write:
>3.3.  Transport
>
>    Email streams carrying DMARC failure reports MUST conform to the
>    DMARC mechanism, thereby resulting in an aligned "pass".  Special
>    care must be taken of authentication, as failure to authenticate
>    failure reports may provoke further reports.

    Reporters SHOULD rate limit the number of failure reports sent
    to any recipient to avoid overloading recipient systems.


Why would reports due to a mail loop be more of a problem than due to
some random spammer sending a lot of fake mail, or (real life) your
users send mail to mailing lists with thousands of subscribers? Rate
limit your reports, don't worry about where they came from.

R's,
John