Re: [dmarc-ietf] attack on reports

Michael Thomas <mike@mtcc.com> Tue, 26 January 2021 22:15 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AC7C3A02BC for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 14:15:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XHTQ5fd2yT5 for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 14:15:09 -0800 (PST)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42F763A017E for <dmarc@ietf.org>; Tue, 26 Jan 2021 14:15:09 -0800 (PST)
Received: by mail-pj1-x1032.google.com with SMTP id jx18so57813pjb.5 for <dmarc@ietf.org>; Tue, 26 Jan 2021 14:15:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=IkWzad5KR+hgPTgMGpbEYDmX7+btf8W7YbuhfRQUVK4=; b=jVTs6I4NuRi2Y2/Yl0TzBvgYii1BcjLw8o4mh7Nv3WCPnj5TVMv+FkJfYGp+yPkxkx j10X8G5ydsFvenF9pfCBDayAPoNmmZdSjwC1lslFZssXRo7wn++dceiIetJQ9fpQt39u 4r+vYnQa650eF5Amz8Agx5pdBv2CevKELUYRk2unpmKIkzjAw6I1pX9RuWJGfp1tvOay mY0+T27F+1mxUaByld/nRQf8kCrsCrDtANMzlhg3L9Bg1Elu6/fVHefQi2sh5szwDP3v QzU5VCIA7tkKWqbJPL/pARPBnHHQwXUI75nJP+mBJhchvbsBh2CFDx6gZnOXGzpzmobf DJ+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=IkWzad5KR+hgPTgMGpbEYDmX7+btf8W7YbuhfRQUVK4=; b=Fk2EWPRyaWNt2bPGt+2BF/nMDPRAewL+8xenGoGK8qZ1bKHQePmRf3unXL7PsBrqbN lM7hDF9Nzg8UU8m4a/0ahFoAk8APwqgiP1BsJOt3xMLGiP8WU2bWoe1/DyNoaWDp1MuN lxjIy1jpGM9MD9CVEQJaEvNeurHL4SM3qXg/KzYQsoxF2T1OTxPlKwjJ72Xmb9TXOz2/ sghZAteG28VeJHMkJBc0IQ8YDwqF44IJAIGKY4AbgpfWLEXujv/NKBqb0Mds7SNz63JH hJ+OPbSQiHgrregg8p9ITpMSsbr5noWjyasJBUCVlaQWxFBa/27hreP8Zemnx4EwxuSw z7gg==
X-Gm-Message-State: AOAM532iWXUg/nlO2s+jnPNfbMUhfOh234hEA9c6CaS2oHp+Gf2xMOKq DOOgme9Ye4dR9am3kxS2zLb7KMjjMPLx1Q==
X-Google-Smtp-Source: ABdhPJxKVMDaRbZ/2oDubsRgIYMT6erhOD/jrAhtWTs7AYSAwAK9zO8iH/khTkmUDoBTLIn7A2Bk8g==
X-Received: by 2002:a17:902:7148:b029:df:f45d:41c9 with SMTP id u8-20020a1709027148b02900dff45d41c9mr8262711plm.3.1611699308051; Tue, 26 Jan 2021 14:15:08 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id a141sm92522pfa.189.2021.01.26.14.15.07 for <dmarc@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Jan 2021 14:15:07 -0800 (PST)
To: dmarc@ietf.org
References: <c049495f-faa2-c5f0-3e0a-7d8d86150568@mtcc.com> <aab313ee-4453-d97c-65ad-2a02d543c66c@tana.it> <24e8da5d-e306-7207-bb8f-74d44e4c5eaf@mtcc.com> <CAHej_8kS7hHR70LdcktuEtm08FyjsmqV17wHq21MdT=eNspCGw@mail.gmail.com> <f8f77f85-a2ae-3fb3-acb4-70d14a9da0f4@mtcc.com> <CAHej_8nZu3Fgj1=V8aQnho7LEc0Y12KfXa8b+xxXVDzDqe8Bxg@mail.gmail.com> <d181379e-8a3d-2865-53ca-709f679945ac@mtcc.com> <CAHej_8=jwMmMZLAUoKAXGgmn3va3R_nSYDgtM1U4ZG2s+uVz_Q@mail.gmail.com> <c05c4fb1-514c-7312-1d5e-cdcf5fba6267@mtcc.com> <CAHej_8kBj5XHqjKa6FfyP1YRVApiJT_LwSCZ9EneZOUfRZKE=w@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <81e96be0-989a-ac75-b6e2-3381d971e019@mtcc.com>
Date: Tue, 26 Jan 2021 14:15:06 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAHej_8kBj5XHqjKa6FfyP1YRVApiJT_LwSCZ9EneZOUfRZKE=w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------CD33CD99EFD92526A500AE2E"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/f7TB6DIHMnQlaey9R5JwnUBBPHU>
Subject: Re: [dmarc-ietf] attack on reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2021 22:15:11 -0000

On 1/26/21 1:44 PM, Todd Herr wrote:
> On Tue, Jan 26, 2021 at 4:19 PM Michael Thomas <mike@mtcc.com> wrote:
>
>     I don't see how time helps anything if I can't differentiate
>     between our legitimate traffic and attacker traffic. All an
>     attacker would need to do is send a mail cannon to mimic Marsha in
>     Marketing every once in a while and the entire thing resets. If it
>     is a requirement to know all of the legitimate IP addresses in
>     order to make use of the reports as an indicator, the draft should
>     be very explicit about that.
>
>
> Forgive me; I have failed to get my point across in a way that 
> conveyed my meaning. Let me try again.
>
> My use of the word "Time" was intended to mean, effectively, 
> "experience, wisdom, and knowledge" all of which would be gained 
> through regular (for me it was daily) analysis of the latest DMARC 
> aggregate reports. Through the time spent analyzing those reports, one 
> would obtain a fuller picture of one's organization's mail flows, 
> gaining a knowledge that can really only come from immersion in the data.
>
>
I have written this up and it is now issue #101.

Mike
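The exchange above turns on whether a DMARC aggregate report can act as an indicator on its own, or only once the domain owner has an inventory of legitimate sending sources. The following Python is an added illustration of that point and is not code from the thread or from any DMARC project. It parses a constructed aggregate report in the RFC 7489 Appendix C XML schema, totals DMARC pass/fail counts per source IP, and tags each source against a constructed inventory of known networks (`KNOWN_SOURCES`); the report contents, IPs, counts, and org names are all made up for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from xml.etree import ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C schema). Every value
# below is invented for this example; no real receiver or sender is shown.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <email>noreply-dmarc@example-receiver.test</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1611619200</begin><end>1611705600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example-marketing.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.200</source_ip>
      <count>3000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-bulk.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Constructed inventory of networks the domain owner knows send its mail.
# In practice this is the list built up by reading reports day after day.
KNOWN_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class SourceSummary:
    ip: str
    messages: int
    dmarc_fail: int
    known: bool


def parse_report(xml_text: str, known=KNOWN_SOURCES) -> list[SourceSummary]:
    """Total DMARC pass/fail counts per source IP and tag each against the inventory."""
    # Aggregate reports arrive from third parties: use defusedxml for real input.
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: [0, 0])  # ip -> [messages, dmarc failures]
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes (RFC 7489 s.6.6.2).
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        totals[ip][0] += count
        if not passed:
            totals[ip][1] += count
    summaries = []
    for ip, (messages, fails) in totals.items():
        addr = ipaddress.ip_address(ip)
        known_src = any(addr in net for net in known)
        summaries.append(SourceSummary(ip, messages, fails, known_src))
    return summaries


def unknown_failing_sources(summaries: list[SourceSummary]) -> list[SourceSummary]:
    """Sources outside the inventory that produced DMARC failures, largest first.
    Without the inventory these are indistinguishable from one another: a
    forgotten marketing vendor and a high-volume impersonator both appear here."""
    hits = [s for s in summaries if not s.known and s.dmarc_fail > 0]
    return sorted(hits, key=lambda s: s.dmarc_fail, reverse=True)


if __name__ == "__main__":
    for s in unknown_failing_sources(parse_report(SAMPLE_REPORT)):
        print(f"{s.ip:>16}  messages={s.messages:<6} dmarc_fail={s.dmarc_fail}")
```

Run against the constructed report, the two sources outside `KNOWN_SOURCES` are listed together, and nothing in the report itself separates the 45-message vendor that was never added to the inventory from the 3000-message unknown sender; that separation is the knowledge the reply above says only comes from repeated analysis.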