Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not

Alessandro Vesely <vesely@tana.it> Sun, 31 January 2021 11:31 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C92A3A0C46 for <dmarc@ietfa.amsl.com>; Sun, 31 Jan 2021 03:31:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.421
X-Spam-Level:
X-Spam-Status: No, score=-4.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r3fc9aaVQT4i for <dmarc@ietfa.amsl.com>; Sun, 31 Jan 2021 03:31:01 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 215203A0C44 for <dmarc@ietf.org>; Sun, 31 Jan 2021 03:31:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1612092656; bh=lUprxi3y60qpUZUOQRn5tDVQOgbidpH18lHAHHiaLbo=; l=2171; h=To:References:From:Date:In-Reply-To; b=BfKX62uJd9vt3eYU1p07cj+nieo/4vJzLNvCZ/7ye4vsrjx3jbkYLrW6Av92udp7Z +GznTjUH7zPWe3k0vTw1jHNYd/fNUTUEn7V0/UclLoXJ2tQj0aMLdAzoN9vScSInOB sy48nQHkMTbRiXFMHRaY/5rfps7fdJEKMcBooeRX5NapVZnI38NKcv1Q6seVM
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC07E.00000000601694F0.0000555B; Sun, 31 Jan 2021 12:30:56 +0100
To: dmarc@ietf.org
References: <db72db79-272e-5d52-8994-4da81c8723bd@tana.it> <20210129210006.063C66CF2279@ary.qy> <CAH48ZfxCpFjySAL06a9pDusX1FiuSuVsHkBZG-Zkvxgu3BJmcA@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <49b248dc-91a7-7f2d-ba28-72fe8d6d356a@tana.it>
Date: Sun, 31 Jan 2021 12:30:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAH48ZfxCpFjySAL06a9pDusX1FiuSuVsHkBZG-Zkvxgu3BJmcA@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/i1g-9gzW63KGgUci7BxsW7HFfiI>
Subject: Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2021 11:31:03 -0000

On Sat 30/Jan/2021 13:51:56 +0100 Douglas Foster wrote:
> Interesting point.
> [...]
> 
> The spec is confusing because it says (a) failure reports should be sent
> immediately, (b) failure reports should be aggregated, and (c) failure
> reports should be throttled but without specifying a limit.
> 
> I wonder if the rule should be one message per week per source, since any
> large volume sender will be getting reports from multiple sources.   The
> main problem with this is that law enforcement actions may want to be
> bombed.


This point deserves its own ticket.  While we have a ri= tag (to be revised, 
see Tickets #50 and #71) and !size limits for aggregate reports, failure report 
consumers don't have a way to express the amount or frequency of feedback they 
want.


> On Fri, Jan 29, 2021 at 4:00 PM John Levine <johnl@taugh.com> wrote:
>> In article <db72db79-272e-5d52-8994-4da81c8723bd@tana.it> you write:
>>>3.3.  Transport
>>>
>>>    Email streams carrying DMARC failure reports MUST conform to the
>>>    DMARC mechanism, thereby resulting in an aligned "pass".  Special
>>>    care must be taken of authentication, as failure to authenticate
>>>    failure reports may provoke further reports.
>>
>>     Reporters SHOULD rate limit the number of failure reports sent
>>     to any recipient to avoid overloading recipient systems.


I haven't yet modified this, but I mostly agree.


>> Why would reports due to a mail loop be more of a problem than due to
>> some random spammer sending a lot of fake mail, or (real life) your
>> users send mail to mailing lists with thousands of subscribers? Rate
>> limit your reports, don't worry about where they came from.


Rate limiting usually implies a number of buckets.  They are managed by 
imposing limits per time periods, which can be either server-global or per 
bucket.  Normally, for MSA usage, one has one bucket per user.  I have never 
implemented failure reporting, but I'd guess buckets may vary.  Besides the 
signing domain (which determines the report consumer), the receiving address, 
the sender and the spam flag may deserve their own buckets.

Thoughts?

Best
Ale
--