Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality

John Levine <johnl@taugh.com> Mon, 07 December 2020 21:41 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30A3F3A0B50 for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2020 13:41:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.851
X-Spam-Level:
X-Spam-Status: No, score=-1.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=ZCHtNALI; dkim=pass (2048-bit key) header.d=taugh.com header.b=BfAWx4p1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVoDMo2lPMb0 for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2020 13:41:35 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 179FA3A0A42 for <dmarc@ietf.org>; Mon, 7 Dec 2020 13:41:34 -0800 (PST)
Received: (qmail 30632 invoked from network); 7 Dec 2020 21:41:34 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=77a5.5fcea18e.k2012; bh=WWJrA1P1JiOIZ2AVoL1YTyQICPFvZAJnRlANeyq0Pxg=; b=ZCHtNALIDfVkE4k5SEbwKf4QDZXlU1LNXmfkCVWPY3Yhj9sJiH1uw+SyzEa6i+BdBz107uZaSaesS4n+JeAjAQRUecVblhJqfCAavMMWUTWB7wESv3S+iGUKHcwahyqObtjY8QLN0IDITwX9rNpHexNW4kveKtSFQAhd0rM2JQzo+7oY3+VrvroUIosxRbBeRA7UqlXyY8p95rk8EBN1/8I1JNqz84M1ghkB+7+zO9c1A33Qt60l5ex60F60cxvW+R8tijq3rjq71MPVKvhd69jrzr72kwI0OYpe9qVpma8GxpwMTNU3PvDYzVoW4XqxtQ98FIgSNwPq3/cjkgcEkg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=77a5.5fcea18e.k2012; bh=WWJrA1P1JiOIZ2AVoL1YTyQICPFvZAJnRlANeyq0Pxg=; b=BfAWx4p1NGO5GQGwCFHCJ89y9k8ijiBRLw2g5ajrdVG6MTeTPCfJHs5biZc2WYoHOn5ijNbVA+34lPZxITIrIsZSIhdrlSom3HWRyuPCn6MYA0WlcbpvW+ITEgah/7RxUggmZgbGPT5Ssjh9PHuJXZ2bmp5lLMMaTF0ktuyWsm4qgj9u/AZvEPOb1hvvMGShfMnNA2SGzSObwcQLUXuDX7torFxIcJo5dPT6lqUbmLja0CcEGQVvrACz20pSfjZTWaKXgwFNiufsbtiexXbnx3c7t27hUU96tfP7CLW0rQQXQp1hZCS3+9y6GNHA1ve7FM4r3wdkDGtbK86dRl6lIg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 07 Dec 2020 21:41:33 -0000
Received: by ary.qy (Postfix, from userid 501) id 2D5142922931; Mon, 7 Dec 2020 16:41:32 -0500 (EST)
Date: 7 Dec 2020 16:41:32 -0500
Message-Id: <20201207214133.2D5142922931@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
In-Reply-To: <bf90e25d-b0de-5f41-095-e7a4c9a7c9cd@taugh.com>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jbQsgoUPMWuZJKVVqdENQJxoz-Q>
Subject: Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 21:41:37 -0000

>I don't understand the security or GDPR references.

Well this is amusing. I wondered if anyone had ever implemented some
version of the http reporting in early DMARC drafts, so I set up a new domain
with a server that will accept POST or PUT requests and added its URI to my
DMARC records.

I didn't get any of those (the POSTs below are not to the right URI)
but it's impressive how fast Russian bots started to probe it, within
hours.

This is not a reason to avoid https reporting. Every web site gets
probed like this and so long as your web server rejects unknown URIs,
they're harmless. After all, my e-mail reporting addresses get a
certain amount of spam, too.

R's,
John



139.162.113.204 dmreport.abuse.net - [07/Dec/2020:03:15:11 -0500] "GET / HTTP/1.1" 404 719 "HTTP Banner Detection (https://security.ipip.net)"
192.241.209.169 dmreport.abuse.net - [07/Dec/2020:05:26:29 -0500] "GET / HTTP/1.1" 404 719 "Mozilla/5.0 zgrab/0.x"
192.241.237.68 dmreport.abuse.net - [07/Dec/2020:05:49:18 -0500] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 404 786 "Mozilla/5.0 zgrab/0.x"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:01 -0500] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 823 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:01 -0500] "POST /api/jsonws/invoke HTTP/1.1" 404 757 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:07 -0500] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 823 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:07 -0500] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 404 858 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:09 -0500] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 404 753 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:11 -0500] "POST /mifs/.;/services/LogService HTTP/1.1" 404 779 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
91.241.19.84 dmreport.abuse.net - [07/Dec/2020:06:44:12 -0500] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 813 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.118.53.202 dmreport.abuse.net - [07/Dec/2020:11:45:14 -0500] "GET / HTTP/1.1" 404 719 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
67.205.149.169 dmreport.abuse.net - [07/Dec/2020:12:50:40 -0500] "GET / HTTP/1.0" 400 362 "-"
83.97.20.31 dmreport.abuse.net - [07/Dec/2020:14:46:30 -0500] "GET / HTTP/1.1" 404 723 "-"
185.141.63.14 dmreport.abuse.net - [07/Dec/2020:14:47:37 -0500] "GET / HTTP/1.1" 404 723 "libwww-perl/6.49"