Re: [dmarc-ietf] Endless Loops with DKIM reports
Hector Santos <hsantos@isdg.net> Tue, 04 June 2019 15:21 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13ECB12015D for <dmarc@ietfa.amsl.com>; Tue, 4 Jun 2019 08:21:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=R9TNwm5I; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=T7EM2lZE
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPGKXa-fVCHi for <dmarc@ietfa.amsl.com>; Tue, 4 Jun 2019 08:21:38 -0700 (PDT)
Received: from mail.winserver.com (ntbbs.santronics.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 16134120155 for <dmarc@ietf.org>; Tue, 4 Jun 2019 08:21:35 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2215; t=1559661688; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=dk8O9V9bJ7igHka99+DZImLRAU8=; b=R9TNwm5ItduV9jtbyTf3GTvBgSaoUJ9cybcVL8jAUuSmKh8jsi2+EBHKUL6C7n oVJV331VyCbrS/ex1CzR0PcwuBH7exbgIJ6VcIxaHESnlfTqfwL7Xf/Of5LR6zOL PjU/POagYLR2OuXUIEXtY/In1aQH1eWjKFvcjYwFNfBhE=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 04 Jun 2019 11:21:28 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 454135182.94763.480; Tue, 04 Jun 2019 11:21:28 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2215; t=1559661507; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=qKL5lY5 ZDg9PkotH/u3g/G5lFynxBhCunP2lgNKW9XA=; b=T7EM2lZEo9wACCD3bypH25a RUGXQhGWG22Bv9nPjafY3R2xHy5vNp6XyN4p36RIKoLtRnYdgWhyODgvUGui6kP5 hLI4PtQXr/w5X8ir3JZWQM6HY0ryUzgBABzJnbIDIe5LkUaPnSqs67lnXyOKr+1t OnACUj57nM5jYkZ+Ku18=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 04 Jun 2019 11:18:27 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 2026362160.9.72100; Tue, 04 Jun 2019 11:18:26 -0400
Message-ID: <5CF68C79.6030408@isdg.net>
Date: Tue, 04 Jun 2019 11:21:29 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <26D82EA6-8E39-4AED-BB9D-E2F53E7548C4@aegee.org> <adeaa778-5025-6fa2-0fe4-d10e2ea984c4@dcrocker.net> <eed31056-7f51-ee2a-5367-8fca5f6770aa@corp.mail.ru> <B9299213-2E56-4126-B34A-8194D6FC170D@aegee.org> <227c8736-7726-4d9b-ff34-f329cd116ebf@corp.mail.ru>
In-Reply-To: <227c8736-7726-4d9b-ff34-f329cd116ebf@corp.mail.ru>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ji1BbwzSQ_ByjomkLp6I3vj5VZg>
Subject: Re: [dmarc-ietf] Endless Loops with DKIM reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2019 15:21:40 -0000
On 6/4/2019 10:29 AM, Vladimir Dubrovin wrote: > > Recommendation to use empty envelope-from / return-path is doubtful, > because this recommendation is usually applied to mail transport-level > application and DMARC reporting does not belong to transport level. In > practice, this recommendation will increase loop probability for DMARC > reports due to quite common SPF misconfiguration. So with what protocol transport mechanism are DMARC reports sent? The basic design question I see here is what return path to use for a DMARC report. The considerations would be: C: MAIL FROM:<> C: MAIL FROM:<unique-non-null-return-path> The first format is known as the NULL return path. From what I see in my quick check of May and June logs, I did not see any NULL return path usage, but I do see the following style from three big ISPs: C: MAIL FROM:<dmarc-support@alerts.comcast.net> C: MAIL FROM:<noreply@dmarc.yahoo.com> C: MAIL FROM:<noreply-dmarc-support@google.com> Two of them are using non-standard "noreply" user-id string, sub-string concept in a non-standard attempt to expose the idea the receiver (or user) should not attempt to reply/bounce the messages. Google has recognized this "noreply" tag and they made it not fail a CBV (Call Back Verification) check. Yahoo will fail a CBV check and thus its dmarc reports are not received by my commercial package by default, out of the box. I just added a local white list for this, but this points out the need to conform to a practice known to help prevent "responses" to a notification by using NULL return path address. Otherwise, in the future DMARC reporting document, it needs to specify a new "special user-id" (left hand side of address) that will tell up-to-par compliant DMARC report receivers to not reply to it. We can't presume that a general idea of using a "noreply" string or substring of a user id signifies a valid report or notification. It can be a "loop hole" for bad guy mail entry abuse when it begins to pre-empt return path validity checking. All this is another reason why we should consider splitting DMARC PS work into two documents. Policy and Reporting. -- HLS
- [dmarc-ietf] Endless Loops with DKIM reports Дилян Палаузов
- Re: [dmarc-ietf] Endless Loops with DKIM reports Dave Crocker
- Re: [dmarc-ietf] Endless Loops with DKIM reports Vladimir Dubrovin
- Re: [dmarc-ietf] Endless Loops with DKIM reports Dave Crocker
- Re: [dmarc-ietf] Endless Loops with DKIM reports Vladimir Dubrovin
- Re: [dmarc-ietf] Endless Loops with DKIM reports Dave Crocker
- Re: [dmarc-ietf] Endless Loops with DKIM reports Дилян Палаузов
- Re: [dmarc-ietf] Endless Loops with DKIM reports Vladimir Dubrovin
- Re: [dmarc-ietf] Endless Loops with DKIM reports Hector Santos
- Re: [dmarc-ietf] Endless Loops with DKIM reports John Levine
- Re: [dmarc-ietf] Endless Loops with DKIM reports Dave Crocker
- Re: [dmarc-ietf] Endless Loops with DKIM reports John R Levine
- Re: [dmarc-ietf] Endless Loops with DKIM reports Dave Crocker
- Re: [dmarc-ietf] Endless Loops with DKIM reports John R Levine
- Re: [dmarc-ietf] Endless Loops with DKIM reports Douglas E. Foster
- Re: [dmarc-ietf] Endless Loops with DKIM reports John R Levine