IETF Logo Mail Archive

Re: [dmarc-ietf] attack on reports

Michael Thomas <mike@mtcc.com> Tue, 26 January 2021 20:16 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3BE23A0E32 for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 12:16:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vrauvkhAgAPW for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 12:16:57 -0800 (PST)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CDA03A0E2F for <dmarc@ietf.org>; Tue, 26 Jan 2021 12:16:57 -0800 (PST)
Received: by mail-pl1-x634.google.com with SMTP id d4so10405956plh.5 for <dmarc@ietf.org>; Tue, 26 Jan 2021 12:16:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=e5NzvnK8Vh1XdsPHZHE0AWKAPRRV+Gak+eyY/lmH7Yw=; b=M9JoIX/ZaI8iou2x7yj+ic58yaQtpH8kBhhgSmSTry2/f7p3+Cy6XUFWBxGyy9ur6A IUuvBQgTGCfK1Rg+qUYFn6sDWl0IGvAWireD3P2/Zr0XeoY056AVehPubpB2/0ZBAnNF fqUWOWhsOVqd8DNkUwmdq6fV11YTeKQN2LoF+PlthDkUy0nOfvh/DghJJaeVxrzJzF8k V4rBcBUSbq6ShdLCwrq/ENbOPdPvji4ip+WkwJc1dBXTOLCKD6TbkBezfBSivIJ21bSp tyKVTFZ8UsY52B2uWzHBhFVPpb5Kr7Z/WtT3vg8xnjOTb4S4qGvQLd3k7C9w3Vu5MO80 ufMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=e5NzvnK8Vh1XdsPHZHE0AWKAPRRV+Gak+eyY/lmH7Yw=; b=HvGUlicIh8PcyS4Y3A6CDNJlH1seD5ynNozYorvVCVV37Oxj9OxIT8y5nfBwfNB7ds uf9pmzO5U29fawnSonzOMrOipp50mKodnaaE8+oyw5SkVndo8zettKGVu10FNXVus/RV 6OWhnQ55HOayl62KLOP4MJcJ0cWT8F2oAZRMsfh2SpprXqSUsrYcUgBOqiO4CZxYbZwt v+qcfHSWPQgjX86eVurIbgTtmj5diysqcI45Z2RfzGSuiqeBeRgSeH1KWezgyxRJ8M3J ICj69lOKsLUy4W7Ez7S4v8iGX3xFrw1U4seRZjtQ5vN5OuWcdeK8ClO7+iuRl3Zcmak+ xs5w==
X-Gm-Message-State: AOAM533o6Vv/J1idSK6YyYGIqP3yG/0kVXKP+v18k0pIQ8m2aBb9zrje V8Jwwh2eyofDWpipuZwkk6QkzNDknMyKuQ==
X-Google-Smtp-Source: ABdhPJzpw80n2Nm3ySWwyiOsD6r0MSgvEPd+cSUIj1B5Mi8MuIStYsEjONF1FbR5fO/CBCtMM/CY6w==
X-Received: by 2002:a17:90b:3284:: with SMTP id ks4mr1582164pjb.216.1611692216255; Tue, 26 Jan 2021 12:16:56 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id 141sm20069140pfa.65.2021.01.26.12.16.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Jan 2021 12:16:55 -0800 (PST)
To: Todd Herr <todd.herr@valimail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <c049495f-faa2-c5f0-3e0a-7d8d86150568@mtcc.com> <aab313ee-4453-d97c-65ad-2a02d543c66c@tana.it> <24e8da5d-e306-7207-bb8f-74d44e4c5eaf@mtcc.com> <CAHej_8kS7hHR70LdcktuEtm08FyjsmqV17wHq21MdT=eNspCGw@mail.gmail.com> <f8f77f85-a2ae-3fb3-acb4-70d14a9da0f4@mtcc.com> <CAHej_8nZu3Fgj1=V8aQnho7LEc0Y12KfXa8b+xxXVDzDqe8Bxg@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <d181379e-8a3d-2865-53ca-709f679945ac@mtcc.com>
Date: Tue, 26 Jan 2021 12:16:54 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAHej_8nZu3Fgj1=V8aQnho7LEc0Y12KfXa8b+xxXVDzDqe8Bxg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------0923B1F51C472FC7C9DF8DE4"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pGtjpvMBawPeTybCUeiwLAEXwco>
Subject: Re: [dmarc-ietf] attack on reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2021 20:16:59 -0000

On 1/26/21 12:01 PM, Todd Herr wrote:
> On Tue, Jan 26, 2021 at 2:24 PM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>
>     On 1/26/21 10:56 AM, Todd Herr wrote:
>
>         > In addition, if I recover that message from the log, I might
>         find no
>         > relationship with the reporting domain or the reported
>         source IP.
>         > That is to say, I won't be able to deduce if the report is
>         fake or real.
>
>
>         My main point here is to point out the attack.
>
>>
>>     The attack scenario you have described relies on several possible
>>     but perhaps implausible conditions all being true:
>>
>>     1. There exists a domain run by people who are savvy enough to
>>     want to implement DMARC and can consume reports, but don't have a
>>     good grasp on which IPs are likely to be theirs and which aren't,
>>     and don't have an understanding of how to use common tools to
>>     figure out whether an IP address might belong to their provider's
>>     ASN or one halfway around the world, and
>
>     Here's a very basic question: if I do not know all of the IP
>     addresses that send on my behalf, are DMARC reports of any value?
>     Enterprises farm out email all of the time and it could be
>     difficult to know when they change their server addresses, etc. If
>     the reporting is predicated on your having in effect and up to
>     date SPF record (ie, do all of the work to be able to produce
>     one), then that negates anybody who just uses DKIM alone which
>     should be a completely acceptable use case. And no, the
>     domain/selector tells you nothing when it doesn't verify.
>
>     If it is the case that you MUST know all of your sending IP
>     addresses, that should be in blinking bold right up front in
>     section 7.
>
>
> Yes, DMARC reports are of value if you don't know all of the IP 
> addresses that send on your behalf. Some have even written blog posts 
> on the topic of using DMARC aggregate reports as a tool to audit one's 
> authentication practices, by publishing a policy of p=none, collecting 
> the reports, analyzing the data, fixing problems, iterate, iterate, 
> iterate until one is ready to move on to the ultimate goal of p=reject.
>
How do I know when I'm done though if I don't know the IP addresses who 
send on my behalf? Is it an actual forgery or is it Marsha in marketing 
using a outsourced email blaster?

The larger point is that I should not have had to come to a working 
group mailing list to find out what should be in the document in the 
first place. Along with some ascii art in 7.2, there needs to be some 
explanation of the reporting's applicability and limitations. It doesn't 
need to be tome but some informative text goes a long way to helping 
people out who we're involved with the document from the beginning.

Mike

v2.23.0 | Report a Bug | By Email