IETF Logo Mail Archive

Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis

Wei Chuang <weihaw@google.com> Sun, 13 August 2023 21:47 UTC

Return-Path: <weihaw@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89FFBC151063 for <dmarc@ietfa.amsl.com>; Sun, 13 Aug 2023 14:47:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q7Rx-iYqIFYf for <dmarc@ietfa.amsl.com>; Sun, 13 Aug 2023 14:47:40 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67B5BC151061 for <dmarc@ietf.org>; Sun, 13 Aug 2023 14:47:40 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id d75a77b69052e-40fd6a26ed1so31cf.1 for <dmarc@ietf.org>; Sun, 13 Aug 2023 14:47:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1691963259; x=1692568059; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lQu8+P4139R3YM2r/xnTjGGtyyYk6G2WzpwDLfFQGYc=; b=YKYb4ZGbxLxKN7XSBzQkyIYnvSSBlWMHs60swOqkXdNXyAkrnkuGSqoSpOV5762Ym3 uRJdPz00m4MOjxSoCf9NQSQiepAHDhzBiCI5ka4yxlbVCCQZBHxuLp08Hy4FqnqBzjw3 cx0jGV4xeSPdthqfn6WI7wLrhPwL1vbN8MhH2PtTSU9vTaV1hVYGdhrNFISB0Cgd3b/6 nzmbNyVVES0SgtJ9ULg/7fgfTAO/qNryfOIXoqV89lRHganTNQ7RUeunYJWhdtAJjxdP xCTx8mPB9H4fmBIdp4/jYttoFwQ6ZieHYuXZeNr4nQ6pGHnjpUuYV4w+H/j7avbCiuID qkag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691963259; x=1692568059; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lQu8+P4139R3YM2r/xnTjGGtyyYk6G2WzpwDLfFQGYc=; b=D50KRQc9A32EoEcUeEBNC4E5Suyyyd2YUGJaI6S5YWqGlGgdLwOYtYOSE1n1h+3opR oETI+lqVsV5pmq5q/ajRV5yCuTCRw4M1VJ7SYkUHnerme+wh7mNIhpprV6a+7YGRJ71b IHWMzqy1HTDK0T4q7rxUZ7Tf3hqpzISjR6H6kxVLZ62WMD1H96ssuHRz0Mn0tgXiTybu 0Is9eXIl/gd5Tyt6gwsNGbO3DxxM6GCnUJfmhL+A3LJsW1acNKDKZDXm5XU3CZLhRMfk qsjGPBQuzKxQnyojSVVXkL2DDJK3QMKVJEbUQVmdsBBsbbuYqlPNN+987n/n44MyzFOP AC1A==
X-Gm-Message-State: AOJu0YzvK5MU/SvDGYs57xlEHH6eSlwmXyT3kqz9eUjruKYToShbqMAo 5DOmLqLyQ30j6Acmij9RUuYnZHfCR5+m/IWkhNQ/6nVtdMESK5cNAbtifg==
X-Google-Smtp-Source: AGHT+IHI6WKm4L6DWgTx56Vi/C5HztANeNcFNM4KTknGIaGFjN2S4R6xpbnu6Fds855KSHgcCWHcAye3nximJT/gcZs=
X-Received: by 2002:a05:622a:580a:b0:3f3:91c7:14d4 with SMTP id fg10-20020a05622a580a00b003f391c714d4mr135403qtb.0.1691963258228; Sun, 13 Aug 2023 14:47:38 -0700 (PDT)
MIME-Version: 1.0
References: <20230805195903.26505FF79E6F@ary.qy> <3536799.mSVOu7074L@localhost> <2B846955-E465-4A1F-9F89-3DDDB8B362CF@isdg.net> <3611454.GY1gGpy5ap@localhost> <CAAFsWK119cvS8VxfVMCdewPRKLNk4Zfa2R0-MYfb6CY9SJC7tQ@mail.gmail.com> <DB3C9948-9BCE-4939-966A-86BB66AA2D80@kitterman.com>
In-Reply-To: <DB3C9948-9BCE-4939-966A-86BB66AA2D80@kitterman.com>
From: Wei Chuang <weihaw@google.com>
Date: Sun, 13 Aug 2023 14:47:15 -0700
Message-ID: <CAAFsWK0F53pKu=6UdwnZHakUmp4jub=712jvhYL3ED-RZbq_gQ@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="000000000000fb44ae0602d4e4fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sPc_FMwPedFjSmeA9XqrhHpBXEc>
Subject: Re: [dmarc-ietf] Proposal for additional Security Considerations for SPF Upgrade in draft-ietf-dmarc-dmarcbis
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Aug 2023 21:47:44 -0000

I've tried to roll up the guidance in this thread in the results below.
-Wei

=====

11.9 Quarantined Forwarded Mail Security Risk

When receivers apply the "MUST NOT reject" in Section 8.6 to accept
unauthenticated messages as quarantined messages, receivers ought to
carefully review how they forward mail traffic to prevent additional
security risk.  The forwarded mail might be able to obtain SPF or DKIM
authentication through the receiver, and thereby obtain a fraudulent DMARC
aligned From despite having an associated strong DMARC policy of
"p=reject".  For SPF, a malicious sender needs two properties to perform
such a SPF attack: 1) a receiver that will forward quarantined messages,
and 2) the spammer finds a SPF policy that covers the forwarding IPs.  Such
a sender crafts a message with From header assuming the identity of the
domain with the SPF policy and matching MAIL FROM.  Consequently the
receiver evaluates message authentication and finds that the MAIL FROM does
not authenticate but does not reject the message and instead quarantines
it.  Vulnerable receivers then forward the message to some subsequent
receiver with the message taking the authenticated identity of the From
header.  That forwarding might be under control of the malicious sender
perhaps via auto-forwarding or enterprise policy.  Receivers need to
consider restricting forwarding when the message is SPF unauthenticated.
For DKIM, a malicious sender finds a forwarder that re-signs messages with
DKIM that lets some malicious email take the identity of the DKIM signer
domain.  Some forwarders appear to do this for all messages.  Other
forwarders might do this when the message is modified such as
mailing-lists.  As with the SPF attack, the malicious sender may be able to
create a message with some From header corresponding to the spoofed
re-signing domain to obtain DMARC alignment at the receiver.  Forwarders
that re-sign messages with DKIM ought to consider the reputational and
identity risk that it imposes.  With ARC [RFC8617], receivers sometimes
override their local DMARC results with results found from the
ARC-Authentication-Result header to prevent mail from being rejected or
quarantined. Malicious senders may target these receivers if that override
is done improperly.  Hence receivers ought to carefully consider whether
they can trust the results passed in the ARC-Authentication-Results as they
are provided by the forwarder without any guarantee they are correct.  SPF,
DKIM and ARC forwarding attacks and other considerations are discussed
further in Liu et. al. [1].

[1] Liu, Enze et al. "Forward Pass: On the Security Implications of Email
Forwarding Mechanism and Policy", Proceedings of the 8th IEEE European
Symposium on Security and Privacy, 2023.

On Sun, Aug 6, 2023 at 1:46 PM Scott Kitterman <sklist@kitterman.com> wrote:

> That reads to me as guidance for DMARC implementers on how to integrate
> SPF and DKIM  results for the purposes of DMARC.  I think that's in scope
> for DMARCbis.
>
> There's a multitude of ways people can screw these things up and we won't
> be able to cover them all.  The guidance needs to be somewhat high level.
>
> One of my favorites is a case I was asked to investigate where an ESP had
> transmitted a clearly forged email for one of their customers and the
> customer wanted to know why DMARC hadn't protected them, even though they
> had a p=reject policy.
>
> What happened was that the ESP received a DMARC fail email from an
> unrelated mail server that also had a valid ARC signature, so instead of
> rejecting the message, they allowed the ARC result to override the DMARC
> policy and accepted it. Then they relayed it to the final destination
> (which in the same domain as the From domain - which was owned by their
> customer).  There's all kinds of things people can do to mess this up.  I
> don't think it's obscure that one should only believe ARC results from
> trusted sources, but there we were.
>
> Scott K
>
> On August 6, 2023 8:07:31 PM UTC, Wei Chuang <weihaw=
> 40google.com@dmarc.ietf.org> wrote:
> >I don't think having this language is saying you can't do SPF.  Rather
> this
> >is about preventing new spoofing attacks on DMARC aligned identity.  In
> >particular where previously this attack was not possible on forwarders
> that
> >honored the p=reject policy, now that they will downgrade to quarantine,
> it
> >opens a new vector that should be reviewed to prevent this attack. I
> >propose this because I've seen the forwarding attack with SPF on ups.com.
> >The Liu et. al. paper notes that they were able to spoof the From header
> >government e.g. state.gov, financial and legal companies with SPF.  You
> >noted that it's feasible with DKIM too.  The RFC should ask forwarders to
> >do this review when they p=reject downgrade otherwise it does add systemic
> >risk to the DMARC protected From identity.
> >
> >-Wei
> >
> >On Sun, Aug 6, 2023 at 11:38 AM Scott Kitterman <sklist@kitterman.com>
> >wrote:
> >
> >> On Sunday, August 6, 2023 2:10:35 PM EDT Hector Santos wrote:
> >> > > On Aug 5, 2023, at 5:37 PM, Scott Kitterman <sklist@kitterman.com>
> >> wrote:
> >> > >
> >> > > On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
> >> > >> It appears that Scott Kitterman  <sklist@kitterman.com> said:
> >> > >>>> When receivers apply the "MUST NOT reject" in Section 8.6 to
> accept
> >> > >>>> unauthenticated messages as quarantined messages, receivers
> SHOULD
> >> > >>>> carefully review how they forward mail traffic to prevent
> additional
> >> > >>>> security risk.  That is, this downgrade can enable spoofed
> messages
> >> > >>>> that
> >> > >>>> are SPF DMARC authenticated with a fraudulent From identity
> despite
> >> > >>>> having
> >> > >>>> an associated strong DMARC policy of "p=reject". ...
> >> > >>
> >> > >> We all realize that SPF has problems, but I really do not want to
> fill
> >> > >> up the DMARC document with text that says "you can authenticate
> with
> >> > >> SPF, hahaha no just kidding."
> >> > >>
> >> > >> The way to fix Microsoft's forwarding SPF problem is for Microsoft
> to
> >> put
> >> > >> the forwarding user's bounce address on the message, not for us to
> >> tell
> >> > >> the entire world to use kludgy workarounds.
> >> > >
> >> > > I agree.  We need to be careful to solve protocol problems in the
> >> protocol
> >> > > and leave fixing implementation problems to implementers.  We aren't
> >> > > going to protocol our way out of bad implementation decisions.
> >> >
> >> > Taken within the good-intention, protocol-compliant implementations,
> >> which
> >> > one do we add as “Implementations Notes?”  Which or rather What are
> >> > “Current Practice”behavior can we note?
> >>
> >> I think best current practice goes in a different document.  Maybe we do
> >> that
> >> after DMARCbis is buttoned up?
> >>
> >> Scott K
> >>
> >>
> >> _______________________________________________
> >> dmarc mailing list
> >> dmarc@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dmarc
> >>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email