Re: [dmarc-ietf] attack on reports

Michael Thomas <mike@mtcc.com> Tue, 26 January 2021 21:19 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D873A0EF1 for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 13:19:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuD1PrhhAyei for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 13:19:19 -0800 (PST)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 811473A0EF0 for <dmarc@ietf.org>; Tue, 26 Jan 2021 13:19:19 -0800 (PST)
Received: by mail-pg1-x52d.google.com with SMTP id r38so45258pgk.13 for <dmarc@ietf.org>; Tue, 26 Jan 2021 13:19:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=GQ1WaUdMCv/2rMET5IBAYfHyDnoVAitBVgYcBH3atYk=; b=LY7dac+BoqXrL4cKkRo22yzAmtNSDQFbrwIqwv6JRN38TtjOB6iWK5Pz0ayQf3aOu7 +OH1z6kOv+k2EX8ELSeQtw08ZMmZXVmWYXn9MEjFXlaAg01XnavczZm6BXt2Ss2EGiiV mNukWejqaCSslMsXk33a8RuqqOOQ7tSkRC8OXPxuNHCPqk8lu9dCB1G51GHjIT6g3qYf DUV39car9hgpSuAEFdeEqnN4+99afrm8Y3MEAq2ytQU/9hs7l1RklSgGPM2PcpfaOUBZ 5f+7sU7bbgdFguCYBMOkQtPAPs44p06ehe5V9HbI3guBB4Dy1RVIUdAT1NB6L5eCCbGX kfpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=GQ1WaUdMCv/2rMET5IBAYfHyDnoVAitBVgYcBH3atYk=; b=Rg7h9g3FXyHiaWBagXdeP/FcJE7kLiFu+xPhkF8tk8hfSJk1E7BiLVJUUH/BA+0Avw +nIxTEEl2QO0BjxpSGn9sjEvTMMpHDB7tTgiBwP3Te/OKSk3CiFGyAA/gvKQcWJ/YG1g aQPIxE0hpKXN6GYClUuZ9TORR/iFUdWCrav46QJOYD4HS/qZ4ebegy5G9eGPF7zlLTn2 8xFTz9WQ7Xg6WVfGck5IRm3ibfpB2rd0489PAE0Ey5cNvYv9xjJ8SoxrwGF3Oxd5FLOA 0lOjDnf2gI4JfWaoqvchQ5IHFfZVvGuJqXm2oZJ+CRf1WjzRCBEIIZPQxKelpllp+LZt pKvA==
X-Gm-Message-State: AOAM530PpiLa1/6eFlJmYo0IgHNonKdcEzr7voiIo5RZWgi+hN81WsLq 6kle3owSJWb4K0m83mSfmUHkdMCuE4tAEA==
X-Google-Smtp-Source: ABdhPJwWbDQ5PjzFOr8+SUc+FqKkd9ivqs/k++Y6WXg0F78VrdGlNdun6GbF6S3ZhW8wG0kxTqNj1w==
X-Received: by 2002:a62:7896:0:b029:1b6:7319:52a7 with SMTP id t144-20020a6278960000b02901b6731952a7mr7419247pfc.30.1611695958459; Tue, 26 Jan 2021 13:19:18 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id y22sm42198pfb.132.2021.01.26.13.19.17 for <dmarc@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Jan 2021 13:19:17 -0800 (PST)
To: dmarc@ietf.org
References: <c049495f-faa2-c5f0-3e0a-7d8d86150568@mtcc.com> <aab313ee-4453-d97c-65ad-2a02d543c66c@tana.it> <24e8da5d-e306-7207-bb8f-74d44e4c5eaf@mtcc.com> <CAHej_8kS7hHR70LdcktuEtm08FyjsmqV17wHq21MdT=eNspCGw@mail.gmail.com> <f8f77f85-a2ae-3fb3-acb4-70d14a9da0f4@mtcc.com> <CAHej_8nZu3Fgj1=V8aQnho7LEc0Y12KfXa8b+xxXVDzDqe8Bxg@mail.gmail.com> <d181379e-8a3d-2865-53ca-709f679945ac@mtcc.com> <CAHej_8=jwMmMZLAUoKAXGgmn3va3R_nSYDgtM1U4ZG2s+uVz_Q@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <c05c4fb1-514c-7312-1d5e-cdcf5fba6267@mtcc.com>
Date: Tue, 26 Jan 2021 13:19:16 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAHej_8=jwMmMZLAUoKAXGgmn3va3R_nSYDgtM1U4ZG2s+uVz_Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------4A49B698C8EF3EF31E060311"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/swR6_PB6RRmqzm-tQPaFEYLKMuI>
Subject: Re: [dmarc-ietf] attack on reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2021 21:19:21 -0000

On 1/26/21 12:29 PM, Todd Herr wrote:
> On Tue, Jan 26, 2021 at 3:16 PM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>     Yes, DMARC reports are of value if you don't know all of the IP
>     addresses that send on your behalf. Some have even written blog
>     posts on the topic of using DMARC aggregate reports as a tool to
>     audit one's authentication practices, by publishing a policy of
>     p=none, collecting the reports, analyzing the data, fixing
>     problems, iterate, iterate, iterate until one is ready to move on
>     to the ultimate goal of p=reject.
>
>     How do I know when I'm done though if I don't know the IP
>     addresses who send on my behalf? Is it an actual forgery or is it
>     Marsha in marketing using an outsourced email blaster?
>
>
> Time.
>
> Some industry experts have suggested that one budget twelve to 
> eighteen months between first publishing a DMARC policy record and the 
> hoped-for transition to p=reject. YMMV, and a lot depends on the types 
> of messages that the organization sends, and their cadence. At the 
> extreme end of more than a year would be larger companies doing 
> seasonal or cyclical mailings, ones that maybe only market to certain 
> customer segments once or twice per year, tops. The more one knows 
> about one's mail flows and the better one's authentication practices 
> before deploying DMARC, the shorter that time can be, but a year or 
> more isn't unusual at all.
>
I don't see how time helps anything if I can't differentiate between our 
legitimate traffic and attacker traffic. All an attacker would need to 
do is send a mail cannon to mimic Marsha in Marketing every once in a 
while and the entire thing resets. If it is a requirement to know all of 
the legitimate IP addresses in order to make use of the reports as an 
indicator, the draft should be very explicit about that.

Mike
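The exchange above turns on what an aggregate report can and cannot tell the domain owner. As an added illustration (not code posted by anyone in this thread), the script below parses a constructed RUA report in the RFC 7489 aggregate-report XML format and buckets each source by whether its mail aligned and whether its IP is on a known-sender list. Every IP, domain, count and timestamp in the sample is made up, and the known-sender list is an assumption supplied from outside the report: the report carries no such field, which is exactly the gap Mike describes.

```python
"""Classify source IPs in a DMARC aggregate (RUA) report against a
known-sender list.

Added example for this thread, not code posted by any participant. The
report XML is a constructed sample in the RFC 7489 aggregate-report
format; every IP, domain, count and timestamp in it is made up. The
known-sender list passed to classify() is an assumption supplied by the
domain owner: the report itself carries no such information."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one aligned sender, one unknown source that passes
# SPF only for its own domain (an outsourced mailer would look like this),
# and one unknown source with no authentication at all. The last two
# records are indistinguishable in the fields DMARC evaluates.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1611619200</begin><end>1611705600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>blaster.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>250</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>random.example.org</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (policy domain, list of per-source rows) from one RUA report."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            # Aligned DKIM/SPF results as the receiver evaluated them.
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return domain, rows


def classify(rows, known_senders):
    """Bucket message counts by alignment and by whether the source is known.

    known_senders: CIDR strings the domain owner has inventoried (assumption).
    Returns (counts per bucket, list of unknown unaligned source IPs)."""
    nets = [ipaddress.ip_network(n) for n in known_senders]
    counts = {"aligned": 0, "known_unaligned": 0, "unknown_unaligned": 0}
    unknown = []
    for r in rows:
        aligned = r["dkim"] == "pass" or r["spf"] == "pass"
        ip = ipaddress.ip_address(r["source_ip"])
        known = any(ip in net for net in nets)
        if aligned:
            counts["aligned"] += r["count"]
        elif known:
            counts["known_unaligned"] += r["count"]  # ours: fix its authentication
        else:
            counts["unknown_unaligned"] += r["count"]  # forgery or unlisted sender?
            unknown.append(r["source_ip"])
    return counts, unknown


if __name__ == "__main__":
    domain, rows = parse_report(SAMPLE_REPORT)
    # With only the corporate range inventoried, the mailer and the
    # unauthenticated source fall into the same bucket.
    print(domain, classify(rows, ["192.0.2.0/24"]))
    # Only outside knowledge (adding the mailer's range) separates them.
    print(domain, classify(rows, ["192.0.2.0/24", "198.51.100.0/24"]))
```

Run with the inventory limited to the corporate range and both unaligned sources land in `unknown_unaligned` with identical report fields; only after the mailer's range is added from outside the report does one move to `known_unaligned` and the other remain as the candidate forgery. That is the inventory dependency the message argues the draft should state explicitly.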