Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem

Alessandro Vesely <vesely@tana.it> Tue, 02 February 2021 17:20 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DDE43A0C86 for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 09:20:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XBLBNUBtfN2I for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 09:20:02 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B4B43A0C80 for <dmarc@ietf.org>; Tue, 2 Feb 2021 09:20:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1612286400; bh=KCtRp0f57GmSTaXR64YgDEQwpUWdDheMt/uWnJGwNCQ=; l=1612; h=To:Cc:References:From:Date:In-Reply-To; b=AA6tX4NXyXQkMITLhMVcvTUqCFypL032mKwf/PlzkNrhl4rYx3FPe4epO7mTVa0qM RpIHPn9n4e2t/SBX+OaaDRP5Qo/7vW3deJt6psCf5bTFXAFfS6x4h8iF/OV+mLoqKh DAxb8B+Ku/3KPuV8k0KaJ/IJbV68y1pqfxaRLwrqrcljY0H9/lc1B5PxmtgPh
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Original-Cc: dmarc@ietf.org
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC042.00000000601989C0.00004195; Tue, 02 Feb 2021 18:20:00 +0100
To: Dave Crocker <dcrocker@gmail.com>, John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
References: <20210201232105.1931D6D20971@ary.qy> <41163cd5-be81-6fd7-07dd-7a474874429e@gmail.com> <92b361a1-d9a5-9389-46b-3725d885c02@taugh.com> <b83c7574-3aa9-bd39-1a9b-3be6fa4f47ec@gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <1021a8e4-ca5f-5fb3-2661-b4668b4bafd5@tana.it>
Date: Tue, 2 Feb 2021 18:19:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <b83c7574-3aa9-bd39-1a9b-3be6fa4f47ec@gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xT1hUgqGFc_TaeSPy2GssbunT-I>
Subject: Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2021 17:20:04 -0000

On Tue 02/Feb/2021 02:42:25 +0100 Dave Crocker wrote:
> On 2/1/2021 5:38 PM, John R Levine wrote:
> 
>> If we want to document existing practice, I guess we would say that reports 
>> should be authenticated and aligned if practical, but it's OK to send them if 
>> not.
> exactly.


I changed it again, for failure reports, like so:

3.3.  Transport

    Email streams carrying DMARC failure reports SHOULD conform to the
    DMARC mechanism, thereby resulting in an aligned "pass".  This
    requirement is a MUST in case the sending host has a DMARC record
    featuring a ruf= tag.  Indeed, special care must be taken of
    authentication in that case, as failure to authenticate failure
    reports may result in mail loops.

    Reporters SHOULD rate limit the number of failure reports sent to any
    recipient to avoid overloading recipient systems.  Again, in case the
    reports being sent are in turn at risk of being reported for DMARC
    authentication failure, reporters MUST make sure that possible mail
    loop are stopped.


Some comments upthread allude to the reporter's policy.  To be clear, the DMARC 
mechanism which results in an aligned pass is meant to say that the report is 
SPF or DKIM authenticated , the authenticated identifier is aligned with From:, 
and a DMARC record has been discovered.  The value of p= is irrelevant.

Indeed, from a security perspective, a faked failure report is not much 
different from an abusive message.  To wit, a bad actor could send one or the 
other, directly to the victim or, respectively, to a server that will report to 
the victim.


Best
Ale
--