IETF Logo Mail Archive

Re: [dmarc-ietf] attack on reports

Todd Herr <todd.herr@valimail.com> Tue, 26 January 2021 20:29 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 018843A0E79 for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 12:29:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QcagQNzpDgyo for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 12:29:32 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDCC13A0E5A for <dmarc@ietf.org>; Tue, 26 Jan 2021 12:29:31 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id n15so12663066qkh.8 for <dmarc@ietf.org>; Tue, 26 Jan 2021 12:29:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Y8OL15iVr9H2n5QK63/ATMtdYXd4ZN7pFTCKPi/hyyI=; b=ZobgK4zViJQ1NCasZwDPaXwSjNrIMiF4szPQYCqmg/Pj37KXTrKY5oeohbSMO4VpSb T2hmbWAv1pYXYi/OI9QiXycCfB4MmQMSr/Zl9R7zmpolRTlzY7ocolHVBg/iR9p/n97j RywEiLfoWiCtXv1g1OALXkHmmjy739id1N8577qEg5uoO5Eim02YRj0Ty4QJsyzeI1lg Ry2VsP8ESDkoaWNGOCytIBNLhJcFVfYd4XnoidTs6QId59IyqTRGFLpHDpmdVAmlA+0L G1zwebRNUkyexBVVMwMuZ9FEAVKfA1piKUDPPgt+LMayEpe/GnDWgDjD3IfmiNeThTeS JMYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Y8OL15iVr9H2n5QK63/ATMtdYXd4ZN7pFTCKPi/hyyI=; b=PMVCcpUjPLd5HARnBBxm1bBdrTg4ti9lxAzP8ouaup03WMHE51mVKPPcLr2Ks9WWtO 6AGqtCtRbiaf3lTUGmROSR2fNJNOjN5oFcygKqP6yCLBrO8N/diokaQ35AOugVfkxn2n 2n9tLcadQzwEY6NlX/xZwpnwuuGFIdz9MbXPU64mcMpeINknHzQpDVKNa9VgPglE4dDS rgKUNnhGo9lcb+zpOsOGXCgsYgOkEVyntOm2eJDKsX5iK6KMQnpNh8AMzeXGZuwy/XJA GObaQLop1LPCygQFi5mMUNGvRkVBSs3pWaaLPN2Ags0dv1qNPNcX3o9kMDvdogyaASi2 /HXQ==
X-Gm-Message-State: AOAM5312HGba9TwokrLJa6KGMGIjnVszYY0uEHu9EEgcfEne8lAVpU1z +QTsUX/T1wj4MZm6awjdV+zBceFERmx297ncDXgHUutkV04=
X-Google-Smtp-Source: ABdhPJyY05S97yB5EUA3ZmfyrTkK1qkHSrMABoz0Xcy2A6KJFhHVWg84mEkY97zSgqCooQODafVP37KckrffdCUT5zw=
X-Received: by 2002:a37:a245:: with SMTP id l66mr3323527qke.325.1611692970517; Tue, 26 Jan 2021 12:29:30 -0800 (PST)
MIME-Version: 1.0
References: <c049495f-faa2-c5f0-3e0a-7d8d86150568@mtcc.com> <aab313ee-4453-d97c-65ad-2a02d543c66c@tana.it> <24e8da5d-e306-7207-bb8f-74d44e4c5eaf@mtcc.com> <CAHej_8kS7hHR70LdcktuEtm08FyjsmqV17wHq21MdT=eNspCGw@mail.gmail.com> <f8f77f85-a2ae-3fb3-acb4-70d14a9da0f4@mtcc.com> <CAHej_8nZu3Fgj1=V8aQnho7LEc0Y12KfXa8b+xxXVDzDqe8Bxg@mail.gmail.com> <d181379e-8a3d-2865-53ca-709f679945ac@mtcc.com>
In-Reply-To: <d181379e-8a3d-2865-53ca-709f679945ac@mtcc.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Tue, 26 Jan 2021 15:29:14 -0500
Message-ID: <CAHej_8=jwMmMZLAUoKAXGgmn3va3R_nSYDgtM1U4ZG2s+uVz_Q@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000feb47c05b9d38220"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/zmpIk1Z3AZPkpaD26wAIjegA7_4>
Subject: Re: [dmarc-ietf] attack on reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2021 20:29:36 -0000

On Tue, Jan 26, 2021 at 3:16 PM Michael Thomas <mike@mtcc.com> wrote:

>
> On 1/26/21 12:01 PM, Todd Herr wrote:
>
> On Tue, Jan 26, 2021 at 2:24 PM Michael Thomas <mike@mtcc.com> wrote:
>
>>
>> On 1/26/21 10:56 AM, Todd Herr wrote:
>>
>>> > In addition, if I recover that message from the log, I might find no
>>> > relationship with the reporting domain or the reported source IP.
>>> > That is to say, I won't be able to deduce if the report is fake or
>>> real.
>>>
>>>
>>> My main point here is to point out the attack.
>>>
>>>
>> The attack scenario you have described relies on several possible but
>> perhaps implausible conditions all being true:
>>
>> 1. There exists a domain run by people who are savvy enough to want to
>> implement DMARC and can consume reports, but don't have a good grasp on
>> which IPs are likely to be theirs and which aren't, and don't have an
>> understanding of how to use common tools to figure out whether an IP
>> address might belong to their provider's ASN or one halfway around the
>> world, and
>>
>> Here's a very basic question: if I do not know all of the IP addresses
>> that send on my behalf, are DMARC reports of any value? Enterprises farm
>> out email all of the time and it could be difficult to know when they
>> change their server addresses, etc. If the reporting is predicated on your
>> having in effect and up to date SPF record (ie, do all of the work to be
>> able to produce one), then that negates anybody who just uses DKIM alone
>> which should be a completely acceptable use case. And no, the
>> domain/selector tells you nothing when it doesn't verify.
>>
>> If it is the case that you MUST know all of your sending IP addresses,
>> that should be in blinking bold right up front in section 7.
>>
>>
>> Yes, DMARC reports are of value if you don't know all of the IP addresses
> that send on your behalf. Some have even written blog posts on the topic of
> using DMARC aggregate reports as a tool to audit one's authentication
> practices, by publishing a policy of p=none, collecting the reports,
> analyzing the data, fixing problems, iterate, iterate, iterate until one is
> ready to move on to the ultimate goal of p=reject.
>
> How do I know when I'm done though if I don't know the IP addresses who
> send on my behalf? Is it an actual forgery or is it Marsha in marketing
> using a outsourced email blaster?
>

Time.

Some industry experts have suggested that one budget twelve to eighteen
months between first publishing a DMARC policy record and the hoped-for
transition to p=reject. YMMV, and a lot depends on the types of messages
that the organization sends, and their cadence. At the extreme end of more
than a year would be larger companies doing seasonal or cyclical mailings,
ones that maybe only market to certain customer segments once or twice per
year, tops. The more one knows about one's mail flows and the better one's
authentication practices before deploying DMARC, the shorter that time can
be, but a year or more isn't unusual at all.

-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email