cisagov / trustymail

Scan domains and return data based on trustworthy email best practices
Creative Commons Zero v1.0 Universal

Questions related to HHS Trustymail and HTTPS CyHy Reports #102

Closed erm161 closed 5 years ago

erm161 commented 5 years ago
  1. The Trustymail report now contains .net, .org and .com domains that do not contain DMARC information (columns T-X in the raw data are blank). This produces an N/A in the compliance fields, rather than a 0/1 for the .gov domains.

  2. 105 NIH domains have dropped off of the report of top-level domains for NIH. The 1/20 report contained 271 NIH top-level domains and the 1/27 and 2/3 reports have 166.

  3. HHS has not been able to send the HTTPS report out to our stakeholders because the last column of the raw data reads "Unknown Error". Can DHS send us a report without this error?

Thank you for your time,

jsf9k commented 5 years ago

Regarding your first point, we were asked by someone at HHS to add the following non-.gov domains:

I assume these are the domains you are talking about. I don't have any more details about the request, but if you send me an email at jeremy.frasier@trio.dhs.gov I'll forward it to someone who can tell you more.

jsf9k commented 5 years ago

Regarding your second point, it looks like a lot of NIH hosts (such as autodiscover.31.nia.nih.gov) that used to have MX records no longer do. As stated on page 4 of the 2/9 report, we do not list subdomains in the "Results" table that do not support SMTP. A subdomain that does not have an MX record set does not receive mail and hence does not support SMTP.

(We omit such subdomains from the report in order to keep the overall report size manageable.)

jsf9k commented 5 years ago

Regarding your third point, we do not have the capacity to create custom reports. "Unknown Error" is indeed the name of the last column of the CSV, and the boolean value it contains indicates whether an unexpected error occurred while processing the domain. (This field exists chiefly as a means to help us debug when folks report issues with results for particular domains.) I looked at your 2/9 HTTPS report, and that column only has a value of true in 7/12492 lines.

erm161 commented 5 years ago

Thanks – we figured out the issue. A new column was added since the 1/20 report – OCSP domains. I’m not sure of the purpose of this column, but it caused an error in the macro we’ve created to turn the DHS reports into an OpDiv specific compliance report for our use. I was able to remove that column and everything aligned as expected.

Thanks,

Evan Miller (Contractor), Security Design + Innovation (SDI), Office of Information Security (OIS), US Department of Health & Human Services (HHS). Email: Evan.Miller@hhs.gov (Cell) 732.322.1566

jsf9k commented 5 years ago

@erm161 it seems you knew about the domains being added. The reason no DMARC information appears for those domains is because they lack DMARC records. For example:

$ dig TXT _dmarc.hearttruth.net

; <<>> DiG 9.13.5 <<>> TXT _dmarc.hearttruth.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45166
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_dmarc.hearttruth.net.         IN      TXT

;; AUTHORITY SECTION:
hearttruth.net.         1771    IN      SOA     ns.nih.gov. hostmaster.nih.gov. 27 3600 600 2419200 3600

;; Query time: 11 msec
;; SERVER: 172.30.3.1#53(172.30.3.1)
;; WHEN: Tue Feb 12 10:44:12 EST 2019
;; MSG SIZE  rcvd: 107
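The two answers above come down to two DNS checks: a host without an MX record set does not receive mail and is left out of the "Results" table, and a domain whose `_dmarc` TXT lookup returns nothing gets blank DMARC columns (N/A) instead of a 0/1 score. The following script is an added illustration, not trustymail's own code; it models both rules against a constructed, inline DNS table so it runs offline. The 0/1 scoring rule (p=reject counts as compliant, which is what BOD 18-01 requires) is my simplification of the report's compliance column, and the lookup only consults `_dmarc.<host>`, not the organizational-domain fallback that RFC 7489 also allows.

```python
"""Model how a host lands in a trustymail-style report from its DNS answers.

Added example for this thread; not code from the trustymail project.
Two rules from the discussion are reproduced:
  * a subdomain with no MX record set does not support SMTP and is omitted;
  * a domain with no DMARC TXT record gets N/A rather than a 0/1 score.
"""
from typing import Dict, List, Optional

# Constructed DNS answers (not real query results). A name that is absent
# or has no TXT entry stands in for the NXDOMAIN seen in the dig output.
DNS: Dict[str, Dict[str, List[str]]] = {
    "example.gov": {"MX": ["10 mx.example.gov."]},
    "_dmarc.example.gov": {"TXT": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"']},
    "autodiscover.example.gov": {},        # no MX: does not support SMTP
    "example.net": {"MX": ["10 mx.example.net."]},
    # no "_dmarc.example.net" key: DMARC lookup comes back empty
    "example.org": {"MX": ["5 inbound.example.org."]},
    "_dmarc.example.org": {"TXT": ['"v=DMARC1; p=none; pct=100"']},
}


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of the first DMARC record, or None.

    Only a TXT record beginning with v=DMARC1 counts; SPF or other TXT
    data at the same name is ignored.
    """
    for rr in txt_records:
        text = rr.strip().strip('"')
        if not text.lower().startswith("v=dmarc1"):
            continue
        tags: Dict[str, str] = {}
        for part in text.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        return tags
    return None


def supports_smtp(host: str) -> bool:
    """A host receives mail only if it has at least one MX record."""
    return bool(DNS.get(host, {}).get("MX"))


def dmarc_compliance(domain: str) -> Optional[int]:
    """1 if the DMARC policy is p=reject, 0 otherwise, None if no record.

    Simplified scoring (assumption for this example): BOD 18-01 requires
    p=reject, so only that policy scores 1. Lookup is at _dmarc.<domain>
    only; the RFC 7489 organizational-domain fallback is not modelled.
    """
    txt = DNS.get(f"_dmarc.{domain}", {}).get("TXT", [])
    tags = parse_dmarc(txt)
    if tags is None:
        return None  # rendered as N/A in the report
    return 1 if tags.get("p", "").lower() == "reject" else 0


def report_row(host: str, base_domain: str) -> Optional[Dict[str, object]]:
    """Build the report row for a host, or None if it would be omitted.

    Base domains are always listed; subdomains are listed only when they
    support SMTP, which is why hosts that lost their MX records drop off.
    """
    smtp = supports_smtp(host)
    if host != base_domain and not smtp:
        return None
    score = dmarc_compliance(host)
    return {
        "domain": host,
        "supports_smtp": smtp,
        "dmarc_compliance": "N/A" if score is None else score,
    }


if __name__ == "__main__":
    for host, base in [
        ("example.gov", "example.gov"),
        ("autodiscover.example.gov", "example.gov"),
        ("example.net", "example.net"),
        ("example.org", "example.org"),
    ]:
        row = report_row(host, base)
        print(f"{host}: {'omitted' if row is None else row}")
```

Running it prints one line per constructed host: the base domains appear with a score of 1, 0 or N/A, and the MX-less subdomain is reported as omitted, which is the behaviour described for the NIH hosts above.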

jsf9k commented 5 years ago

> Thanks – we figured out the issue. A new column was added since the 1/20 report – OCSP domains. I’m not sure of the purpose of this column, but it caused an error in the macro we’ve created to turn the DHS reports into an OpDiv specific compliance report for our use. I was able to remove that column and everything aligned as expected.

The purpose of that column is to alert the report recipient if a domain is known by us to be an OCSP domain. Such domains are scanned, but their compliance or non-compliance does not influence the BOD 18-01 results for the organization. Such sites are discussed on page 4 of your HTTPS report, and here.

jsf9k commented 5 years ago

I'll close this issue for now, since I think it is resolved, but please reopen @erm161 if you feel otherwise.