domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

invalid forensic report - inline? #64

Closed syska closed 5 years ago

syska commented 5 years ago

Are inline forensic reports like the following supported?

But got the following from Baruwa as an inline message ... is this supposed to be valid? Is this a parsedmarc issue or is it Baruwa that is doing something wrong?

Here is the message:

A message claiming to be from you has failed the published DMARC
policy for your domain.

  Sender Domain: domain.tld
  Sender IP Address: 191.252.30.42
  Received Date: Wed, 20 Feb 2019 08:52:51 +0100
  SPF Alignment: no
  DKIM Alignment: no
  DMARC Results: Reject

------ This is a copy of the headers that were received before the error
       was detected.

Received-SPF: pass (mailwatch.domain.tld: domain of fantozziassociates.com.br designates 191.252.30.42 as permitted sender) client-ip=191.252.30.42; envelope-from=technology@fantozziassociates.com.br; helo=mcegress-30-lw-42.correio.biz;
Received: from mcegress-30-lw-42.correio.biz ([191.252.30.42])
        by mailwatch.domain.tld with esmtp (Baruwa 2.0)
        (envelope-from <technology@fantozziassociates.com.br>)
        id 1gwMgU-000BZz-Ii ret-id none;
        for user@domain.tld; Wed, 20 Feb 2019 08:52:51 +0100
X-Sender-Id: x-authuser|technology@fantozziassociates.com.br
Received: from mcbain0002.correio.biz (mcingress0005.correio.biz [10.30.225.40])
        by mcrelay.correio.biz (Postfix) with ESMTP id B6599E7FB4
        for <user@domain.tld>; Wed, 20 Feb 2019 04:38:27 -0300 (-03)
X-Sender-Id: x-authuser|technology@fantozziassociates.com.br
Received: from mcbain0002.correio.biz (mcbain0002.email.locaweb.com.br
 [10.30.224.225])
        by 0.0.0.0:2500 (trex/5.9.14);
        Wed, 20 Feb 2019 04:38:27 -0300
X-LW-Relay: Bad
X-LW-SenderId: x-authuser|technology@fantozziassociates.com.br
Received: from mcbain0002.correio.biz (localhost [127.0.0.1])
        by mcbain0002.correio.biz (Postfix) with ESMTP id B868780E109
        for <user@domain.tld>; Wed, 20 Feb 2019 04:38:21 -0300 (-03)
Received: from proxy.email-ssl.com.br (bartf0034.email.locaweb.com.br [10.31.120.66])
        by mcbain0002.correio.biz (Postfix) with ESMTP id 94B8680A079
        for <user@domain.tld>; Wed, 20 Feb 2019 04:38:21 -0300 (-03)
x-locaweb-id: dhgMVzE2N6Che-U8r-uy0-8GOczG90QXqWf1mPzhNnDb041_bM9xYl5CAv6pKmafkEV_FrqY_ktG7QelXU2nuAMZ-FM0gZyq1NL_r6PEX6tVUKIbsEn68tDhhitNMPjObNP-7nv3utX6nG-515B_SgMtXHH3zlkoLYwRtAKgSAfpExUPhcydzhHlDIGrndZP4N0HtsTlDy_yd6vJ7hXHgzhqip2MJfNPEKDMaq66Ogg= NzQ2NTYzNjg2ZTZmNmM2ZjY3Nzk0MDY2NjE2ZTc0NmY3YTdhNjk2MTczNzM2ZjYzNjk2MTc0NjU3MzJlNjM2ZjZkMmU2Mjcy
X-LocaWeb-COR: locaweb_2009_x-mail
X-AuthUser: technology@fantozziassociates.com.br
Received: from [177-129-200-154.nnt.net.br] (unknown [177.129.200.154])
        (Authenticated sender: technology@fantozziassociates.com.br)
        by proxy.email-ssl.com.br (Postfix) with ESMTPSA id 7AEE27A0352
        for <user@domain.tld>; Wed, 20 Feb 2019 04:38:24 -0300 (-03)
List-Subscribe:
 <http://mailer.fantozziassociates.com.br/misc/pages/subscribe/q5ricwgpnd38z1uhjha6616rhonlor2a2djt9zc6hy3a9r8bsf5onqcz7n0f>,
  <mailto:subscribe@mailer.fantozziassociates.com.br?subject=Subscribe+87334_3110_6_776050_8348>
To: user@domain.tld
Date: Wed, 20 Feb 2019 08:38:25 +0100
Errors-To: security@fantozziassociates.com.br
X-aid: 8691818038
X-Priority: 2
Message-ID:
 <53kz0kecyil122wsjpzgbqwqp@zqzb6cnx632waplm7idrcqlr0spvpwvvanoz677w9wgdd6wfrq2uls>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
Abuse-Reports-To: abuse@fantozziassociates.com.br
Subject: hhp
From: <user@domain.tld>
X-Sender: technology@fantozziassociates.com.br
X-Outbound-RspamD: yes
X-MC: yes

If you think this is an issue with parsedmarc that should be supported, please let me know ... I will supply any information missing....

If this is an issue with Baruwa I will file an issue on their support channel ...

seanthegeek commented 5 years ago

This is not a valid format.

https://tools.ietf.org/html/rfc7489#section-7.3

syska commented 5 years ago

As awesome as it can be ... I will open an issue with Baruwa to see if they can fix it.

anbalaganr commented 4 years ago

Hi,

I too am getting a similar forensic report from "antispamcloud.com", and parsedmarc throws a "not a valid DMARC report" error.

Is there any workaround?

Regards, Anbalagan R

sriccio commented 4 years ago

Hi,

I also have tons of such formatted forensic reports in our dmarc mailbox, and they get rejected by parsedmarc.

Most also come from antispamcloud.com and hostfactory.ch, but not only.

It looks like antispamcloud is a hosted service of SolarWinds SpamExperts. https://documentation.solarwindsmsp.com/spamexperts/documentation/Content/B_Admin%20Level/domains/mx-records.htm

I might try to get in touch with them asking why they don't use the AFRF for the reports.

When a Domain Owner requests failure reports for the purpose of forensic analysis, and the Mail Receiver is willing to provide such reports, the Mail Receiver generates and sends a message using the format described in [AFRF]; this document updates that reporting format, as described in Section 7.3.1.
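Added example, not part of the thread and not parsedmarc's own code: the format question above comes down to message structure, since AFRF (RFC 5965, referenced by RFC 7489 section 7.3) is a multipart/report message with report-type=feedback-report and a message/feedback-report part, whereas the Baruwa-style notice is plain text. The function name and both sample messages are constructed for illustration.

```python
from email import message_from_string
REQUIRED = ("Feedback-Type", "User-Agent", "Version")  # mandatory per RFC 5965

def classify_failure_report(raw):
    """Return (is_afrf, detail) for a raw message given as a string."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return False, "top-level type is " + msg.get_content_type()
    if str(msg.get_param("report-type", "")).lower() != "feedback-report":
        return False, "report-type is not feedback-report"
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            # The stdlib parser exposes the report fields as a nested Message.
            fields = part.get_payload(0)
            missing = [n for n in REQUIRED if fields[n] is None]
            if missing:
                return False, "missing fields: " + ", ".join(missing)
            return True, fields["Feedback-Type"].strip().lower()
    return False, "no message/feedback-report part"

# Constructed samples: a minimal AFRF report and an inline plain-text notice.
AFRF_SAMPLE = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

A message failed the DMARC policy for domain.tld.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
User-Agent: ExampleReporter/1.0
Version: 1
Auth-Failure: dmarc

--b1
Content-Type: text/rfc822-headers

From: <user@domain.tld>
--b1--
"""
INLINE_SAMPLE = """\
Content-Type: text/plain; charset=UTF-8

A message claiming to be from you has failed the published DMARC policy.
  Sender Domain: domain.tld
  DMARC Results: Reject
"""
```

A check like this can be run over an Invalid folder to count how many rejected messages are plain-text notices rather than malformed AFRF.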

steenstra commented 3 years ago

This is not a valid format.

https://tools.ietf.org/html/rfc7489#section-7.3

I have 900 of the same emails in my Archive/Invalid folder, and not a single email in my Archive/Forensic folder. Could it be that maybe you are mistaken about what the standard is? Or is it possible to add support for this format anyway, since in my case, this is the only format that is used.