ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed component from dmarc-bis to dmarc-aggregate-reporting
Closed ietf-svn-bot closed 3 years ago
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed component from dmarc-bis to dmarc-aggregate-reporting
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com commented
Hatless...
I disagree with the premise of this ticket, and assert that not only does DMARC reporting not require explicit knowledge of all valid sending IP addresses, DMARC reporting instead provides a facility by which it reveals to the domain owner previously-unknown valid IP addresses, leading to a full understanding of the IP addresses in use to send mail for the domain.
ietf-svn-bot
commented
3 years ago @vesely@tana.it commented
Attacker in the above description is used with two meanings:
A spammer abusing of the domain name, which results in aggregate reports containing records with failed authentication.
A malicious influencer trying to mislead the domain admins by sending fake aggregate reports containing lots of failures. Such activity, akin to spear phishing, can discourage the domain admins from publishing strict DMARC policies, so that the attacker can abuse the domain.
ietf-svn-bot
commented
3 years ago @vesely@tana.it changed _comment0 which not transferred by tractive
ietf-svn-bot
commented
3 years ago @johnl@taugh.com changed status from new to closed
ietf-svn-bot
commented
3 years ago @johnl@taugh.com set resolution to wontfix
ietf-svn-bot
commented
3 years ago @johnl@taugh.com commented
This ticket misunderstands how DMARC reporting works.
resolution_wontfixtype_defect| by mike@mtcc.comIn order differentiate between an attacker sending from an unapproved IP address and an approved but not yet validated source, the receiver of reports needs to have explicit knowledge of all valid IP addresses in use, including those of outsourced email for example. This is not spelled out in the current draft and should be. Given the current DMARC reporting architecture not knowing all valid IP addresses could lead to an attacker spoofing messages to large providers to make it seem as if approved but unsigned traffic is still at large. It should be made plain that this is part of the task of getting to a p=reject policy.
there is a security aspect to this as well as a deployment aspect.
Issue migrated from trac:101 at 2022-01-24 16:53:15 +0000