Not sure if it was already discussed: I believe there is a serious security flaw in the DMARC forensic reports feature.

Problem description:

It's possible to obtain a subscribers list. If the list has individual "unsubscribe" links or a direct List-Unsubscribe header, the authentication token can be stolen. So, an attacker can e.g. unsubscribe all DMARC-protected mailboxes from a well-known public mailing list and subscribe everyone to his own.

Attack scenario:

1. Register a domain
2. Set up a _dmarc "reject" policy and forensic reporting for this domain
3. Send a DKIM-unsigned message with this domain in From: to a mailing list (or an e-mail with a DKIM-signed header which is always modified by the list, e.g. List-Unsubscribe)

Mailman since 2.1.18 can check DMARC records, but this can easily be bypassed by showing different DNS records to the mailing list operator and the mailbox provider.

Because both SPF and DKIM checks fail for the received message, the receiver will create a forensic report with full headers. There is also a chance the recipient will be automatically unsubscribed from the list due to undelivered messages.

4. Check the forensic reports mailbox: you should get a report for every message sent to a DMARC-aware mail server, with all headers, including unsubscribe links. Potentially this link may leak the authentication token.

Solution:
1. Either forensic reporting must be removed from the standard or this class of attack must be well documented.
2. A recommendation must be given to mailbox providers to hold off on this feature, or to use it only for an approved list of trusted domains until most public mailing lists are DMARC-compatible, or to prevent forensic reports for messages with e.g. List-Unsubscribe links. The last case allows forensic reports to be bypassed.

P.S. Redirections from one mailbox to another can be detected in the same way.
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
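The second mitigation in the post (do not generate, or at least sanitize, a failure report for list-relayed mail) as an added example of a receiver-side check, not code from the original post or from any DMARC implementation. It assumes the receiver's failure-report generator can call a hook on the raw message before building the report; the List-* header names are those defined by RFC 2369 and RFC 8058, and the sample message is constructed.

```python
import re
from email import message_from_string

# RFC 2369 / RFC 8058 list headers (List-Unsubscribe, List-Id, ...): their
# presence reveals list membership and their values commonly carry a
# per-recipient unsubscribe token, so they must never reach a failure report.
LIST_HEADER_PREFIX = "list-"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def scrub_url(match):
    """Keep only scheme and host of a URL; the path and query string are
    where per-recipient identifiers and tokens live."""
    head = re.match(r"(https?://[^/?#]+)", match.group(0), re.I)
    return head.group(1) + "/[redacted]"


def forensic_report_headers(raw_message, policy="suppress"):
    """Decide what a DMARC failure (forensic) report may contain.

    policy="suppress": return ("suppress", None) when the message carries any
      List-* header, i.e. generate no report at all for list traffic.
    policy="redact":   always report, but drop List-* headers and reduce every
      remaining URL to scheme+host.
    Returns (action, header_block); header_block is CRLF-joined header text.
    """
    msg = message_from_string(raw_message)
    has_list_headers = any(k.lower().startswith(LIST_HEADER_PREFIX) for k in msg.keys())
    if policy == "suppress" and has_list_headers:
        return "suppress", None
    kept = []
    for name, value in msg.items():
        if name.lower().startswith(LIST_HEADER_PREFIX):
            continue  # drop entirely: even a placeholder would reveal membership
        kept.append(f"{name}: {URL_RE.sub(scrub_url, value)}")
    return "report", "\r\n".join(kept)


# Constructed sample: a list-relayed message that fails SPF and DKIM at the
# receiver and would otherwise trigger a full-header failure report.
SAMPLE = (
    "From: Probe <probe@sender.example>\r\n"
    "To: subscriber@receiver.example\r\n"
    "Subject: probe\r\n"
    "List-Id: Public List <public.list.example>\r\n"
    "List-Unsubscribe: <https://list.example/unsub?u=subscriber&token=SECRET123>\r\n"
    "X-Original-Link: https://other.example/path?id=42\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(forensic_report_headers(SAMPLE, "suppress"))
    print(forensic_report_headers(SAMPLE, "redact")[1])
```

Suppression is the only mode that also hides the fact of membership; redaction merely keeps the unsubscribe token out of the report.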
