On Thu 28/Jan/2021 04:17:06 +0100 Steven M Jones wrote:
On 1/27/21 12:47, Murray S. Kucherawy wrote:
On Wed, Jan 27, 2021 at 12:37 PM John Levine wrote:

I still don't understand why failure reports about messages that happen
to be failure reports are in any way special.

Loop detection in RFC 5321 is a normative MUST because of the obvious
operational problems it creates. Maybe I'm being thick, but right now I
don't see how this is different, apart from the fact that each message is
distinct; you're still causing a problem by turning this on without a care
in the world about whether two verifiers start spamming each other.

There's coverage in 7489 Section 7.2 that a domain owner can inadvertently
DDoS themselves via failure reports. And that still surprised many
implementers, even though it seemed obvious to them in retrospect.

This case is even less obvious, and we still have questions coming in about
it from new implementers.

I don't think it's a security consideration because it doesn't scale up
the way "ruf" can, so it deserves a brief mention here. But I would
rephrase Ale's last sentence:


3.3.  Transport

    Email streams carrying DMARC failure reports MUST conform to the
    DMARC mechanism, thereby resulting in an aligned "pass".  Special
    care must be taken for authentication, as failure to authenticate
    failure reports may result in mail loops.  These loops can be mitigated
    by sending reports from a domain or subdomain that doesn't request
    reports, or by performing rate limiting for report receiving mailboxes.


I rephrased it further:

3.3.  Transport

   Email streams carrying DMARC failure reports MUST conform to the
   DMARC mechanism, thereby resulting in an aligned "pass".  Special
   care must be taken of authentication, as failure to authenticate
   failure reports may result in mail loops.  These loops can be
   mitigated by sending reports from a domain or subdomain that doesn't
   request reports, or by performing rate limiting especially for
   failures related to messages received at addresses published in a
   ruf= tag.


Best
Ale
--

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
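
The two mitigations named in the proposed Section 3.3 text, sketched as an added example that is not part of the thread or of any draft: a check that the report-sending domain publishes no ruf= tag, and a rate limiter that is stricter for failures of messages received at a ruf= mailbox. The function and class names, the caps, the window and the example.org records are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

def parse_ruf(record):
    """Return the mailto: addresses in the ruf= tag of a DMARC TXT record."""
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    uris = (u.strip() for u in tags.get("ruf", "").split(","))
    # A URI may carry a "!size" suffix (RFC 7489 section 6.2); drop it.
    return {u[7:].split("!")[0].lower() for u in uris
            if u.lower().startswith("mailto:")}

def requests_failure_reports(record):
    """First mitigation: the report-sending domain should return False here."""
    return bool(parse_ruf(record))

class FailureReportGate:
    """Second mitigation: sliding-window cap on reports per target domain,
    with a stricter cap when the failing message arrived at a ruf= mailbox
    (it is probably a failure report itself, so replying risks a loop)."""

    def __init__(self, ruf_mailboxes, limit=10, ruf_limit=1, window=3600):
        self.ruf_mailboxes = {m.lower() for m in ruf_mailboxes}
        self.limit, self.ruf_limit, self.window = limit, ruf_limit, window
        self.sent = defaultdict(deque)   # (domain, at_ruf) -> send times

    def allow(self, rcpt, report_domain, now=None):
        now = time.time() if now is None else now
        at_ruf = rcpt.lower() in self.ruf_mailboxes
        cap = self.ruf_limit if at_ruf else self.limit
        sent = self.sent[(report_domain.lower(), at_ruf)]
        while sent and now - sent[0] >= self.window:
            sent.popleft()               # forget sends outside the window
        if len(sent) >= cap:
            return False                 # suppress: cap reached for this peer
        sent.append(now)
        return True

# Constructed records, not real DNS data.
OUR_RECORD = "v=DMARC1; p=reject; ruf=mailto:dmarc-fail@example.org!10m"
REPORTER_RECORD = "v=DMARC1; p=reject"   # e.g. for reports.example.org
```

Call `allow()` with the envelope recipient of the failing message and the domain the report would be sent to; a `False` result means the report is dropped rather than queued.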
