Re: [dmarc-ietf] Security considerations - Aggregate reports

[Neil Anuskiewicz]

On Nov 15, 2022, at 7:11 PM, Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:  General: For a reporting specification, the Security Considerations are by definition any risks of unwanted information disclosures.   So that is where attention needs to be given. Operational experience:   I don't have specific knowledge of the information gathering strategies of malicious actors.    When evaluating my reports, I noted that some sources were reporting significantly fewer messages than were sent out.  I have specific knowledge about one of those vendors.  They offer different filtering products to different clients, and they allow clients to choose whether DMARC is evaluated or not. So this is what I concluded from that knowledge: If a server farm hosts DomainA and DomainB, and I only get DMARC aggregate reports when I send to DomainA, then I can conclude that DomainB is not evaluating DMARC and is therefore more vulnerable to impersonation attacks than DomainA.    I think that knowledge is valuable to bad guys, so I think it is worth a warning in our spec. The problem with this warning is that if people act on it, the volume of reporting might decrease noticeably. How about framing the warning in the direction of a best practice of implementing for domain B which is inherently a good idea and denies utility of these sort of DMARC probes trolling cyberspace for vulnerabilities of this sort. The clear recommendation should be implement DMARC for all of your domains. Don’t leave holes for probes to find. Dmarc, especially starting with a monitoring only policy isn’t a big ask. On Tue, Nov 15, 2022 at 7:51 PM Seth Blank <s...@valimail.com> wrote: On Tue, Nov 15, 2022 at 4:13 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote: You failed to read and understand what I wrote. Hatless, I also cannot parse your proposed text or what you're trying to communicate in this email. As Chair, our charter around the bis project is clear, and is to prioritize "issues based on operational experience and/or data aggregated from multiple sources." Along with any clearer proposed text, can you please share the operational experience and data aggregated from multiple sources which informs this security consideration so that we can prioritize this accordingly? Thanks, Seth -- Seth Blank | Chief Technology Officer e: s...@valimail.com p: 415.273.8818 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system. _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc