On Thu, 5 May 2022, Alessandro Vesely via mailop wrote:
On Fri 29/Apr/2022 18:24:04 +0200 Bernardo Reino wrote:
On Fri, 29 Apr 2022, Tobias Fiebig via mailop wrote:
This might be a bit of a theoretical attack thing, but looking over the bounces
for my nightly outbound DMARC reports I actually started to wonder about this;
(Mostly because I am getting scared by regularly sending DMARC reports to
non-existing accounts on a major ESP ;-)).
It's scary, and your scenario looks very real.
I regularly get bounces from Google due to DMARC reports being sent to
non-existent addresses handled by Google.
Sorry to be late...
Note that example.com should set rua=mailto:dm...@example.com; that is, they
should receive reports at their own domain. If they set up a recipient to an
external domain, the latter must acknowledge that setting.
I don't know if that is a requirement. But I have cases like e.g. with
@discourse.org, where the rua is dmarc-repo...@discourse.org, so that would be
"OK" as per your comment above.
However, the MX for that domain is aspmx.l.google.com et al. which is what
causes the/a problem.
My last event was this very morning, with:
<dmarc-repo...@discourse.org>: host aspmx.l.google.com[108.177.14.27] said:
550-5.7.1 [65.108.69.105 12] Our system has detected that this message
is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for
more information. y32-20020a2ebba0000000b0024f06a6a250si945257lje.307 -
gsmtp (in reply to end of DATA command)
so that is Google rejecting the DMARC report that discourse.org ASKED FOR,
because it considers it to be "unsolicited".
(OK, I originally mentioned non existent addresses, but being rejected as a
spammer is even worse than that, in my book).
I've even considered stopping sending DMARC reports entirely, as one could
argue that they don't serve any positive purpose for the reporter, and may
even have a negative impact, as you have described.
There /are/ a couple of positive effects for reporters. One, for small
senders, is to contribute scraping out a minimal footprint.
If that "minimal footprint" ends with meaning "Google thinks I send unsolicited
e-mails during the night to addresses that may or may not exist" then I'd rather
live without that footprint ;-)
I currently have 14 (manually added) domains in my "no DMARC reporting list".
When I reach 20 I'll just stop reporting altogether ¯\_(ツ)_/¯
Cheers,
Bernardo
PS: I notice this is derailing off the original topic, which was the nice DMARC
reflection attack.
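
The two report-sender checks mentioned in this thread (the external rua acknowledgment, which RFC 7489 section 7.1 specifies, and a manual "no DMARC reporting" list) are sketched below as an added example; it is not code from any participant. The function names, the `txt_lookup` callable and the DNS data are assumptions made for illustration.

```python
# Added example: which rua= destinations may a report generator mail?
# Sketch of the RFC 7489 section 7.1 external-destination check.

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def same_domain(host, policy_domain):
    # Assumption: suffix match stands in for the Organizational Domain
    # comparison, which needs the Public Suffix List in a real generator.
    return host == policy_domain or host.endswith("." + policy_domain)

def report_destinations(policy_domain, record, txt_lookup, suppressed=()):
    """Return (address, reason) decisions for every mailto: URI in rua=."""
    policy_domain = policy_domain.lower().rstrip(".")
    decisions = []
    for uri in parse_tags(record).get("rua", "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        address = uri[len("mailto:"):].split("!", 1)[0]  # drop "!10m" size limit
        host = address.rsplit("@", 1)[-1].lower()
        if policy_domain in suppressed or host in suppressed:
            decisions.append((address, "skip: local suppression list"))
        elif same_domain(host, policy_domain):
            decisions.append((address, "send: same domain"))
        else:
            # The external host must publish <policy>._report._dmarc.<host>
            name = f"{policy_domain}._report._dmarc.{host}"
            ok = any(txt.strip().startswith("v=DMARC1") for txt in txt_lookup(name))
            decisions.append((address, "send: external, acknowledged" if ok
                              else "skip: external, not acknowledged"))
    return decisions

# Constructed DNS data for the demo (reserved example names, not real records).
FAKE_DNS = {"example.com._report._dmarc.reports.example.net": ["v=DMARC1"]}
RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc@example.com,"
          "mailto:agg@reports.example.net!10m,mailto:x@other.example.org")

if __name__ == "__main__":
    for address, reason in report_destinations(
            "example.com", RECORD, lambda n: FAKE_DNS.get(n, [])):
        print(address, "->", reason)
```

Neither check covers the discourse.org case above, where the rua address is in the policy domain itself and the rejection comes from the MX host.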