On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas <[email protected]> wrote:
> On 1/25/21 5:25 AM, Todd Herr wrote:
> > On Sun, Jan 24, 2021 at 9:53 PM Michael Thomas <[email protected]> wrote:
> >>
> >> On 1/24/21 6:29 PM, John R. Levine wrote:
> >> > I realized why the arguments about whether to require authentication
> >> > on reports are pointless.
> >> >
> >> A blatant assertion. The onus of proof is with people who say we should
> >> accept information from unknown sources. Extraordinary claims require
> >> extraordinary evidence. I have been doing security related stuff for
> >> long enough to know that being humble in the face of adversaries is the
> >> most prudent course. State actors can get involved when they figure they
> >> can game things to their advantage. To be dismissive is complete hubris.
> >>
> > I've spent several days thinking about these tickets, and for the life of
> > me I can't see what the payoff might be for someone to forge a DMARC report.
> >
> > I suppose nominally there's a denial of service risk, where a bad actor
> > could flood a rua or ruf mailbox with forged reports or just email in
> > general, but that's going to exist whether or not the "reports" are
> > DKIM-signed.
>
> The main thing I've learned over the years of dealing with security is to
> not underestimate what a motivated attacker can do. Your imagination is not
> the same as their imagination. Closing #98 in particular is absolutely
> ridiculous: the report should already have a DKIM signature or SPF so it's
> just a matter of making sure it's valid. Why would you *not* want to ensure
> that? The amount of justification for *not* having the receiver
> authenticate it is a mountain. The amount of effort to authenticate it is
> trivial for mail. Levine's dismissal of security concerns because he has
> anecdotal "evidence" from a backwater domain carries no weight at all.

That's all well and good, but you haven't answered the question I asked. What threats do you have in mind?
Put another way, how do you envision an attacker exploiting the lack of authentication in a DMARC report to his or her gain? I recognize that my imagination, or yours, may not match what a motivated attacker can do. I have presented some possible scenarios that might result from a forged DMARC report, and in them I don't see a gain for the attacker, unless his or her goal is to be an annoyance to the target. Can you please describe a scenario where an attacker might use a forged DMARC report to gain something of value from the target of his/her forgery?

--
*Todd Herr* | Sr. Technical Program Manager
*e:* [email protected]
*p:* 703.220.4153

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified that any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
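The receiver-side check the thread argues about (accept a report only if the message carrying it passed DKIM or SPF for the domain it claims to report from), as an added example that is not code from the thread or from any DMARC implementation. It assumes the local MTA has already stamped a trusted Authentication-Results header (RFC 8601); the header parser, the alignment rule and the sample message are constructed for illustration.

```python
"""Accept a DMARC aggregate report only if its submission authenticated.

Added example. Assumes the receiving MTA wrote an Authentication-Results
header this code may trust; only the common "dkim=pass header.d=" and
"spf=pass smtp.mailfrom=" forms are parsed. Message and report are samples.
"""
import email
import re
import xml.etree.ElementTree as ET
from email import policy

# Constructed sample: a report submission as it might land in a rua mailbox.
SAMPLE_MESSAGE = """\
From: noreply-dmarc@reporter.example
To: dmarc-rua@target.example
Subject: Report Domain: target.example Submitter: reporter.example
Authentication-Results: mx.target.example;
 dkim=pass header.d=reporter.example;
 spf=pass smtp.mailfrom=reporter.example
Content-Type: text/xml

<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <email>noreply-dmarc@reporter.example</email>
  </report_metadata>
</feedback>
"""


def authenticated_domains(msg):
    """Domains the local MTA vouched for via dkim=pass d= or spf=pass mailfrom=."""
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\s+header\.d=([\w.-]+)", ar, re.I):
            domains.add(m.group(1).lower())
        for m in re.finditer(r"spf=pass\s+smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", ar, re.I):
            domains.add(m.group(1).lower())
    return domains


def accept_report(raw):
    """Return (accepted, reason); unauthenticated or misaligned reports are rejected."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = authenticated_domains(msg)
    if not auth:
        return False, "no dkim=pass or spf=pass result on the submission"
    root = ET.fromstring(msg.get_content())
    claimed = root.findtext("report_metadata/email", "").rsplit("@", 1)[-1].lower()
    # Alignment rule (assumed): the authenticated domain must be the claimed
    # reporter domain or a parent of it, so a signer cannot speak for others.
    if not any(claimed == d or claimed.endswith("." + d) for d in auth):
        return False, f"reporter {claimed!r} not covered by authenticated {sorted(auth)}"
    return True, f"report from {claimed} authenticated via {sorted(auth)}"
```

A report whose submission fails authentication, or whose report_metadata names a domain nobody signed for, is dropped before its contents ever reach the aggregation pipeline.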
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
