On 1/26/21 9:37 AM, Alessandro Vesely wrote:
On Tue 26/Jan/2021 18:24:53 +0100 Michael Thomas wrote:
This is different than yesterday. From what I can tell there is no
identifying information of the original message like message-id in
the report xml. If i'm wrong, please point me to it.
With a record for each message it wouldn't be an *aggregate* report.
From section 7.2:
"Visibility comes in the form of daily (or more frequent) Mail
Receiver-originated feedback reports that contain aggregate data on
message streams relevant to the Domain Owner. This information includes
data about messages that passed DMARC authentication as well as those
that did not."
That sure sounds like it's on a message basis to me. How else could the
reports get to be as big as megabytes?
In addition, if I recover that message from the log, I might find no
relationship with the reporting domain or the reported source IP.
That is to say, I won't be able to deduce if the report is fake or real.
My main point here is to point out the attack.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
