On 12/8/24 17:32, John R Levine wrote: >> Suddenly someone clever may come up with a use case, and start sending >> bogus third-party reports. > > I really, really, do not want to waste time on "this has never happened in > the past decade and nobody can think of a plausible reason to do it but it > MIGHT happen" stuff. We'll be here until the end of time if we do.
Thanks, but I wish you could state so more plainly, I feel like I'm really insisting to get my points across, and that I'm on the brink of overstaying my welcome, being a PITA to all of you, doing so. In addition to what Mark said, which I did not know about since I do not use those services, I can think of the following: Imagine example.com using a deterministic report_id based on our domain name and epoch start and end time of the report. A pattern I see from many reporters. * Bad actor sends email to example.com spoofing the From address. * Bad actor then sends a fake third-party report to us purporting to be from example.com for the reporting period. * The report is processed * example.com sends the real report, but this report is discarded as duplicate. This way we do not know about what bad actor is doing, unless we manually look into every duplicate report. Granted, the unauthorized third-party report is only one piece of the puzzle here. The report_id could be chosen better, etc. Daniel K. _______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
