#109 Feature request: auto-break mail loops

1.3.0
open
None
2017-07-07
2014-10-21
No

This weekend I had a mail loop generating in excess of 26000 emails. I had set the following in opendmarc.conf:
FailureReports true
RejectFailures true

I had successfully received an email from fedex.com. That night my system sent out the aggregate reports, including one to the RUA published for fedex.com - dmarc@fedex.com.

However, for some bizarre reason, Fedex refused to receive this email with a "550 Denied by policy" bounce message from Mailer-Daemon@mx??.infosec.fedex.com . The latter message was not DKIM signed, hence failed DKIM alignment. It also failed SPF alignment and hence failed DMARC and so my system sent a failure report to dmarc@fedex.com... and so on for thousands of times.

I have had to set FailureReports to false (and have also set RejectFailures to false) to break the loop.

Is it possible to add a feature to opendmarc to automatically detect and break mail loops?

Thanks
Steve

Discussion

  • A. Schulze

    A. Schulze - 2014-10-21

    What about not sending failure reports for messages with empty envelope sender?
    Or - and that goes in the same direction as Ticket 96 -
    implement lookup tables. That way users could explicitly disable reporting for broken domains.

     
  • Murray S. Kucherawy

    • assigned_to: Murray S. Kucherawy
     
  • Steve W

    Steve W - 2017-03-09

    Seeing a similar problem with paypal.com since last week.
    The following message to dk@bounce.paypal.com was undeliverable.
    The reason for the problem:
    5.1.2 - Bad destination host 'DNS Hard Error looking up bounce.paypal.com (MX): NXDomain'

     
  • Andrew Meredith

    Andrew Meredith - 2017-05-12

    I regularly get issues with report mailboxes simply being over-quota and rejecting reports .. with invalid SPF/DKIM .. which creates another report, which gets rejected, and so on.

    A file listing blacklisted domains that don't get sent reports would be very good.

     
    • Juri Haberland

      Juri Haberland - 2017-05-12

      You might want to look at the patch in ticket #205. This does what you want.

       
  • Eneas Ulir de Queiroz

    I haven't had this issue yet, but I've encountered a similar (although not as severe) endless loop with aggregate reports. I've noticed hosts sending me a report of a single message every day. I have figured out we were sending each other aggregate reports about the delivery of each other's aggregate reports. What I have done was to create a config entry with a list of email addresses that would prevent opendmarc from recording a history file entry, and I've extended it to not generate a failure report as well. This should break the loops, as the bounce is supposed to be returned to the sender, which being in the list, would not generate another report. I have not tested this thoroughly, but it has apparently worked here.
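
The two loop-breaking ideas raised in this thread (no failure report for a message with an empty envelope sender; a list of destinations that never get reports), as an added C example. It is not OpenDMARC code and not the patch from ticket #205; the function and list names are hypothetical, and the `.example` addresses are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not OpenDMARC functions. */

/* Case-insensitive string equality (ASCII). */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;   /* equal only if both are at the terminator */
}

/* Bounces (DSNs) carry the null reverse-path: MAIL FROM:<>. */
static bool is_null_sender(const char *env_from)
{
    return env_from == NULL || *env_from == '\0' || strcmp(env_from, "<>") == 0;
}

/* May a failure report about a DMARC-failing message go to report_to?
 * suppress[] holds full addresses or bare domains that never get reports. */
bool may_send_failure_report(const char *env_from, const char *report_to,
                             const char *const *suppress, size_t n)
{
    const char *at = report_to ? strrchr(report_to, '@') : NULL;

    if (is_null_sender(env_from))
        return false;   /* reporting on a bounce is what feeds the loop */
    if (at == NULL || at[1] == '\0')
        return false;   /* no usable destination domain */
    for (size_t i = 0; i < n; i++)
        if (ieq(suppress[i], report_to) || ieq(suppress[i], at + 1))
            return false;   /* operator opted this destination out */
    return true;
}

/* Constructed sample list; the .example name is made up. */
static const char *const SAMPLE_SUPPRESS[] = { "fedex.com", "reports@full-mailbox.example" };
#define SAMPLE_N (sizeof SAMPLE_SUPPRESS / sizeof SAMPLE_SUPPRESS[0])

int main(void)
{
    printf("%d\n", may_send_failure_report("<>", "dmarc@fedex.com", SAMPLE_SUPPRESS, SAMPLE_N));
    return 0;
}
```

The null-sender check alone stops the bounce-driven loop from the original report; the list covers destinations that reject reports while the rejected mail still has a normal envelope sender.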

     
