
#206 OpenDMARC sends report to unauthorized domains

Milestone: 1.3.1
Status: open
Owner: nobody
Labels: None
Updated: 2017-02-26
Created: 2017-02-24
Private: No

OpenDMARC sent emails for a domain it should not send emails for:

DNS says:

host -t TXT _dmarc.mail.hobbyking.com
_dmarc.mail.hobbyking.com descriptive text "v=DMARC1\; p=none\;rua=mailto:dmarc-722-08-92xze@emvdmarc.com\; rf=afrf\; pct=100\;"

But emvdmarc.com says:
host -t TXT mail.hobbyking.com._report._dmarc.emvdmarc.com
Host hobbyking.com._report._dmarc.emvdmarc.com not found: 3(NXDOMAIN)

This means these reports should not be issued, as the target domain does not authorize them! Anyway, my instance tried to send these mails.

That's a serious issue, as it allows flooding a remote domain, e.g. with ruf reports.

Discussion

  • Dirk Stoecker

    Dirk Stoecker - 2017-02-25

    P.S. I'm talking about the rua-reports. I don't have ruf's enabled and maybe they are different as sent in another place.

  • Juri Haberland

    Juri Haberland - 2017-02-26

    I have a patch that implements such authorization checks and it has been running here in production for a couple of months now, without problems.
    It has only two drawbacks:
    a) it needs a new Perl module Domain::PublicSuffix, which is only included in Debian-based Linux distributions (don't know about *BSD)
    b) it currently expects an up-to-date version of the PublicSuffixList at /etc/opendmarc/public_suffix_list.dat (if this is not found, it falls back to the outdated internal list from the Domain::PublicSuffix module)


    Last edit: Juri Haberland 2017-02-26
    • Dirk Stoecker

      Dirk Stoecker - 2017-02-26

      Why do you need that module? Why is there a fallback to the root domain at all? That seems not correct to me.

  • Juri Haberland

    Juri Haberland - 2017-02-26

    I'm not quite sure what you mean by "fallback to root domain", but according to RFC 7489, section 7.1, (https://tools.ietf.org/html/rfc7489#page-28) first the "organizational domain" of the rua tag has to be compared with the organizational domain of the From: address. An organizational domain is the topmost domain under the TLD. So having "sender@foo.example.com", the org-dom is "example.com", whereas if we have "sender@example.co.uk", the org-dom is "example.co.uk", not "co.uk".
    The PublicSuffixList holds the information of what the TLD is and where an organizational domain starts; the Domain::PublicSuffix module makes the use of this list comfortable and easy.


    Last edit: Juri Haberland 2017-02-28
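The check the ticket asks for and the RFC 7489 section 7.1 procedure Juri describes, written out as an added example. This is not OpenDMARC's code and not Juri's patch; it is a stand-alone Python illustration that assumes a tiny hand-built subset of the Public Suffix List (a real implementation loads public_suffix_list.dat) and a constructed, offline DNS stub (`stub_txt_lookup`, `CONSTRUCTED_ZONE`) in place of real TXT queries. The zone stub mirrors the ticket: emvdmarc.com publishes no `mail.hobbyking.com._report._dmarc.emvdmarc.com` record, so that rua destination must be dropped; a hypothetical `reports.example.net` that does publish the record shows the authorized case.

```python
import re

# Constructed, tiny stand-in for the Public Suffix List (assumption: a real
# implementation loads public_suffix_list.dat, as the thread describes).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Constructed DNS stub standing in for the "_report._dmarc" TXT lookups.
# The first name mirrors the ticket: emvdmarc.com publishes nothing, so the
# answer is NXDOMAIN (an empty list here).  The second is a hypothetical
# report vendor that does authorize example.com to send reports to it.
CONSTRUCTED_ZONE = {
    "mail.hobbyking.com._report._dmarc.emvdmarc.com": [],
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
}

def stub_txt_lookup(name):
    """Return the TXT strings for `name` from the constructed zone (no network)."""
    return CONSTRUCTED_ZONE.get(name.lower().rstrip("."), [])

def organizational_domain(domain):
    """RFC 7489 section 3.2: the public suffix plus the one label left of it."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the full name down to the TLD; the first hit is the longest
    # public suffix, so "example.co.uk" yields "example.co.uk", not "co.uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as organizational

def rua_uris(dmarc_record):
    """Pull the comma-separated URI list out of the rua= tag of a DMARC record."""
    for tag in dmarc_record.replace("\\;", ";").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "rua":
            return [u.strip() for u in value.split(",") if u.strip()]
    return []

def report_destination_authorized(policy_domain, uri, txt_lookup=stub_txt_lookup):
    """RFC 7489 section 7.1 external destination verification for one rua/ruf URI.

    policy_domain is the domain the DMARC record was fetched from
    (mail.hobbyking.com in the ticket); it is what gets prepended to
    "_report._dmarc.<destination host>" when the destination is external.
    """
    m = re.match(r"^mailto:[^@]+@([^!]+)", uri, re.IGNORECASE)  # drop any !size suffix
    if not m:
        return False
    destination_host = m.group(1).lower()
    # Same organizational domain: the destination is the domain's own, no lookup needed.
    if organizational_domain(destination_host) == organizational_domain(policy_domain):
        return True
    # External destination: it must opt in with a TXT record starting "v=DMARC1".
    name = f"{policy_domain.lower()}._report._dmarc.{destination_host}"
    return any(txt.strip().lower().startswith("v=dmarc1") for txt in txt_lookup(name))

def authorized_rua_destinations(policy_domain, dmarc_record, txt_lookup=stub_txt_lookup):
    """Return only the rua URIs a report generator may actually send to."""
    return [u for u in rua_uris(dmarc_record)
            if report_destination_authorized(policy_domain, u, txt_lookup)]

# The record from the ticket, pasted with the backslash escapes that `host` prints.
TICKET_RECORD = 'v=DMARC1\\; p=none\\;rua=mailto:dmarc-722-08-92xze@emvdmarc.com\\; rf=afrf\\; pct=100\\;'

if __name__ == "__main__":
    # The ticket's case: no _report._dmarc opt-in, so nothing may be sent.
    print(authorized_rua_destinations("mail.hobbyking.com", TICKET_RECORD))  # []
```

Two things worth keeping in mind when porting this to a real report generator: the lookup name is built from the domain the policy was retrieved from, not from the TLD-level organizational domain (which is why the `host` query in the ticket is `mail.hobbyking.com._report._dmarc.emvdmarc.com`), and a temporary DNS error on that query should be treated as "not yet known" rather than as an authorization, so the report is deferred instead of sent.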

