On 07/28/2012 17:14, Scott Kitterman wrote:
I'm not sure if this is significant or not, but I noticed that I can infer [some information about] subscribers to mailing lists based on either aggregate or FBR data I get from data providers.
My first reaction is that the victim of such exposure is already hosed based on their use of an address within the organizational domain receiving the reporting. But I may just lack imagination...
The nub of it would have to be that the/an operator of the organizational domain (OD), who presumably receives the reporting, is discovering something previously unknown about the activities of somebody using an address in their OD. But I don't think this can be a new exposure in the sense that this activity can only ever be discovered through DMARC.
A dissident communicating with [email protected] is still subject to content filtering and to/from pairing based on logs - on the return messages even if they originate their messages from outside. If we have to posit one-way communications sent by forging the addresses outside their employer's or ISP's infrastructure, so that the OD would never otherwise see any of the traffic ... well we're getting into scenarios where the participants should be aware of the risks they're running and aware of better options. Exposure through DMARC reporting is not their biggest challenge.
Is it a significant information leak? No. Is it worth documenting? I'm not sure, thus the message to ask ...
I think it's worth noting somehow in the Security Considerations section, if it isn't already covered. If only because it's sure to come up again, and it would be better to be able to say "See section X.Y.Z, it's been noted."
--S.

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
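As an added illustration (not part of the thread, and not code from dmarc.org or either poster), the following shows what the inference under discussion looks like in practice for the aggregate-report case: an OD operator scanning an RUA report for records that carry the OD in the RFC5322.From domain but were relayed from an IP the OD does not operate, with SPF passing for a different domain and DMARC alignment failing, which is the trace a mailing list leaves after rewriting the envelope sender and altering the body. The XML, IP addresses, domains, counts and the "own networks" list are all constructed for the example; the heuristic in `relayed_by_third_party` is this example's own, not anything the DMARC specification prescribes.

```python
"""Added example: pulling the mailing-list relay signal out of a DMARC
aggregate (RUA) report.  The report below is CONSTRUCTED sample data laid
out in the RFC 7489 Appendix C schema; every address, domain and count in
it is made up for illustration."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1343433600</begin><end>1343519999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>od.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>od.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>od.example</domain><result>pass</result></dkim>
      <spf><domain>od.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers>
      <envelope_to>example-receiver.test</envelope_to>
      <header_from>od.example</header_from>
    </identifiers>
    <auth_results>
      <dkim><domain>od.example</domain><result>fail</result></dkim>
      <spf><domain>lists.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Netblocks the OD operator knows to be its own outbound MTAs (constructed).
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_records(xml_text):
    """Flatten each <record> of an aggregate report into a dict."""
    root = ET.fromstring(xml_text)
    out = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ids = rec.find("identifiers")
        spf = rec.find("auth_results").find("spf")
        out.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": ids.findtext("header_from"),
            "envelope_to": ids.findtext("envelope_to"),   # optional field
            "dkim_eval": row.find("policy_evaluated").findtext("dkim"),
            "spf_eval": row.find("policy_evaluated").findtext("spf"),
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_result": spf.findtext("result") if spf is not None else None,
        })
    return out


def relayed_by_third_party(rec, own_networks=OWN_NETWORKS):
    """Heuristic (this example's assumption, not a DMARC rule): message
    carried the OD in From:, left from an IP the OD does not operate, SPF
    passed for some *other* domain (the relay's bounce address), and both
    aligned identifiers failed.  That is what a list that rewrites the
    envelope sender and modifies the body looks like in aggregate data."""
    ip = ipaddress.ip_address(rec["source_ip"])
    if any(ip in net for net in own_networks):
        return False
    foreign_spf = (rec["spf_result"] == "pass"
                   and rec["spf_domain"] != rec["header_from"])
    return foreign_spf and rec["dkim_eval"] == "fail" and rec["spf_eval"] == "fail"


def infer_list_traffic(xml_text):
    """Return (relay SPF domain, source_ip, envelope_to, count) for records
    that look like list relay.  Note what is absent: aggregate reports carry
    only the header_from *domain*, so the operator learns that *someone* at
    od.example posts through lists.example.net, not which address."""
    return [(r["spf_domain"], r["source_ip"], r["envelope_to"], r["count"])
            for r in parse_records(xml_text) if relayed_by_third_party(r)]


if __name__ == "__main__":
    for hit in infer_list_traffic(SAMPLE_REPORT):
        print("possible mailing-list relay:", hit)
```

The aggregate case is the weaker of the two leaks mentioned in the thread: the report names the relay domain and IP but not the individual sender. Failure (FBR/RUF) reports, where a provider sends them, include the original message headers, so the same operator could read the actual From: address and any List-Id there without needing a heuristic at all.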
