On Jul 3, 2014, at 2:33 PM, Vladimir Dubrovin via dmarc-discuss <[email protected]> wrote:
> > Not sure if it was already discussed: I believe there is a serious security
> > flaw in the DMARC forensic reports feature.
> >
> > Problem description:
> >
> > It's possible to obtain a subscriber list. If the list has individual
> > "unsubscribe" links or a direct List-Unsubscribe header, the authentication token
> > can be stolen. So, an attacker can e.g. unsubscribe all DMARC-protected
> > mailboxes from a well-known public mailing list and subscribe everyone to his
> > own.
> >
> > Attack scenario:
> >
> > 1. Register a domain
> > 2. Set up a _dmarc "reject" policy and forensic reporting for this domain
> > 3. Send a DKIM-unsigned message with this domain in From: to the mailing list (or
> > an e-mail with a DKIM-signed header which is always modified by the list, e.g.
> > List-Unsubscribe)
> >
> > mailman since 2.1.18 can check DMARC records, but it can easily be bypassed
> > by showing different DNS records to the mailing list operator and the mailbox
> > provider.
> >
> > Because both SPF and DKIM checks fail for the received message, the receiver will
> > create a forensic report with full headers. There is also a chance the recipient
> > will be automatically unsubscribed from the list due to undelivered messages.
> >
> > 4. Check the forensic reports mailbox - you should get a report for every message
> > sent to a DMARC-aware mail server with all headers, including unsubscribe
> > links. Potentially this link may leak an authentication token.
> >
> > Solution:
> > 1. Either forensic reporting must be removed from the standard or this class
> > of attack must be well documented.
> > 2. A recommendation must be given to mailbox providers to hold on this feature
> > or to use it for an approved list of trusted domains only, until most public
> > mailing lists are DMARC-compatible, or to prevent forensic reports for
> > messages with e.g. List-Unsubscribe links. The last case allows bypassing
> > forensic reports.

Usually, if you are a mailing list subscriber, you have access to the membership list.
If a list is set up with members not having access to the membership list, then they need to be careful with this scenario, but I think they have other problems to deal with… But having access to the unsubscribe links could still be a worry. I think it ought to be mentioned in the BCP.
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
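The scenario quoted above turns on two things: the attacker's _dmarc record carries a ruf= tag (forensic reporting, step 2), and the mailbox provider copies the full headers of an SPF- and DKIM-failing message into the report (step 4). The following is an added example, not code from this thread, from mailman or from any mailbox provider. It models the provider-side decision: parse the record, apply the ruf/fo tags to the authentication outcome, and then apply the two mitigations proposed in the "Solution" section, an allow-list of domains that may receive failure reports and suppression of reports for messages bearing mailing-list headers. The domains, addresses, the record string and the unsubscribe token are constructed for illustration.

```python
"""Mailbox-provider side: should a DMARC failure ("forensic", ruf) report be
generated for a message that failed authentication, and with what headers?

Added example for the dmarc-discuss thread; not the code of any real
provider. Domains, messages and tokens below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Headers that mark traffic relayed through a mailing list. A failure report
# that copies the message headers verbatim hands the report receiver (here,
# whoever controls the From: domain) the subscriber's address and the
# per-subscriber List-Unsubscribe URL.
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Subscribe")


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record into a tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def wants_forensic_report(tags, spf_pass, dkim_pass):
    """Apply the ruf/fo tags to one (aligned) SPF/DKIM outcome.

    fo=0 (the default): report only when every mechanism failed.
    fo=1: report when any mechanism failed.
    The fo=d / fo=s options, which concern raw (unaligned) failures, are not
    modelled here because only aligned pass/fail is passed in.
    """
    if "ruf" not in tags:
        return False
    opts = set(tags.get("fo", "0").split(":"))
    if "0" in opts and not spf_pass and not dkim_pass:
        return True
    if "1" in opts and (not spf_pass or not dkim_pass):
        return True
    return False


def forensic_report_decision(raw_message, spf_pass, dkim_pass, dmarc_txt,
                             approved_domains=None):
    """Return (decision, headers) for the provider's report generator.

    headers is the list of header names that would be copied into the
    report, or None when no report is sent. approved_domains, if given,
    restricts failure reporting to those From: domains (the allow-list
    option suggested in the thread; the set itself is an assumption).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tags = parse_dmarc_record(dmarc_txt)

    if not wants_forensic_report(tags, spf_pass, dkim_pass):
        return "no-report-requested", None
    if approved_domains is not None and from_domain not in approved_domains:
        return "suppressed-unapproved-domain", None
    if any(h in msg for h in LIST_HEADERS):
        # List traffic: the usual reason for an SPF+DKIM failure is the list
        # rewriting the message, and the headers are exactly what would leak.
        return "suppressed-list-traffic", None
    return "report", [name for name, _ in msg.items()]


# Constructed sample data: the record the attacker publishes in step 2, a
# message relayed by a list, and the same message sent directly.
ATTACKER_RECORD = "v=DMARC1; p=reject; ruf=mailto:reports@attacker.example"

LIST_MESSAGE = """\
From: Anyone <anyone@attacker.example>
To: subscriber@mailbox.example
Subject: [discuss] hello
List-Id: discuss <discuss.list.example>
List-Unsubscribe: <https://list.example/unsub?u=subscriber&token=CONSTRUCTED>
Message-ID: <1@attacker.example>

body
"""

DIRECT_MESSAGE = """\
From: Anyone <anyone@attacker.example>
To: subscriber@mailbox.example
Subject: hello
Message-ID: <2@attacker.example>

body
"""

if __name__ == "__main__":
    for label, raw in (("list", LIST_MESSAGE), ("direct", DIRECT_MESSAGE)):
        print(label, forensic_report_decision(raw, False, False, ATTACKER_RECORD))
    print("allow-list", forensic_report_decision(
        DIRECT_MESSAGE, False, False, ATTACKER_RECORD,
        approved_domains={"trusted.example"}))
```

With the default fo=0 the attacker does not even need fo=1, since a list-rewritten message fails both SPF (the list's MTA is not in the attacker's SPF record) and DKIM (no valid signature), which is the condition under which a report is produced unless one of the two suppression rules above intervenes.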
