>There's a semi-related issue I'm seeing. A number of domains have used
>addresses @dmarc.org for their aggregate reports, and some report
>generators have not implemented cross-domain reporting authorization
>checks. This volume pales in comparison to the volume of spam directed
>at the same reporting address, but is anybody else seeing this and
>thinks it's a problem?

I think you're just observing the truism that no good deed goes unpunished. Perhaps you could treat it as lead generation, collect the reports and offer to sell advice to both the people sending them and the ones reported on to improve their DMARC setup.

>> Do postmasters risk bad reputation if they continue to send DMARC reports?
>
>Another question a friendly large mailbox provider could possibly answer
>for us...

Has anybody asked Spamhaus to see if this is on their radar? I'm reasonably sure it is not.

>That inspires another question -- has anybody seen a real-world abuse or
>DoS involving DMARC reporting? There's a potential there, and I believe
>we identified it in the security considerations in RFC7489, but is there
>any indication this is a problem that needs more attention?

Unless a really gigantic provider pointed their reports at you, it seems unlikely. I've been collecting reports for a dozen domains since 2012 and the total number of aggregate reports since I've started is less than 100,000, failure reports less than 60,000.

R's,
John
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
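
The cross-domain reporting authorization check mentioned in the quoted text is the external destination verification of RFC 7489 section 7.1. The sketch below is an added example, not part of the original message or of any report generator's code; it shows how a generator would decide which `rua` destinations it may send to. Assumptions: DNS is replaced by a constructed dictionary, the Organizational Domain is approximated as the last two labels instead of using the Public Suffix List, and the step that lets the receiver's record override the `rua` value is omitted.

```python
from urllib.parse import urlparse

# Constructed sample zone data (not real DNS): owner name -> TXT strings.
SAMPLE_TXT = {
    "sender.example._report._dmarc.reports.example.net": ["v=DMARC1"],
    "*._report._dmarc.collector.example.org": ["v=DMARC1; rua=mailto:in@collector.example.org"],
    "bad.example._report._dmarc.reports.example.net": ["rua=mailto:x@reports.example.net; v=DMARC1"],
}

def org_domain(name):
    """Assumption: Organizational Domain = last two labels (real code uses the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dest_host(uri):
    """Host part of a mailto: report URI, ignoring an optional '!10m' size limit."""
    parsed = urlparse(uri.strip())
    addr = parsed.path.split("!")[0]
    if parsed.scheme != "mailto" or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def lookup_txt(qname, zone):
    """Dict-backed stand-in for a TXT query, including the wildcard form."""
    if qname in zone:
        return zone[qname]
    _, sep, host = qname.partition("._report._dmarc.")
    return zone.get("*" + sep + host, [])

def is_authorization(txt):
    """A usable record must start with the tag v=DMARC1."""
    tag, _, value = txt.split(";")[0].partition("=")
    return tag.strip() == "v" and value.strip() == "DMARC1"

def authorized_destinations(policy_domain, rua_uris, zone):
    """Return the report URIs a generator may send to for this policy domain."""
    allowed = []
    for uri in rua_uris:
        host = dest_host(uri)
        if host is None:
            continue  # malformed or non-mailto URI: skip it
        if org_domain(host) == org_domain(policy_domain):
            allowed.append(uri)  # same Organizational Domain, no lookup needed
            continue
        qname = f"{policy_domain.lower()}._report._dmarc.{host}"
        if any(is_authorization(t) for t in lookup_txt(qname, zone)):
            allowed.append(uri)  # the report receiver has opted in
    return allowed
```

A generator that skips this lookup sends reports to any address named in a third party's `rua` tag, which is the behaviour described in the quoted text.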
