At AOL we see this as well, and for now we're treating it as "they're still
figuring this DMARC thing out". If it's someone we have a regular
relationship with and it's not a blip, we'll reach out and ask what's up.
If it appears to be a serious issue - a domain getting heavily abused for
example - we'll also try and reach out.

We're not currently using it as a feature in our reputation systems, so not
taking your DMARC reports isn't going to impact your reputation here at AOL
(for now). We consider it bad form, but that's about it.

The @dmarc.org (and similar) reporting addresses make us giggle, but again
we're not holding that against anyone yet.

As for DoS via DMARC - that's one of the (many) reasons we don't do
forensic reporting. I can't tell you how many times we've seen small orgs
with no or misconfigured SPF being abused by spammers with horrible lists
that generate lots of bounces. We try to catch that before it's too bad for
the small org, but we've unintentionally crushed a mail server or three
because of this. What we haven't seen yet, and I'm not really sure it's
worth the trouble for the bad guys seeing that there are soo many easier
ways to cause trouble, is someone setting up a ton of domains that all send
reports to a victim/target. Of course, now that I've said that, someone
will do it tomorrow.

On Sat, Sep 10, 2016 at 12:53 PM, John Levine via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> >There's a semi-related issue I'm seeing. A number of domains have used
> >addresses @dmarc.org for their aggregate reports, and some report
> >generators have not implemented cross-domain reporting authorization
> >checks. This volume pales in comparison to the volume of spam directed
> >at the same reporting address, but is anybody else seeing this and
> >thinks it's a problem?
>
> I think you're just observing the truism that no good deed goes
> unpunished.  Perhaps you could treat it as lead generation, collect
> the reports and offer to sell advice to both the people sending them
> and the ones reported on to improve their DMARC setup.
>
>
> >> Do postmasters risk bad reputation if they continue to send DMARC
> reports?
> >
> >Another question a friendly large mailbox provider could possibly answer
> >for us... Has anybody asked Spamhaus to see if this is on their radar?
>
> I'm reasonably sure it is not.
>
> >That inspires another question -- has anybody seen a real-world abuse or
> >DoS involving DMARC reporting? There's a potential there, and I believe
> >we identified it in the security considerations in RFC7489, but is there
> >any indication this is a problem that needs more attention?
>
> Unless a really gigantic provider pointed their reports at you, it
> seems unlikely.  I've been collecting reports for a dozen domains
> since 2012 and the total number of aggregate reports since I've
> started is less than 100,000, failure reports less than 60,000.
>
> R's,
> John

-- 
PAUL ROCK
Principal Software Engineer | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
22070 Broderick Dr.| Dulles, VA | 20166-9305
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
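The two problems discussed in this thread (report generators that skip the cross-domain reporting authorization check John mentions, and the "many domains all pointing reports at one victim" scenario Paul raises) are both addressed by the external destination verification in RFC 7489 section 7.1. The example below is added here and is not code from the list or from AOL; it runs against a constructed DNS table and, for brevity, treats only an exact domain match as "same domain" where the RFC compares organizational domains.

```python
"""RFC 7489 section 7.1: verify a report destination before sending to it."""
import re

# Constructed DNS TXT data for this example; a real generator would query DNS.
FAKE_DNS_TXT = {
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net, mailto:ops@example.com"
    ],
    # attacker.example names a mailbox at victim.example, which never agreed to it
    "_dmarc.attacker.example": ["v=DMARC1; p=none; rua=mailto:reports@victim.example"],
    # reports.example.net has published the authorization record for example.com
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
}

def lookup_txt(name):
    """Stand-in resolver: return the TXT strings published at name."""
    return FAKE_DNS_TXT.get(name.lower(), [])

def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def destination_is_authorized(policy_domain, uri, resolver=lookup_txt):
    """True if reports for policy_domain may be sent to the mailto: URI."""
    match = re.match(r"mailto:[^@!]+@([^!]+)", uri)  # drop a size suffix like !10m
    if not match:
        return False
    dest_domain = match.group(1).lower()
    if dest_domain == policy_domain.lower():
        return True  # same domain: no external verification required
    # The destination must publish <policy>._report._dmarc.<dest> = "v=DMARC1".
    name = f"{policy_domain}._report._dmarc.{dest_domain}"
    return any(parse_dmarc_record(t).get("v", "").upper() == "DMARC1"
               for t in resolver(name))

def authorized_report_destinations(policy_domain, resolver=lookup_txt):
    """Return the rua= URIs of policy_domain that a generator may actually use."""
    records = [t for t in resolver(f"_dmarc.{policy_domain}")
               if t.upper().startswith("V=DMARC1")]
    if not records:
        return []
    uris = [u.strip() for u in parse_dmarc_record(records[0]).get("rua", "").split(",")]
    return [u for u in uris if u and destination_is_authorized(policy_domain, u, resolver)]
```

A generator that only sends to the URIs this returns cannot be turned into a report cannon by a policy publisher naming someone else's mailbox.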
