<delurk – intro at the end> I think Kurt’s question comes from a conversation he and I were having. I’ll try to provide a bit more detail. As part of the UK Government’s Active Cyber Defence programme, we’re trying to get DMARC across all public facing brands in the UK, starting with all public sector domains. We’ve found a couple of interesting things while trying to implement DMARC at scale.
1. Gov.uk shouldn’t be sending any mail at all. There’s no intended use case where we’d send mail from an @gov.uk address – all HMG mail is from subdomains. Criminals seem to like [email protected] and similar, so we set a top level SPF record (-all) and DMARC record (p=reject) to try to make things more difficult for them. From our processing of reports over the last year or so, it looks like a couple of million spoofs have been reported. That’s fine. Of those, about 9% are deemed trusted in some way by the receiver – either SPF or DKIM passed. We can’t really see how those judgements can be made, given the published policies on gov.uk. Of the 91% that have in some way failed validation, only 20% of those are reported as blocked by the receiver, leaving some 80% of the mail that’s failed validation turning up to end users in some way. We’re looking into commonalities in the cases where this happens and I wonder if there are policies receivers are making that override domain owners, or there’s a bug in some commonly used component. We wondered if anyone had any other ideas why this could be the case. I can’t find anything that would change processing of validation just because a record is on a domain on the PSL, but if anyone has any ideas we’d love to hear them!

2. As we’ve started to make criminals’ lives harder in abusing Government brands, they’re moving to deceptive domains (relatively easy to manage) and non-existent subdomains of gov.uk. We’ve got over 5000 valid subdomains of gov.uk and not all of them are compliant with our policies yet, so we can’t just set an sp=reject policy (and it’s not clear it works in all circumstances anyway). So, we’ve been trying to come up with a way of synthesising the relevant SPF, DKIM and DMARC records for non-existent domains of gov.uk, using the authoritative name server. This appears to be harder than we’d want.
We can’t just use a wildcard CNAME record because there doesn’t seem to be any way to generate the necessary second level subdomain that we need (the _dmarc.baddomain.gov.uk). DNAME would be the most obvious way to do this, but it’d need a wildcard DNAME and they’re ‘frowned upon’ ☺. Before we start thinking about doing something kludgy (probably looking for failed lookups for TXT records in logs and adding the subdomain to the zone, which sucks), does anyone have any ideas that we could try? I can’t believe this is the first time this has been encountered! Any thoughts very welcome.

Ta.

I.

Intro: Hi, I’m Ian Levy, Technical Director of the UK’s National Cyber Security Centre (NCSC), the UK Government agency charged with being the single, authoritative voice on cybersecurity for the UK. One of the things we’re doing is being more active in the protection of the UK at scale. There’s a blog from me on the NCSC website introducing the whole programme, but getting DMARC adopted at scale is part of it. The bit most relevant to this discussion is at www.ncsc.gov.uk/active-cyber-defence which talks about the active services, including email security and anti-spoofing. MailCheck is our DMARC processing and analysis platform, which we intend to release as open source early January.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
Staff Officer: Kate Atkins, [email protected]

From: dmarc [mailto:[email protected]] On Behalf Of Kurt Andersen (b)
Sent: 15 December 2017 21:30
To: [email protected]
Subject: [dmarc-ietf] Preventing abuse of public-suffix-level domains

I know that there had been some very preliminary thoughts about protecting the PSL domains themselves, but those never got very far (they were in the context of the DBOUND WG).
I've heard from one of my contacts that country-level TLDs like gov.za are being used for attacks and that there is not a particularly effective way to protect against that or to protect against non-existent subdomains being abused. (It's even worse if those public suffix level domains are being used to send mail, but if they aren't, how do you protect it?)

Any ideas here?

--Kurt Andersen

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
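The first point in Ian's message is the split of aggregate-report traffic into mail the receiver treated as authenticated, failed mail it blocked, and failed mail it delivered anyway. The script below is an added example, not code from the thread and not part of MailCheck: it parses one DMARC aggregate (rua) report in the RFC 7489 Appendix C layout and produces that split, keeping the `policy_override_reason` types receivers report under `policy_evaluated/reason`, which is where a receiver states that its own policy overrode the domain owner's. The report, receiver name, IPs and counts are constructed for the example.

```python
# Added example: tally one DMARC aggregate (rua) report into authenticated,
# enforced and delivered-despite-failure mail, with receiver override reasons.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (RFC 7489 Appendix C layout); receiver, IPs and
# counts are made up and are not from any real gov.uk report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>gov.uk</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1000</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type><comment>sender allowlisted</comment></reason>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.11</source_ip><count>250</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.12</source_ip><count>100</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.13</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>forwarded</type></reason>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.14</source_ip><count>150</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.15</source_ip><count>50</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>
"""

NO_REASON = "(no reason given)"


def _text(node, path, default=""):
    """Text of the first child at `path`, or `default` when absent or empty."""
    found = node.find(path) if node is not None else None
    return found.text.strip() if found is not None and found.text else default


def summarise(xml_text):
    """Return message counts by authentication outcome and disposition."""
    root = ET.fromstring(xml_text)
    s = {
        "domain": _text(root, "policy_published/domain"),
        "published_p": _text(root, "policy_published/p"),
        "total": 0,
        "authenticated": 0,             # aligned SPF or DKIM pass
        "failed": 0,                    # neither aligned mechanism passed
        "enforced": 0,                  # failed and rejected or quarantined
        "delivered_despite_fail": 0,    # failed but disposition none
        "override_reasons": Counter(),  # receiver's stated reason, by message count
    }
    for record in root.iter("record"):
        row = record.find("row")
        count = int(_text(row, "count", "0"))
        evaluated = row.find("policy_evaluated")
        s["total"] += count
        # policy_evaluated/spf and /dkim carry the DMARC-aligned results, so a
        # "pass" here is the receiver treating the message as trusted.
        if _text(evaluated, "spf") == "pass" or _text(evaluated, "dkim") == "pass":
            s["authenticated"] += count
            continue
        s["failed"] += count
        if _text(evaluated, "disposition") in ("reject", "quarantine"):
            s["enforced"] += count
            continue
        s["delivered_despite_fail"] += count
        reasons = [_text(r, "type", NO_REASON) for r in evaluated.findall("reason")]
        for reason in reasons or [NO_REASON]:
            s["override_reasons"][reason] += count
    return s


def percent(part, whole):
    """Share of `whole` as a percentage, 0.0 when `whole` is zero."""
    return round(100.0 * part / whole, 1) if whole else 0.0


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['domain']} (published p={s['published_p']}): {s['total']} messages")
    print(f"  treated as authenticated: {percent(s['authenticated'], s['total'])}%")
    print(f"  failed and enforced:      {percent(s['enforced'], s['failed'])}% of failures")
    print(f"  failed but delivered:     {percent(s['delivered_despite_fail'], s['failed'])}% of failures")
    for reason, n in s["override_reasons"].most_common():
        print(f"    override reason {reason}: {n}")
```

Two choices worth noting: quarantine is counted as enforcement alongside reject, since both mean the receiver acted on the policy, and a failed-but-delivered row with no `reason` element is kept as its own bucket rather than folded into "local_policy", because a silent override is exactly the case one would want to chase up with the receiver.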
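The second point in Ian's message is synthesising SPF and DMARC answers for non-existent subdomains of gov.uk from the authoritative server. Whatever scheme is tried, which query names it answers is governed by the wildcard matching rules of RFC 4592, so the following added example (not from the thread and not NCSC code) is a small model of those rules run against a constructed gov.uk zone. It shows that a wildcard owner matches names several labels below it (so `_dmarc.baddomain.gov.uk` is matched by `*.gov.uk` when `baddomain.gov.uk` does not exist), that a name below an existing subdomain is not matched (the closest encloser blocks the wildcard, so existing subdomains keep their own answers), and that an empty non-terminal returns NODATA rather than a wildcard answer. Delegations, CNAME chasing and the PSL-based organisational-domain lookup are not modelled; the zone contents, IPs and records are constructed for the example.

```python
# Added example: a minimal model of RFC 4592 wildcard matching for one zone,
# used to check which query names a wildcard such as *.gov.uk answers for.
# Delegations and CNAME chasing are deliberately not modelled.

# Constructed zone contents for the gov.uk apex (not the real zone).
ZONE_APEX = "gov.uk"
ZONE = {
    "gov.uk": {"TXT": ["v=spf1 -all"]},
    "_dmarc.gov.uk": {"TXT": ["v=DMARC1; p=reject"]},
    # One wildcard RRset holding both strings: SPF keeps only "v=spf1" records
    # (RFC 7208 s4.5) and DMARC keeps only "v=DMARC1" records (RFC 7489 s6.6.3).
    "*.gov.uk": {"TXT": ["v=spf1 -all", "v=DMARC1; p=reject"]},
    "existing.gov.uk": {"A": ["192.0.2.1"]},    # real subdomain, no DMARC record yet
    "mail.other.gov.uk": {"A": ["192.0.2.2"]},  # makes other.gov.uk an empty non-terminal
}


def _normalise(name):
    return name.lower().rstrip(".")


def name_exists(zone, name):
    """True if `name` owns records or is an ancestor of an owner (an empty
    non-terminal); both count as existing for wildcard purposes."""
    suffix = "." + name
    return any(owner == name or owner.endswith(suffix) for owner in zone)


def closest_encloser(zone, name):
    """Longest existing ancestor of `name` (RFC 4592 s3.3.1)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if name_exists(zone, candidate):
            return candidate
    return None


def resolve(zone, apex, qname, qtype):
    """Return (status, rdata) for one query; status is 'ANSWER', 'NODATA',
    'NXDOMAIN' or 'OUT_OF_ZONE'."""
    qname = _normalise(qname)
    if qname != apex and not qname.endswith("." + apex):
        return ("OUT_OF_ZONE", [])
    if name_exists(zone, qname):
        # An existing name never matches a wildcard, even with no records of
        # the requested type: empty non-terminals answer NODATA.
        rrsets = zone.get(qname, {})
        return ("ANSWER", list(rrsets[qtype])) if qtype in rrsets else ("NODATA", [])
    # Non-existent name: synthesise from "*.<closest encloser>" if that exists.
    encloser = closest_encloser(zone, qname)
    wildcard = zone.get("*." + encloser, {}) if encloser else {}
    if not wildcard:
        return ("NXDOMAIN", [])
    return ("ANSWER", list(wildcard[qtype])) if qtype in wildcard else ("NODATA", [])


def _record_with_prefix(zone, apex, name, prefix):
    """Single TXT record at `name` starting with `prefix`, else None (a client
    treats zero or several candidates as 'no usable record')."""
    status, rdata = resolve(zone, apex, name, "TXT")
    matches = [r for r in rdata if r.startswith(prefix)]
    return matches[0] if status == "ANSWER" and len(matches) == 1 else None


def dmarc_record_for(domain, zone=ZONE, apex=ZONE_APEX):
    """The DMARC record a receiver would find at _dmarc.<domain>, or None."""
    return _record_with_prefix(zone, apex, "_dmarc." + domain, "v=DMARC1")


def spf_record_for(domain, zone=ZONE, apex=ZONE_APEX):
    """The SPF record a receiver would find at <domain>, or None."""
    return _record_with_prefix(zone, apex, domain, "v=spf1")


if __name__ == "__main__":
    for d in ("gov.uk", "baddomain.gov.uk", "a.b.c.gov.uk", "existing.gov.uk", "other.gov.uk"):
        print(f"{d:20} SPF={spf_record_for(d)!s:12} DMARC={dmarc_record_for(d)}")
```

The model only answers the DNS-side question: what a server holding such a zone would return for each name. Whether a receiver ever asks for `_dmarc.<subdomain>.gov.uk` (rather than `_dmarc.gov.uk`) depends on its organisational-domain lookup against the PSL, which is outside this model.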
