On Friday, December 10, 2021 2:45:29 PM EST John Levine wrote:
> It appears that Scott Kitterman <[email protected]> said:
> >> apply the DMARC check using each of those domains found in the
> >> RFC5322 <https://datatracker.ietf.org/doc/html/rfc5322>.From field
> >> as the Author Domain and apply the most strict
> >> policy selected among the checks that fail.
> >>
> >> Option 1 above is proposed in DMARCbis as a way to mitigate the risk of a
> >> DoS attack by a bad guy inserting a From: header with umpteen domains, each
> >> of which would have to be checked.
> >
> > Thanks. I had lost track of that.
> >
> > In that case it might be better to impose a limit (two maybe) to check
> > rather than toss out the check entirely?
>
> Seems like a quality of implementation issue. Given the volume of mail that
> flows through servers these days, it seems very implausible that you could
> cause any new damage by putting a few more domains to test in a From
> header. DMARC has been around for the better part of a decade so I think
> we can assume someone will already have tried any useful attack.
>
> As a practical matter, I have seen very few messages with more than one
> address and I don't think I've ever seen a message with more than two other
> than as to prove it's possible. So if one decided to toss anything with
> three addresses into the bin without even doing other checks, I suspect
> nobody would even notice.
I agree. I think we should go back to the RFC 7489 text and call it done. If someone is really worried they can write something for the security considerations to remind people not to let themselves get DOS'ed.

Scott K
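As an added illustration of the check being discussed (this is example code written for this page, not code from either poster or from any DMARC implementation): evaluate DMARC once per author domain in a multi-address From: field, take the strictest policy among the domains that fail, and bound the work with a small cap on the number of author domains, as the thread suggests. The `SAMPLE_DMARC_POLICIES` table is a constructed stand-in for `_dmarc` TXT lookups, the `aligned` helper is a simplified relaxed-alignment check (exact match or subdomain, not a full organizational-domain comparison), and the cap of two is taken from the message above.

```python
import email.utils

# DMARC p= values ordered from least to most strict.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed stand-in for DNS: the p= value a real checker would read from
# the _dmarc.<domain> TXT record. Domains absent here publish no record.
SAMPLE_DMARC_POLICIES = {
    "example.com": "reject",
    "example.net": "quarantine",
    "example.org": "none",
}


def author_domains(from_header):
    """Return the lowercase domain of each address in an RFC 5322 From: field."""
    domains = []
    for _display_name, addr in email.utils.getaddresses([from_header]):
        if "@" not in addr:
            continue  # malformed or group syntax with no addr-spec: skip
        domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def aligned(author_domain, authenticated_domains):
    """Simplified relaxed alignment (assumption, not the full RFC rule):
    an authenticated identifier (SPF MAIL FROM or DKIM d=) aligns if it equals
    the author domain or is a subdomain of it."""
    for auth in authenticated_domains:
        auth = auth.lower()
        if auth == author_domain or auth.endswith("." + author_domain):
            return True
    return False


def dmarc_disposition(from_header, authenticated_domains,
                      policies=SAMPLE_DMARC_POLICIES, max_domains=2):
    """Apply the DMARC check to every author domain and return the outcome:
    "pass"             every author domain with a record is aligned
    "none"/"quarantine"/"reject"  strictest policy among failing domains
    "too_many_domains" more author domains than the cap; checks not run
    """
    domains = author_domains(from_header)
    if len(domains) > max_domains:
        # Bound the work before any DNS lookups happen.
        return "too_many_domains"

    strictest = None
    saw_record = False
    for domain in domains:
        policy = policies.get(domain)
        if policy is None:
            continue  # no DMARC record published: nothing to enforce
        saw_record = True
        if aligned(domain, authenticated_domains):
            continue  # this author domain passes
        if strictest is None or POLICY_RANK[policy] > POLICY_RANK[strictest]:
            strictest = policy

    if not saw_record:
        return "none"  # no domain published a policy, so none applies
    return strictest if strictest is not None else "pass"


if __name__ == "__main__":
    # Constructed sample inputs: From: headers with one, two and three addresses.
    print(dmarc_disposition("Alice <alice@example.com>", ["example.com"]))
    print(dmarc_disposition("alice@example.com, bob@example.org", ["example.org"]))
    print(dmarc_disposition("a@example.com, b@example.net, c@example.org", []))
```

The cap is checked before any lookup so that a From: field stuffed with addresses costs the receiver nothing beyond header parsing; whether an over-cap message is rejected outright or just skipped for DMARC is a local policy decision, which is why the function reports it as a distinct outcome rather than choosing for you.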
