I noted at the DMARC session -117, that with the p=reject downgrade to quarantine language, this increases the risk of SPF upgrade attacks due to forwarding. The reply was to propose language for this and below is the suggested text for the proposed "11.9 Quarantined Forwarded Mail Security Risk"
===== 11.9 Quarantined Forwarded Mail Security Risk When receivers apply the "MUST NOT reject" in Section 8.6 to accept unauthenticated messages as quarantined messages, receivers SHOULD carefully review how they forward mail traffic to prevent additional security risk. That is, this downgrade can enable spoofed messages that are SPF DMARC authenticated with a fraudulent From identity despite having an associated strong DMARC policy of "p=reject". A malicious sender needs two properties to perform such a SPF upgrade attack: 1) a receiver that will forward quarantined messages, and 2) the spammer finds a SPF policy that covers the forwarding IPs. Such a sender crafts a message with From header assuming the identity of the domain with the SPF policy and matching MAIL FROM. Consequently the receiver evaluates message authentication and finds that the MAIL FROM does not authenticate but does not reject the message and instead quarantines it. Vulnerable receivers then forward the message to some subsequent receiver with the message taking the authenticated identity of the From header. That forwarding may be under control of the malicious sender perhaps via auto-forwarding or enterprise policy. Receivers SHOULD consider restricting forwarding when the message is SPF unauthenticated. SPF upgrade attack and other considerations are discussed further in Liu et. al. [1]. [1] Liu, Enze et al. "Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy", Proceedings of the 8th IEEE European Symposium on Security and Privacy, 2023.
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
