On 11/01/2024 18:15, Todd Herr wrote:
On Thu, Jan 11, 2024 at 11:51 AM Damien Alexandre wrote:
https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.1
"The case of a syntactically valid multi-valued RFC5322.From field
presents a particular challenge. The process in this case is to
apply the DMARC check using each of those domains found in the
RFC5322.From field as the Author Domain and apply the most strict
policy selected among the checks that fail."
[...]
DMARCbis has rewritten these sections and has text that you may find
helpful.
The declaration in Section 5.7.1 and elsewhere in this document that
messages that do not contain precisely one RFC5322.From domain are
outside the scope of this document exposes an attack vector that must
be taken into consideration.
Because such messages are outside the scope of this document, an attacker
can craft messages with multiple RFC5322.From domains, including the
spoofed domain, in an effort to bypass DMARC validation and get the
fraudulent message to be displayed by the victim's MUA with the spoofed
domain successfully shown to the victim. In those cases where such messages
are not rejected due to other reasons (for example, many such messages
would violate RFC5322's requirement that there be precisely one From:
header), care must be taken by the receiving MTA to recognize such messages
as the threats they might be and handle them appropriately.
A sensible behavior for a signing filter would be to replace
multi-valued From: lines with ones having the first mailbox only and the
phrase "et al." added to the friendly name. The original multi-valued
From: can be saved to Author:. (Adding this to my TODO list).
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc