On January 15, 2024 4:49:10 PM UTC, Alessandro Vesely <[email protected]> wrote:
>On 11/01/2024 18:15, Todd Herr wrote:
>> On Thu, Jan 11, 2024 at 11:51 AM Damien Alexandre wrote:
>>
>>> https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.1
>>>
>>> "The case of a syntactically valid multi-valued RFC5322.From field
>>> presents a particular challenge. The process in this case is to
>>> apply the DMARC check using each of those domains found in the
>>> RFC5322.From field as the Author Domain and apply the most strict
>>> policy selected among the checks that fail."
>>> [...]
>>
>> DMARCbis has rewritten these sections and has text that you may find
>> helpful.
>>
>> The declaration in Section 5.7.1 and elsewhere in this document that
>> messages that do not contain precisely one RFC5322.From domain are
>> outside the scope of this document exposes an attack vector that must
>> be taken into consideration.
>>
>> Because such messages are outside the scope of this document, an attacker
>> can craft messages with multiple RFC5322.From domains, including the
>> spoofed domain, in an effort to bypass DMARC validation and get the
>> fraudulent message to be displayed by the victim's MUA with the spoofed
>> domain successfully shown to the victim. In those cases where such messages
>> are not rejected due to other reasons (for example, many such messages
>> would violate RFC5322's requirement that there be precisely one From:
>> header), care must be taken by the receiving MTA to recognize such messages
>> as the threats they might be and handle them appropriately.
>
>A sensible behavior for a signing filter would be to replace multi-valued
>From: lines with ones having the first mailbox only and the phrase "et al."
>added to the friendly name. The original multi-valued From: can be saved to
>Author:. (Adding this to my TODO list).
>

I don't think that's sensible at all. It's not the place of a signing filter to modify the message.
I think it would be reasonable to either add a signature for each from domain or to decline to sign it at all, but since DKIM doesn't care about from domain at all, I think it would be up to whatever calls the signing filter to specify.
Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
