I have been thinking about the other way that an attacker could have two
From addresses: by having two From headers. Not a problem as long as
the evaluator rejects the message based on standards violation.

But what if the evaluator does not test for dual headers because the
configuration is so unexpected? The DKIM logic will evaluate the
bottommost From header, and may be able to produce DMARC PASS or NoPolicy
based on that From address. But then the MUA might display the
uppermost From address, or a combination of the two, allowing the recipient
to be deceived.

Google prevents this type of attack by oversigning the From header, which
is a best practice, but it is not a universal practice.

Therefore, I suggest that a sentence is worthwhile to remind evaluators to
enforce uniqueness of unique headers.

D.F.


On Sat, Feb 10, 2024 at 7:47 PM Scott Kitterman <[email protected]>
wrote:

> On Saturday, February 10, 2024 7:39:37 PM EST Murray S. Kucherawy wrote:
> > On Sat, Feb 10, 2024 at 12:34 PM Jim Fenton <[email protected]> wrote:
> > > > No, it's perfectly fine to declare that DMARC only applies to certain
> > > > classes of messages.
> > >
> > > This actually concerns me a bit. If having multiple From: addresses causes
> > > a message to be out of scope for DMARC and therefore bypass a p=reject
> > > policy, that sounds like a reason that attackers might start sending
> > > messages with multiple From: addresses in order to accomplish that.
> >
> > What we said in RFC 7489, and what I think we're saying here, is that
> > experience (at the time of that RFC, at least) suggests that such messages,
> > even though they're legal by RFC 5322, tend to get dropped or rejected
> > before they get to any DMARC engine because they're considered unusual or
> > dangerous or some other concerning adjective, so it was sufficient to call
> > them out of scope.  I believe Gmail has indicated that messages that do
> > have a multi-valued From tend to clearly be spam or other abuse.
> >
> > What that tells me is that it would be reasonable for a receiver to discard
> > or reject them before they even get to DMARC, meaning we don't have to
> > worry about it in DMARC directly.
> >
> > If we decide we need to make DMARC bulletproof even in this case, then
> > perhaps the move is indeed to codify the "check them all" logic that's been
> > suggested.  But I don't think we can say in this document that multi-valued
> > From is no longer valid; that's perhaps in EMAILCORE's scope, not in ours.
>
> Are we waiting for anything else before WGLC?
>
> I suggest we put in some non-normative words about check them all and move
> on.
> Let's throw this thing over the finish line.
>
> Scott K
>
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
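
The uniqueness check suggested in the first message above, sketched as an added example; it is not part of any message in this thread and not code from any DMARC implementation. The function names and both sample messages are constructed for illustration, and the at-most-once field list follows the occurrence limits in RFC 5322 section 3.6.

```python
from email import message_from_string
from email.utils import getaddresses

# Fields RFC 5322 section 3.6 permits at most once per message.
SINGLETON = {"from", "sender", "reply-to", "to", "cc", "bcc", "date",
             "message-id", "in-reply-to", "references", "subject"}

def duplicated_singletons(msg):
    """Map each at-most-once field that appears more than once to its count."""
    counts = {}
    for name in msg.keys():              # keys() keeps duplicates, top to bottom
        name = name.lower()
        if name in SINGLETON:
            counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}

def from_top_and_bottom(msg):
    """Addresses in the uppermost and bottommost From fields."""
    addrs = [[a for _, a in getaddresses([v])] for v in msg.get_all("From", [])]
    return (addrs[0], addrs[-1]) if addrs else ([], [])

def signed_from_slots(dkim_value):
    """How many times 'from' is listed in a DKIM-Signature h= tag."""
    for tag in dkim_value.split(";"):
        key, _, val = tag.partition("=")
        if key.strip().lower() == "h":
            return [f.strip().lower() for f in val.split(":")].count("from")
    return 0

def evaluate(raw):
    """Reject on duplicated singleton fields before any DKIM/DMARC evaluation."""
    msg = message_from_string(raw)
    dups = duplicated_singletons(msg)
    if dups:
        return ("reject", dups)
    sigs = msg.get_all("DKIM-Signature", [])
    n_from = len(msg.get_all("From", []))
    # Oversigned: every signature lists From more often than it occurs.
    oversigned = bool(sigs) and all(signed_from_slots(s) > n_from for s in sigs)
    return ("continue", {"from_oversigned": oversigned})

# Constructed sample messages (placeholder domains and signature data).
_SIG = "DKIM-Signature: v=1; d=b.example; s=sel; h={h}; b=CONSTRUCTED\n"
_TAIL = "From: signed@b.example\nTo: user@c.example\n\nbody\n"
SAMPLE_DUP = "From: Display <display@a.example>\n" + _SIG.format(h="from:to") + _TAIL
SAMPLE_OK = _SIG.format(h="from:from:to") + _TAIL
```

For `SAMPLE_DUP`, `from_top_and_bottom` returns the two different addresses that a display path and a signature check could each pick, which is why the message is rejected before either runs.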