A small volume of incoming messages will be rejected because the recipient account is over quota, the recipient account has been terminated, or the sender accidentally entered an incorrect address. If the sender is known to be legitimate and acceptable, then the sender should be notified of these occurrences.
However, the vast majority of rejected messages are some form of attack, detected because of:

- negative sender reputation,
- negative content score, or
- incorrect recipient addresses that represent a directory harvesting attack.

In these cases, the attacking sender's interests are in direct conflict with the recipient evaluator's interest. Under these conditions, information transfer from evaluator to sender can only help the sender at the expense of the evaluator. A rejection says, "This attack strategy has failed. To penetrate my defenses, you must use a different strategy." This information motivates the attacker to attack in a different way. By comparison, silent discard communicates to the sender that the attack succeeded, even though it did not, so the sender has no indication that a tactical change is needed.

Therefore, the optimal security strategy is to only provide non-delivery information to known-good senders. For other senders, the optimal security strategy is to report success with 250 OK, and then silently discard.

DMARC reporting adds another layer of risk to this process. An attacker can use two domains to test impersonation defenses, one performing impersonation and one being impersonated. The impersonated domain chooses different policy postures, then the impersonating domain performs attacks. The controller of the attack receives information from dual sources: the impersonation domain captures any delivery status, while the impersonated domain captures any aggregate or failure reporting. By combining these sources, the attacker is likely to find an impersonation attack strategy that is likely to succeed. Consequently, DMARC feedback also falls under the principle that feedback should only be provided to known-good domain owners.

Doug Foster
_______________________________________________ dmarc mailing list -- dmarc@ietf.org To unsubscribe send an email to dmarc-le...@ietf.org
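The response strategy in the post, as an added example (not code from Doug Foster or the IETF dmarc list): a small policy engine that classifies a delivery attempt, gives a real non-delivery status only to a known-good sender with a benign cause, and answers everyone else with 250 OK while discarding and logging locally. The reputation and content thresholds, the harvest count, the mailbox table and the `dmarc_feedback_allowed` gate are constructed assumptions for illustration; the enhanced status codes 4.2.2 and 5.1.1 are the standard RFC 3463 values.

```python
"""Toy policy engine for the 'feedback only to known-good senders' strategy.
Added example; thresholds, mailbox states and sample traffic are constructed."""
from dataclasses import dataclass
from enum import Enum, auto


class Reason(Enum):
    OVER_QUOTA = auto()          # recipient mailbox full
    ACCOUNT_TERMINATED = auto()  # recipient account closed
    BAD_ADDRESS = auto()         # one unknown recipient, plausibly a typo
    BAD_REPUTATION = auto()      # negative sender reputation
    BAD_CONTENT = auto()         # negative content score
    DIRECTORY_HARVEST = auto()   # many unknown recipients in one transaction


# Causes a legitimate sender can act on; the post says a known-good sender
# should be told about these.
BENIGN = {Reason.OVER_QUOTA, Reason.ACCOUNT_TERMINATED, Reason.BAD_ADDRESS}

# Constructed thresholds (assumptions, not values from the post).
REPUTATION_FLOOR = 0.3     # below this the sender is treated as hostile
CONTENT_CEILING = 5.0      # above this the content is treated as hostile
HARVEST_MIN_UNKNOWN = 3    # unknown recipients that look like harvesting

# Constructed mailbox table: local part -> "ok" | "full" | "terminated".
# Any address not present is unknown.
MAILBOXES = {"alice": "ok", "bob": "full", "carol": "terminated"}


@dataclass(frozen=True)
class Decision:
    smtp_code: int   # what the sending MTA is told
    smtp_text: str
    deliver: bool    # whether the message reaches a mailbox
    log: str         # what the evaluator records for its own use


def classify(recipients, mailboxes, reputation, content_score):
    """Return the first applicable non-delivery reason, or None if deliverable."""
    if reputation < REPUTATION_FLOOR:
        return Reason.BAD_REPUTATION
    if content_score > CONTENT_CEILING:
        return Reason.BAD_CONTENT
    unknown = [r for r in recipients if r not in mailboxes]
    if len(unknown) >= HARVEST_MIN_UNKNOWN:
        return Reason.DIRECTORY_HARVEST
    if unknown:
        return Reason.BAD_ADDRESS
    states = {mailboxes[r] for r in recipients}
    if "terminated" in states:
        return Reason.ACCOUNT_TERMINATED
    if "full" in states:
        return Reason.OVER_QUOTA
    return None


def decide(reason, sender_known_good):
    """Map a classification to the SMTP reply and the local action."""
    if reason is None:
        return Decision(250, "OK", True, "delivered")
    if sender_known_good and reason in BENIGN:
        # A legitimate sender gets a real status so it can fix the problem.
        if reason is Reason.OVER_QUOTA:
            return Decision(452, "4.2.2 Mailbox full", False, "tempfail: over quota")
        return Decision(550, "5.1.1 User unknown", False, f"rejected: {reason.name}")
    # Everyone else sees success. The discard is silent towards the sender
    # but is always written to the evaluator's own log. (Assumption: a
    # known-good sender with an attack verdict is also discarded; the post
    # does not address that case.)
    return Decision(250, "OK", False, f"silently discarded: {reason.name}")


def dmarc_feedback_allowed(domain, known_good_domains):
    """The same principle applied to DMARC aggregate and failure reports."""
    return domain in known_good_domains


if __name__ == "__main__":
    # Constructed sample transactions: (sender known-good?, recipients, rep, score)
    samples = [
        (True, ["bob"], 0.9, 1.0),                 # legit sender, full mailbox
        (False, ["bob"], 0.9, 1.0),                # unknown sender, full mailbox
        (False, ["zed1", "zed2", "zed3"], 0.9, 1.0),  # directory harvest
        (True, ["alice"], 0.1, 1.0),               # bad reputation
    ]
    for known_good, rcpts, rep, score in samples:
        d = decide(classify(rcpts, MAILBOXES, rep, score), known_good)
        print(f"{d.smtp_code} {d.smtp_text:<20} deliver={d.deliver!s:<5} log={d.log}")
```

Note that the only thing hidden from a hostile sender is the reply; the evaluator's own log still records the true reason, which is what detection and tuning depend on.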