On Fri 29/Apr/2022 18:24:04 +0200 Bernardo Reino wrote:
On Fri, 29 Apr 2022, Tobias Fiebig via mailop wrote:

This might be a bit of a theoretical attack thing, but looking over the bounces
for my nightly outbound DMARC reports I actually started to wonder about this;
(Mostly because I am getting scared by regularly sending DMARC reports to non
-existing accounts on a major ESP ;-)).

It's scary, and your scenario looks very real.

I regularly get bounces from Google due to DMARC reports being sent to non-existent addresses handled by Google.


Sorry to be late...

Note that example.com should set rua=mailto:[email protected]; that is, they should receive reports at their own domain. If they set up a recipient at an external domain, the latter must acknowledge that setting.

For example, googlemail.com addresses to an external, albeit similar, domain:

~$ dig +short _dmarc.googlemail.com txt
"v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:[email protected]";

That ought to be acknowledged by google.com:

~$ dig +short googlemail.com._report._dmarc.google.com txt
"v=DMARC1"

Check that before sending!


I've even considered stopping sending DMARC reports entirely, as one could argue that they don't serve any positive purpose for the reporter, and may even have a negative impact, as you have described.


There /are/ a couple of positive effects for reporters. One, for small senders, is to contribute to scraping out a minimal footprint.

As for non-existing accounts, recall that the acknowledgement record —almost empty in the above example— can override the rua= tag in order to direct to a working mailbox. So, if it bounces, it is entirely their own fault, and they should be smart enough not to blame third parties.


Best
Ale
--
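An added example (not code from this thread or from any of its posters) of the external-destination check described above: before a reporter sends to a rua= address outside the policy domain, it looks up policy-domain._report._dmarc.destination-domain and sends only if a v=DMARC1 record is found there, honouring any rua= override that record carries (RFC 7489 section 7.1). The resolver and TXT data are constructed for an offline run, and domains are compared exactly rather than by Organizational Domain, which is a simplification.

```python
import re
from typing import Callable, Dict, List

# A resolver takes a DNS name and returns the TXT strings found there (empty list if none).
Resolver = Callable[[str], List[str]]

def parse_tags(record: str) -> Dict[str, str]:
    """Split a DMARC-style TXT record ("v=DMARC1; p=none; rua=...") into a tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def mailto_addresses(rua: str) -> List[str]:
    """Addresses of the mailto: URIs in a rua= tag; an optional '!size' suffix is dropped."""
    return [m.group(1).lower() for m in re.finditer(r"mailto:([^@\s!,]+@[^!\s,]+)", rua)]

def report_destinations(policy_domain: str, dmarc_record: str, resolve: Resolver) -> List[str]:
    """Addresses a reporter may send aggregate reports to, after the RFC 7489 7.1 check."""
    # Assumption/simplification: domains are compared exactly; the RFC compares
    # Organizational Domains, so a subdomain destination counts as external here.
    policy_domain = policy_domain.lower()
    accepted: List[str] = []
    for addr in mailto_addresses(parse_tags(dmarc_record).get("rua", "")):
        dest_domain = addr.split("@", 1)[1]
        if dest_domain == policy_domain:
            accepted.append(addr)  # reports stay at the policy domain: no acknowledgement needed
            continue
        ack_name = f"{policy_domain}._report._dmarc.{dest_domain}"
        ack = [r for r in resolve(ack_name) if r.lower().startswith("v=dmarc1")]
        if not ack:
            continue  # external destination never acknowledged the arrangement: do not send
        # The acknowledgement record may carry its own rua= tag, which redirects the reports.
        override = parse_tags(ack[0]).get("rua")
        accepted.extend(mailto_addresses(override) if override else [addr])
    return accepted

# Constructed sample TXT data (not real DNS) so the check runs offline.
SAMPLE_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@reports.example.net"],
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1; rua=mailto:inbox@reports.example.net"],
    # example.org names the same report host, but no acknowledgement record exists for it.
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net"],
}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_TXT.get(name.lower(), [])
```

With the sample data, example.com's reports are redirected to the mailbox named in the acknowledgement record, while example.org's external destination is dropped because nobody at reports.example.net acknowledged it.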
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop