On 10/4/19 6:43 AM, A. Schulze wrote:
> that happen from time to time but currently I suspect the sender likes to trigger a bug in OpenDMARC to generate dmarc=pass for messages that otherwise would be classified as dmarc=reject.
Based on my understanding of DMARC, which could be wrong, I don't think this is a bug in OpenDMARC, as an implementation, but rather an unexpected behavior around the DMARC standard.
My understanding is that the DMARC standard is to check alignment of the From: address, which means the part inside angle brackets, outside of the optional double quoted friendly name.

From: "John Doe <j...@example.net>" <doe.j...@example.com>

Thus DMARC is supposed to /only/ check <doe.j...@example.com> and /not/ check <j...@example.net>.
As such, some enterprising individuals have taken to putting an address they want to pretend to be inside the double quoted friendly name while using something else they control in the actual from address. Thus their messages /do/ /pass/ DMARC alignment tests while still appearing to be from what humans (mis)perceive as the address inside the double quoted friendly name.
To me, this is what the DMARC specification states. Thus why enterprising individuals have taken to using this workaround to make messages appear to be from j...@example.net.
This is also why some DMARC implementations have started going beyond the DMARC specification and looking for what appears to be an email address inside the double quoted friendly name and applying DMARC alignment tests to that in addition to what the specification says. Hence why I referred to these implementations as overzealous.
> I'm aware, the Debian package of opendmarc was updated some weeks ago: https://www.debian.org/security/2019/dsa-4526
I thought that this bug was based on multiple From: headers in a message.

From: "unknown" <spam...@example.org>
From: "John Doe <j...@example.net>" <doe.j...@example.com>

The first part of this issue centering around the fact that some DMARC implementations would test the first From: header for alignment and ignoring other From: headers, assuming that there is only one.
The second part of this issue centering around the fact that some MUAs only display the last From: header and ignore other From: headers.
The combined interaction being that the questionable message passes DMARC alignment tests without any problems and the last From: address is displayed to the end user. Thus making a message seemingly from John Doe <j...@example.net> passed DMARC when <spam...@example.org> was the real sender that passed DMARC.
-- Grant. . . . unix || die
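
The two header shapes discussed in this message, as an added example that is not part of the original post: a Python check that flags a message carrying more than one From: header, or an address-like string in the display name whose domain differs from the real From: address. The function name `audit_from` and the local parts in the sample messages are constructed for illustration; domains are compared literally, without organizational-domain alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Loose pattern for "something that looks like an address" inside a display name.
ADDR_LIKE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def audit_from(raw_message):
    """Return findings about the From: header(s) of one raw message."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    findings = []
    # Exactly one From: header is expected; any other count means the filter
    # and the mail client may not be looking at the same header.
    if len(from_headers) != 1:
        findings.append(f"from-count:{len(from_headers)}")
    for value in from_headers:
        display, addr = parseaddr(value)
        real_domain = addr.rpartition("@")[2].lower()
        # The address DMARC evaluates is `addr`; the reader may only see `display`.
        for match in ADDR_LIKE.finditer(display):
            shown_domain = match.group(1).lower()
            if shown_domain != real_domain:
                findings.append(
                    f"display-name-address:{shown_domain}!={real_domain}")
    return findings


# Constructed sample messages (local parts are made up for this example).
CASE_DISPLAY = ('From: "John Doe <john@example.net>" <doe.john@example.com>\n'
                'Subject: test\n\nbody\n')
CASE_TWO_FROM = ('From: "unknown" <sender@example.org>\n'
                 'From: "John Doe <john@example.net>" <doe.john@example.com>\n'
                 'Subject: test\n\nbody\n')
CASE_CLEAN = ('From: "John Doe" <john@example.net>\n'
              'Subject: test\n\nbody\n')

if __name__ == "__main__":
    for label, raw in [("display", CASE_DISPLAY), ("two-from", CASE_TWO_FROM),
                       ("clean", CASE_CLEAN)]:
        print(label, audit_from(raw))
```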