Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains

Ian Levy <ian.levy@ncsc.gov.uk> Sat, 20 January 2018 16:00 UTC

From: Ian Levy <ian.levy@ncsc.gov.uk>
To: John R Levine <johnl@taugh.com>
CC: "Kurt Andersen (b)" <kboth@drkurt.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Preventing abuse of public-suffix-level domains
Date: Sat, 20 Jan 2018 16:00:05 +0000
Message-ID: <LOXP12301MB1655E73E997FC03489D08D9EC9EE0@LOXP12301MB1655.GBRP123.PROD.OUTLOOK.COM>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy> <MMXP12301MB16634237BE562EF02C574FFAC9020@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <alpine.OSX.2.21.1712221036290.8789@ary.qy>
In-Reply-To: <alpine.OSX.2.21.1712221036290.8789@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WxI1JpPLSfOo_ErBaxqHGXQ5sqw>

John, all,
We did some work over the holidays and a couple of weeks ago implemented something along these lines. It all seems to be working and we're collecting data about spoofs of non-existent domains and some interesting (apparent) misconfigurations that are nothing to do with DMARC.

We'll report on the results when we've got sufficient data and done the analysis.

Thanks again for the pointer!

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre

Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk

-----Original Message-----
From: John R Levine [mailto:johnl@taugh.com]
Sent: 22 December 2017 15:39
To: Ian Levy <ian.levy@ncsc.gov.uk>
Cc: Kurt Andersen (b) <kboth@drkurt.com>; dmarc@ietf.org
Subject: RE: [dmarc-ietf] Preventing abuse of public-suffix-level domains

> Thanks for this. I think we'd decided this wouldn't work (along with JISC, who currently run the authoritative DNS for gov.uk). For the life of me, I can't remember why though!

It's worth reading RFC 4592, a fairly dense description of how DNS wildcards work, to be clear about what names *.gov.uk will match and what they won't so you know what to expect.  People even within the IETF can find them confusing.

R's,
John


>
> We'll have another look at it after the holidays. We have every intention of making delegates responsible for doing something sensible in their namespace as well.
>
> Thanks again.
>
> Ta.
>
> I.
>
> --
> Dr Ian Levy
> Technical Director
> National Cyber Security Centre
>
> Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk
>
> -----Original Message-----
> From: John R Levine [mailto:johnl@taugh.com]
> Sent: 20 December 2017 17:58
> To: Kurt Andersen (b) <kboth@drkurt.com>
> Cc: Ian Levy <ian.levy@ncsc.gov.uk>; dmarc@ietf.org
> Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
>
> On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
>>> I need to be able to emulate in some way the effect of SPF and DMARC
>>> records for non-existent first level subdomains under the PSL gov.uk
>>> - to stop spoof mail apparently coming from them being delivered.
>
>> I'm quite sure that you will need to do this via synthetic records
>> being returned either by the gov.uk name servers or by having gov.uk
>> refer to a general "parked domain" name server (farm) for all of the
>> non-existent subdomains ...
>
> With your current DNS setup, you could add this, no new name servers
> needed:
>
> *.gov.uk. IN TXT "v=spf1 -all"
> *.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"
>
> This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and abc.def.gov.uk.  It won't cover names under existing subdomains, e.g. abc.mod.gov.uk but it's better than nothing.
>
> Unless the people who host your DNS are willing to let you use customized stunt servers, which seems unlikely considering who they are, that's about the best you can do without getting the cooperation of your delegatees.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
> https://jl.ly
> This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk
>
>

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
https://jl.ly
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk
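As an added illustration of what the wildcard records quoted above do and do not cover (example code written for this page, not from the thread or from any NCSC/JISC deployment), the Python below applies the RFC 4592 matching rules to a constructed zone and then performs the SPF and DMARC TXT lookups a receiver would make. The mod.gov.uk delegation, the ent.gov.uk empty non-terminal and the rua address are all assumed.

```python
# Added example (not from the thread): toy RFC 4592 lookup over a constructed
# zone, to see which names the suggested *.gov.uk TXT records actually cover.
APEX = "gov.uk"

# Constructed zone: owner -> [(type, rdata)]. mod.gov.uk stands in for an
# existing delegation; www.ent.gov.uk makes ent.gov.uk an empty non-terminal.
ZONE = {
    "gov.uk": [("NS", "ns1.example.")],
    "*.gov.uk": [("TXT", "v=spf1 -all"),
                 ("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.invalid")],
    "mod.gov.uk": [("NS", "ns.mod.example.")],
    "www.ent.gov.uk": [("A", "192.0.2.10")],
}

def existing_names(zone, apex):
    """All names that exist in the zone, including empty non-terminals
    (ancestors of an owner name that carry no records of their own)."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        while labels:
            name = ".".join(labels)
            names.add(name)
            if name == apex:
                break
            labels = labels[1:]
    return names

def lookup(zone, apex, qname, qtype):
    """RFC 4592: an existing owner always wins (an empty non-terminal gives
    NODATA, not a wildcard match); else only the closest encloser's wildcard."""
    names = existing_names(zone, apex)
    if qname in names:
        return [rd for t, rd in zone.get(qname, []) if t == qtype]
    labels = qname.split(".")[1:]
    while labels:
        ancestor = ".".join(labels)
        if ancestor in names:  # closest encloser found; try its wildcard child
            return [rd for t, rd in zone.get("*." + ancestor, []) if t == qtype]
        labels = labels[1:]
    return []

def spf_record(domain):
    """What an SPF verifier sees: TXT at the domain itself, v=spf1 only."""
    return [r for r in lookup(ZONE, APEX, domain, "TXT") if r.startswith("v=spf1")]

def dmarc_record(domain):
    """What a DMARC verifier sees: TXT at _dmarc.<domain>, v=DMARC1 only."""
    txt = lookup(ZONE, APEX, "_dmarc." + domain, "TXT")
    return [r for r in txt if r.startswith("v=DMARC1")]
```

Because gov.uk is itself on the Public Suffix List, a receiver following RFC 7489 never falls back to _dmarc.gov.uk for these names, so the wildcard is what makes any policy visible at all; names below the delegation (abc.mod.gov.uk) and below the empty non-terminal (y.ent.gov.uk) get nothing, as RFC 4592 predicts.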