I am using the latest version of OpenDMARC and while playing with DMARC reporting, I came across a few issues that could raise opportunities for attackers to exploit.
There is no verification check when an external email address is specified in the rua tag of the sender's DMARC record. The RFC recommends a verification strategy as defined here (https://datatracker.ietf.org/doc/html/rfc7489#section-7.1).
If multiple emails come from the same organizational domain, OpenDMARC shoots out separate reports for each received email even if the rua addresses are the same. This, combined with the absence of an external destination verification mechanism, can open up an opportunity for attackers to flood any mailbox they want. Therefore, reports for the same organizational domain within the same reporting window should be aggregated.
Thanks.
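The two mitigations the issue asks for, as an added example that is not OpenDMARC's code: the external destination verification from RFC 7489 section 7.1 (before reporting to a mailto: address outside the policy domain, require a TXT record at `<policy_domain>._report._dmarc.<destination_domain>` that starts with `v=DMARC1`) and per-domain aggregation within a reporting window. The DNS resolver is injected so the block runs offline against a constructed zone; `FAKE_ZONE`, `fake_resolve`, the `MessageRecord`/`AggregateReport` types and the two-label organizational-domain test are assumptions for illustration (a real implementation would use a Public Suffix List lookup and a real resolver).

```python
"""Added example (not OpenDMARC's code): external-destination verification
per RFC 7489 section 7.1, plus aggregation of per-message records into one
report per organizational domain and reporting window."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]  # DNS name -> list of TXT strings


def _mailto_domain(uri: str) -> str:
    """Lowercase domain of a mailto: URI, or '' if it is not a mailto: URI."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto" or "@" not in parts.path:
        return ""
    return parts.path.rsplit("@", 1)[1].lower()


def _same_org(a: str, b: str) -> bool:
    """Assumed crude organizational-domain test: the last two labels match.
    A real implementation would consult the Public Suffix List."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def verified_rua_targets(policy_domain: str, rua: str, resolve: Resolver) -> List[str]:
    """Return only those mailto: URIs from a rua= tag that may receive reports."""
    policy_domain = policy_domain.lower()
    accepted = []
    for uri in (u.strip() for u in rua.split(",") if u.strip()):
        dest = _mailto_domain(uri)
        if not dest:
            continue  # only mailto: destinations are handled here
        if _same_org(policy_domain, dest):
            accepted.append(uri)  # internal destination, no verification needed
            continue
        # External destination: it must publish consent for this policy domain
        # (RFC 7489 section 7.1), otherwise the report is not sent.
        name = f"{policy_domain}._report._dmarc.{dest}"
        if any(txt.strip().lower().startswith("v=dmarc1") for txt in resolve(name)):
            accepted.append(uri)
    return accepted


@dataclass
class MessageRecord:
    org_domain: str
    source_ip: str
    disposition: str   # none / quarantine / reject
    received_at: int   # Unix seconds


@dataclass
class AggregateReport:
    org_domain: str
    window_start: int
    window_end: int
    count: int = 0
    by_source: Dict[str, int] = field(default_factory=dict)


def aggregate(records: List[MessageRecord], window_seconds: int = 86400) -> List[AggregateReport]:
    """Collapse per-message records into one report per (org domain, window)."""
    buckets: Dict[tuple, AggregateReport] = {}
    for r in records:
        start = r.received_at - (r.received_at % window_seconds)
        key = (r.org_domain.lower(), start)
        rep = buckets.get(key)
        if rep is None:
            rep = AggregateReport(key[0], start, start + window_seconds)
            buckets[key] = rep
        rep.count += 1
        rep.by_source[r.source_ip] = rep.by_source.get(r.source_ip, 0) + 1
    return [buckets[k] for k in sorted(buckets)]


# Constructed DNS data for offline demonstration (not real zone contents).
FAKE_ZONE = {
    # reports.example.net consents to receive reports about example.com
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
    # victim.example.org publishes nothing: reports must not be sent there
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ZONE.get(name.lower(), [])


if __name__ == "__main__":
    rua = ("mailto:dmarc@example.com, mailto:agg@reports.example.net, "
           "mailto:anyone@victim.example.org")
    print(verified_rua_targets("example.com", rua, fake_resolve))
    recs = [MessageRecord("example.com", "192.0.2.1", "reject", 100),
            MessageRecord("example.com", "192.0.2.2", "reject", 200),
            MessageRecord("example.com", "192.0.2.1", "none", 86405),
            MessageRecord("other.example", "198.51.100.7", "quarantine", 150)]
    for rep in aggregate(recs):
        print(rep)
```

With the constructed zone, the unverified address at `victim.example.org` is dropped from the target list, and the three `example.com` messages in the first window become a single report instead of three.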