[conspire] (forw) Re: Vulnerability Report (DMARC RECORD)

Rick Moen rick at linuxmafia.com
Mon Jul 5 15:33:34 PDT 2021


Follow-up:

> Date: Thu,  1 Jul 2021 14:54:13 +0300 (EEST)
> From: ethical.security.researcher at inbox.eu
> To: rick at linuxmafia.com
> Subject: Vulnerability Report (DMARC RECORD)
> 
> Hello Team,
> I am a security researcher and I found this vulnerability.
[...]


> Date: Thu, 1 Jul 2021 15:33:19 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: ethical.security.researcher at inbox.eu
> Subject: Re: Vulnerability Report (DMARC RECORD)
> 
> It should be impossible to believably forge my domain's SMTP because
> since 2001 my domain has published a strongly asserted (hardfail) SPF
> record that declares any mail originating from an IP other than mine 
> forged, and recommending rejecting it:

[snip rest of my carefully polite response, where I thank him
for caring, and suggest how he might be able to make his "Vulnerability
Report" more meaningful in the future]


And... four days later, not a peep from this guy.  Crickets.

I don't want to make it seem like I'm complaining, but I go through this
sort of firedrill a _lot_.  To recap:

1.  A self-described white-hat security researcher first writes to me
    with a very vague but kind-of breathless e-mail (that I didn't
    forward here) offering to let me know about major security
    vulnerabilities in my site, and asking whether I offer bug 
    bounties for disclosure of security bugs.

    That is a fraught situation for a site operator like me:  Someone
    just said "Dude, you're wide open to attack, and I might be 
    willing to tell you how.  Are you offering money?"  A lot of, say,
    corporate CTOs utterly freak out when they get such mails, making the
    somewhat paranoid inference of a threatened attack if they don't 
    pay.  Sometimes, the CTOs start spewing out legal threats, etc.
    (which, needless to say, is a bad plan).

    I wasn't willing to pay bug bounties.  For one thing, I'm not
    exactly General Motors.  But I also didn't want to be rude, 
    ungrateful, or dismissive of an offer of security insights, either.
    It seemed best to be honest, polite, and communicative, be clear
    I wouldn't be offering money, but say that I'd be grateful to hear
    anything I didn't already know.  

    _And_, I made double-sure I had current, complete, verified, 
    off-system backups, just in case someone _did_ have a means to
    remotely blow away my system, and for some reason hated me.

    Anyway, I made sure to write my response to him with a _lot_ of
    care to be concise, clear, and really nice and inviting.  Which
    naturally chewed up a good chunk of time.

2.  So, two days later, on July 1st, the white-hat security guy's
    big, earthshaking security "vulnerability report" arrives --
    the one I forwarded.  After all that care on my part...

    (a) It's a fscking form letter.

    (b) Despite the claim that he knew about a major security
    vulnerability in my site, it's _not_ about any security hole
    in my site at all.  It's a claim that he could forge SMTP mail
    (credibly) claiming to be from my domain.

    (c) Which he can't actually do, so the claim is factually wrong.
    Because my domain's SPF record means he can't.

    (d) The entire basis for his security report was that the 
    "white-hat security researcher" ran a third-party CGI against
    my domain, and _it_ claimed my DNS lacks a DMARC record.

    (e) But even that's _wrong_, as my domain has a (deliberately
    non-compliant) DMARC record, that explains why I don't
    implement DMARC and that my SPF record averts believable forgery.

    (f) And the "security researcher" didn't notice any of this, 
    because the security researcher didn't bother to _do any_ security
    research -- as is _very_ obvious from his form letter.  Among
    other things, he never actually personally queried, and never
    read, the contents of TXT record _dmarc.linuxmafia.com,
    or he'd have known that.

    (g) Having done _no work_, and having received a (slightly wrong)
    claim from the third-party CGI that my domain lacks a DMARC
    record, the "security researcher" then claimed to have sent a
    forged e-mail claiming to be from my domain, made possible by
    my domain's lack of DMARC declaration -- but it's obvious that
    he never _did_ send any such e-mail, as Yahoo's DMARC standard 
    spec requires observance of SPF, and any attempt to forge my 
    domain's mail that checked DMARC _would have been rejected_
    because of SPF failure.  

    So, basically the guy lied.

    (h) And, at the end of the form letter, the "security researcher"
    held out the tin cup, again, wanting to get paid for having 
    fed the letters "linuxmafia.com" into someone else's Web CGI,
    mindlessly misinterpreting its report, and lying about having
    proved via supposed-but-nonexistent confirmatory test my domain 
    being vulnerable to SMTP forgery.  For this, he wanted money?

3.  Nonetheless, despite the misrepresentation, the lazy failure 
    to check work, and the lying, I sent a follow-up e-mail,
    every bit as cordial as the first one, explaining _without_ 
    any accusatory tone that, no, his "vulnerability report"
    was not correct, _why_ it was incorrect, and how he could
    better serve the public and better implement his alleged
    professional expertise by improving his attention to
    detail in the future.

    I threw in some extra-niceness by presupposing he merely
    needs to do some further debugging of his testing script,
    and that he merely needs to repair it.  That is an 
    optimistic assumption:  On the evidence, it might be 
    that this "security researcher" doesn't ever do jack, and 
    merely runs other people's reporting tools off the public Web, 
    doesn't bother to understand what they say and what their
    limitations are, and expects strangers to send him money
    just for doing that.

4.  For all my pains, I got... crickets.  Not one damned word back.
    Seems like he's now off to shake the tin cup at somebody
    else, then.


My point:  Understand that this is the reality of running a well-known
Internet domain in 2021.  You're expected to be nice, and also
thoughtful, and also generous with your time and care, to unknown remote
persons who _might_ be competent white-hats, or _might_ be black-hats
trying to shake you down for money who will then destroy your site if
they're even slightly annoyed or for no reason at all, with or without
payment, or _might_ be dipsticks only barely smart enough to type a
domain's name into mxtoolbox.com/DMARC.aspx and send technically
incompetent, flimsy lies back to the domain's owner about the result.
You never know, in advance, which of the three it will prove to be.
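The check the post says the "researcher" never did is to read the domain's SPF and `_dmarc` TXT records and interpret them, rather than trusting a third-party web form's summary. The script below is an added example, not part of Rick's message or anything linuxmafia.com publishes: it parses SPF and DMARC record text and writes down what each one actually asserts, in particular whether the SPF `all` qualifier is hardfail (`-all`), which is what lets receivers reject mail from unauthorised hosts regardless of DMARC. The record strings are constructed for the demonstration and are not any real domain's records; fetching live TXT records (for example with `dig TXT _dmarc.example.org`) is left to the reader so the script runs offline.

```python
"""Interpret SPF and DMARC TXT records before calling a domain forgeable.

Added example; not code from the mailing-list post. The sample records
below are constructed for illustration and are NOT the records of
linuxmafia.com or any other real domain.
"""
import re

# Constructed sample records (hypothetical values, not real DNS data).
SAMPLE_SPF = "v=spf1 ip4:198.51.100.10 -all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"

# What each qualifier on the SPF 'all' mechanism tells a receiving MTA.
_ALL_MEANING = {
    "-": "hardfail (mail from other senders should be rejected)",
    "~": "softfail (mail from other senders is suspicious, not rejected)",
    "?": "neutral (no assertion about other senders)",
    "+": "pass (any sender allowed; the record protects nothing)",
}


def parse_spf(txt):
    """Parse an SPF TXT record into its terms.

    Returns None when txt is not an SPF record; otherwise a dict with the
    (qualifier, mechanism) pairs, any modifiers such as redirect=, and the
    qualifier found on the 'all' mechanism (None if 'all' is absent).
    """
    if not txt.lower().startswith("v=spf1"):
        return None
    result = {"terms": [], "modifiers": {}, "all": None}
    for term in txt.split()[1:]:
        # Modifiers (redirect=, exp=) carry '=' and never a qualifier prefix.
        if term[0] not in "+-~?" and "=" in term:
            name, value = term.split("=", 1)
            result["modifiers"][name.lower()] = value
            continue
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result["terms"].append((qualifier, term))
        # Mechanism name is everything before the first ':' or '/'.
        name = re.split(r"[:/]", term, 1)[0].lower()
        if name == "all":
            result["all"] = qualifier
    return result


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('tag=value; ...') into a dict.

    Returns None when the record does not start with v=DMARC1.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_txt, dmarc_txt):
    """Return the findings a reviewer should record for a domain.

    spf_txt / dmarc_txt are the TXT record strings (None if the lookup
    returned nothing). Each finding is a plain string; the last one states
    whether SPF alone already lets receivers reject mail from hosts the
    domain did not authorise.
    """
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no record; SPF offers no protection")
    elif spf["all"] is None and "redirect" in spf["modifiers"]:
        findings.append("SPF: policy delegated via redirect=%s; evaluate that domain"
                        % spf["modifiers"]["redirect"])
    else:
        findings.append("SPF: all=%s -> %s" % (
            spf["all"] or "absent",
            _ALL_MEANING.get(spf["all"], "neutral by default")))

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no record at _dmarc.<domain>")
    elif "p" not in dmarc:
        # A record without the required 'p' tag is present but non-compliant.
        findings.append("DMARC: record present but lacks the required 'p' tag")
    else:
        findings.append("DMARC: p=%s" % dmarc["p"])

    hardfail = bool(spf) and spf["all"] == "-"
    findings.append("forgery from an unauthorised IP rejectable by SPF alone: %s"
                    % ("yes" if hardfail else "no"))
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_SPF, SAMPLE_DMARC):
        print(line)
```

Note that a DMARC record can exist and still say nothing enforceable (`p=none`, or a record missing `p` altogether), while a `-all` SPF record already gives receivers grounds to reject mail from any IP the domain did not list; a report that only says "no DMARC record found" has not established that the domain can be credibly forged.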
