[conspire] (forw) Re: Vulnerability Report (DMARC RECORD)
Rick Moen
rick at linuxmafia.com
Mon Jul 5 15:33:34 PDT 2021
Follow-up:
> Date: Thu, 1 Jul 2021 14:54:13 +0300 (EEST)
> From: ethical.security.researcher at inbox.eu
> To: rick at linuxmafia.com
> Subject: Vulnerability Report (DMARC RECORD)
>
> Hello Team,
> I am a security researcher and I found this vulnerability.
[...]
> Date: Thu, 1 Jul 2021 15:33:19 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: ethical.security.researcher at inbox.eu
> Subject: Re: Vulnerability Report (DMARC RECORD)
>
> It should be impossible to believably forge my domain's SMTP because
> since 2001 my domain has published a strongly asserted (hardfail) SPF
> record that declares any mail originating from an IP other than mine
> forged, and recommending rejecting it:
[snip rest of my carefully polite response, where I thank him
for caring, and suggest how he might be able to make his "Vulnerability
Report" more meaningful in the future]
And... four days later, not a peep from this guy. Crickets.
I don't want to make it seem like I'm complaining, but I go through this
sort of firedrill a _lot_. To recap:
1. A self-described white-hat security researcher first writes to me
with a very vague but kind-of breathless e-mail (that I didn't
forward here) offering to let me know about major security
vulnerabilities in my site, and asking whether I offer bug
bounties for disclosure of security bugs.
That is a fraught situation for a site operator like me: Someone
just said "Dude, you're wide open to attack, and I might be
willing to tell you how. Are you offering money?" A lot of, say,
corporate CTOs utterly freak out when they get such mails, making the
somewhat paranoid inference of a threatened attack if they don't
pay. Sometimes, the CTOs start spewing out legal threats, etc.
(which, needless to say, is a bad plan).
I wasn't willing to pay bug bounties. For one thing, I'm not
exactly General Motors. But I also didn't want to be rude,
ungrateful, or dismissive of an offer of security insights, either.
It seemed best to be honest, polite, and communicative, be clear
I wouldn't be offering money, but say that I'd be grateful to hear
anything I didn't already know.
_And_, I made double-sure I had current, complete, verified,
off-system backups, just in case someone _did_ have a means to
remotely blow away my system, and for some reason hated me.
Anyway, I made sure to write my response to him with a _lot_ of
care to be concise, clear, and really nice and inviting. Which
naturally chewed up a good chunk of time.
2. So, two days later, on July 1st, the white-hat security guy's
big, earthshaking security "vulnerability report" arrives --
the one I forwarded. After all that care on my part...
(a) It's a fscking form letter.
(b) Despite the claim that he knew about a major security
vulnerability in my site, it's _not_ about any security hole
in my site at all. It's a claim that he could forge SMTP mail
(credibly) claiming to be from my domain.
(c) Which he can't actually do, so the claim is factually wrong.
Because my domain's SPF record means he can't.
(d) The entire basis for his security report was that the
"white-hat security researcher" ran a third-party CGI against
my domain, and _it_ claimed my DNS lacks a DMARC record.
(e) But even that's _wrong_, as my domain has a (deliberately
non-compliant) DMARC record, that explains why I don't
implement DMARC and that my SPF record averts believable forgery.
(f) And the "security researcher" didn't notice any of this,
because the security researcher didn't bother to _do any_ security
research -- as is _very_ obvious from his form letter. Among
other things, he never actually personally queried, and never
read, the contents of TXT record _dmarc.linuxmafia.com,
or he'd have known that.
(g) Having done _no work_, and having received a (slightly wrong)
claim from the third-party CGI that my domain lacks a DMARC
record, the "security researcher" then claimed to have sent a
forged e-mail claiming to be from my domain, made possible by
my domain's lack of DMARC declaration -- but it's obvious that
he never _did_ send any such e-mail, as Yahoo's DMARC standard
spec requires observance of SPF, and any attempt to forge my
domain's mail that checked DMARC _would have been rejected_
because of SPF failure.
So, basically the guy lied.
(h) And, at the end of the form letter, the "security researcher"
held out the tin cup, again, wanting to get paid for having
fed the letters "linuxmafia.com" into someone else's Web CGI,
mindlessly misinterpreting its report, and lying about having
proved, via a supposed-but-nonexistent confirmatory test, that my
domain is vulnerable to SMTP forgery. For this, he wanted money?
3. Nonetheless, despite the misrepresentation, the lazy failure
to check work, and the lying, I sent a follow-up e-mail,
every bit as cordial as the first one, explaining _without_
any accusatory tone that, no, his "vulnerability report"
was not correct, _why_ it was incorrect, and how he could
better serve the public and better implement his alleged
professional expertise by improving his attention to
detail in the future.
I threw in some extra-niceness by presupposing he merely
needs to do some further debugging of his testing script,
and that he merely needs to repair it. That is an
optimistic assumption: On the evidence, it might be
that this "security researcher" doesn't ever do jack, and
merely runs other people's reporting tools off the public Web,
doesn't bother to understand what they say and what their
limitations are, and expects strangers to send him money
just for doing that.
4. For all my pains, I got... crickets. Not one damned word back.
Seems like he's now off to shake the tin cup at somebody
else, then.
My point: Understand that this is the reality of running a well-known
Internet domain in 2021. You're expected to be nice, and also
thoughtful, and also generous with your time and care, to unknown remote
persons who _might_ be competent white-hats, or _might_ be black-hats
trying to shake you down for money who will then destroy your site if
they're even slightly annoyed or for no reason at all, with or without
payment, or _might_ be dipsticks only barely smart enough to type a
domain's name into mxtoolbox.com/DMARC.aspx and send technically
incompetent, flimsy lies back to the domain's owner about the result.
You never know, in advance, which of the three it will prove to be.
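The technical point of the post above, that an SPF hardfail record rejects forged mail on its own and that a lookup tool reporting "no DMARC record" says nothing about forgeability, can be shown with a small offline evaluator. The following is an added example, not code from the post or from linuxmafia.com. The DNS TXT data is constructed (RFC 5737 documentation addresses, example.org and a made-up softfail.example), not the real linuxmafia.com records; only the ip4/ip6/all SPF mechanisms are implemented, DKIM is omitted, and the From: header domain is assumed to be the same as the envelope-sender domain (so DMARC alignment reduces to the SPF result).

```python
"""Minimal offline SPF/DMARC evaluator (added example; constructed data).

Shows why a domain can publish no DMARC1 policy and still be unforgeable
to any receiver that honours SPF '-all', and what a DMARC p=reject adds
when the SPF record only softfails ('~all').
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (name -> list of TXT strings).
# NOT the real linuxmafia.com records; addresses are RFC 5737 ranges.
FAKE_DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"],
    # A TXT record at _dmarc.<domain> that is deliberately not a DMARC1
    # policy: a web lookup tool will report "no DMARC record" for this.
    "_dmarc.example.org": ["No DMARC policy is published here; SPF is -all."],
    "softfail.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "_dmarc.softfail.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@softfail.example"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Return TXT strings for a name from the constructed table."""
    return FAKE_DNS_TXT.get(name.lower().rstrip("."), [])


def get_spf(domain):
    """Return the domain's SPF record, or None if absent/ambiguous (RFC 7208 wants exactly one)."""
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, sender_ip):
    """Evaluate sender_ip against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none.  Only the ip4,
    ip6 and all mechanisms are handled (a, mx, include, exists are omitted).
    """
    record = get_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6") and arg:
            # ipaddress returns False for a v4 address tested against a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # no mechanism matched (RFC 7208 default)


def get_dmarc_policy(domain):
    """Return the tag dict of a valid DMARC1 record at _dmarc.<domain>, else None.

    A TXT record that does not start with v=DMARC1 and carry a p= tag is
    not a policy, which is exactly what an automated checker reports as
    "no DMARC record".
    """
    for rec in lookup_txt("_dmarc." + domain):
        tags = {}
        for part in rec.split(";"):
            key, sep, value = part.strip().partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        if tags.get("v") == "DMARC1" and "p" in tags:
            return tags
    return None


def receiver_verdict(domain, sender_ip):
    """Rough verdict of a receiver that honours SPF hardfail and DMARC policy.

    Assumes the From: domain equals the envelope-sender domain and that no
    DKIM signature is present, so DMARC alignment depends on SPF alone.
    """
    spf = check_spf(domain, sender_ip)
    if spf == "fail":
        return "reject (SPF hardfail)"
    dmarc = get_dmarc_policy(domain)
    if dmarc and spf != "pass":
        if dmarc["p"] == "reject":
            return "reject (DMARC p=reject, SPF not aligned)"
        if dmarc["p"] == "quarantine":
            return "quarantine (DMARC p=quarantine, SPF not aligned)"
    return "accept"


if __name__ == "__main__":
    # A forger on 203.0.113.5 tries both constructed domains.
    for d in ("example.org", "softfail.example"):
        print(d, "SPF:", check_spf(d, "203.0.113.5"),
              "DMARC:", get_dmarc_policy(d), "->", receiver_verdict(d, "203.0.113.5"))
```

Run as-is, the forgery against example.org is rejected on the SPF hardfail even though `get_dmarc_policy` returns None, which is the case the post describes; the forgery against softfail.example is only rejected because its DMARC p=reject turns the SPF softfail into a rejection. That difference is what DMARC actually adds, and it is the check a report such as the one quoted above would have had to perform before claiming the domain was forgeable.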