[HN Gopher] Learn and Test DMARC
       ___________________________________________________________________
        
       Learn and Test DMARC
        
       Author : timsneath
       Score  : 123 points
       Date   : 2023-10-01 19:58 UTC (3 hours ago)
        
 (HTM) web link (www.learndmarc.com)
 (TXT) w3m dump (www.learndmarc.com)
        
       | normaldist wrote:
       | Appears to be operated by uriports.com, in case anyone wondered
       | where their email was going.
        
       | guessmyname wrote:
       | I sent an email via Apple's "Hide My Email" service [1].
       | 
       | > _Unhandled Promise Rejection:_
       | 
       | > _TypeError: a.from.replace( /[<]/gi," is not a function. (In
       | 'a.from.replace(/[<]/gi,"(")', 'a.from.replace(/[<]/gi,"' is
       | undefined)_
       | 
       | > _dist.min.js:3:32767_
       | 
       | This error occurred after the interface began displaying the
       | following information:
       | 
       | > _Here are the message headers and message body:_
       | 
       | > _DKIM-Signature: d=icloud.com s=1a1hai_
       | 
       | It's been over a year since the website was featured on Hacker
       | News (January 10, 2022), so I suspect that the JavaScript code
       | may have become outdated and non-functional. It's possible that
       | it never supported Safari browsers in the first place, or perhaps
       | it's a combination of both issues. Nevertheless, I've learned a
       | lot from the initial [2] and second [3] parts of the DMARC test,
       | which gives me some insight into what might be happening in the
       | subsequent steps.
       | 
       | [1] https://support.apple.com/en-us/HT210425
       | 
       | [2] dig +noall +answer -t TXT <EMAIL_DOMAIN> | grep -i SPF
       | 
       | [3] dig +noall +answer -t A <HOSTNAME>
        
         | jrockway wrote:
         | I also get the same error (in Chrome) when testing a forged
         | email:
         | 
         |     telnet learndmarc.com 25
         |     Trying 87.239.13.42...
         |     Connected to learndmarc.com.
         |     Escape character is '^]'.
         |     220 allspark.uriports.com ESMTP URIports Mail Portal 1.03.2 Sun, 01 Oct 2023 21:55:40 +0000
         |     HELO there
         |     250 allspark.uriports.com Hello <my host> [<ip address>]
         |     MAIL From: me@example.com
         |     250 OK
         |     RCPT To: ld-49101f55f6@learndmarc.com
         |     250 Accepted
         |     DATA
         |     354 Enter message, ending with "." on a line by itself
         |     .
         |     250 OK id=1qn4QF-00CUhd-5j
         | 
         | It's funny because while I was typing this, it's like "you
         | don't have to write a love letter". Maybe not, but you do have
         | to repeat the From: and To: header in the data segment, I
         | guess.
         | 
         | I remain amused at how much email I've sent over the years with
         | "HELO there" instead of my hostname in there. I also wonder
         | what % of internet traffic is "Enter message, ending with . on
         | a line by itself".
        
         | jauntywundrkind wrote:
         | You sent an email without a "from" field and it broke.
         | Programmer didn't think to test for bad users doing bad things.
         | Nothing special here, no big conspiracy.
        
           | [deleted]
        
       | [deleted]
        
       | dang wrote:
       | Related:
       | 
       |  _See how DMARC, SPF, and DKIM work interactively_ -
       | https://news.ycombinator.com/item?id=29869266 - Jan 2022 (108
       | comments)
        
         | [deleted]
        
       | ChrisArchitect wrote:
       | Bunch of discussion from 2022:
       | 
       | https://news.ycombinator.com/item?id=29869266
        
       | graypegg wrote:
       | This is so cool! I would love to see this for other protocols
       | actually, maybe SSL or something!
        
         | [deleted]
        
         | supriyo-biswas wrote:
         | For TLS, there's https://bytebybyte.dev/ and
         | https://tls13.xargs.org/
        
           | teddyh wrote:
           | See also: <https://webencrypt.org/illustrated-tls/>
        
             | supriyo-biswas wrote:
             | (For reference, the original is here,
             | https://tls13.xargs.org/)
        
         | [deleted]
        
         | patmorgan23 wrote:
         | https://www.ssllabs.com/ssltest/
        
       | pests wrote:
       | Very cool.
       | 
       | > For DMARC to pass, DKIM and/or SPF checks need to pass and the
       | domains must be in alignment.
       | 
       | AFAIK this is incorrect.
       | 
       | It is not "and/or" but rather "or" - only DKIM or SPF needs to
       | pass. There is no method to require both.
        
         | rob-olmos wrote:
         | Dunno why you're being downvoted, you're correct that it's only
         | "or".
        
         | bawolff wrote:
         | I think you are just misparsing their grammar. I believe and/or
         | just means inclusive or. It does not mean "and" is necessarily
         | an option.
        
           | pests wrote:
           | I think it's unambiguous. If they want "and/or" to just mean
           | inclusive or, why not just use "or"? It's shorter, simpler,
           | easier to understand. I also feel "and/or" in general usually
           | means either option is possible/acceptable.
           | 
           | The point I was making is that "DMARC passes if DKIM _and_
           | SPF pass" and "DMARC passes if DKIM _or_ SPF passes" are
           | both true - you can't specify "DMARC passes if, and only if,
           | DKIM _and_ SPF pass"
        
         | pests wrote:
         | This was a recent problem with Cloudflare's partnership with
         | MailChannels[1] that allowed email spoofing which was related
         | to this.
         | 
         | The basic problem being that mailchannel did not require
         | authentication - cloudflare workers could just hit an API
         | endpoint on mailchannel to send email. Mailchannel required you
         | to add an include: record to your SPF policy. This allowed
         | anyone to impersonate anyone else due to mailchannel being a
         | valid sender for all domains.
         | 
         | Only ~400 domains of the 2M hosted had DKIM set up but even if
         | they did the passing SPF caused DMARC to pass.
         | 
         | [1] https://blog.cloudflare.com/sending-email-from-workers-
         | with-...
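
Added example (my own code, not from the thread or learndmarc.com) of the rule pests is describing in this comment and in the "or, not and/or" exchange above: DMARC evaluation as RFC 7489 defines it, with relaxed/strict identifier alignment, run over constructed scenarios including the shared-relay, no-DKIM case. The organizational-domain helper is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification: real evaluators consult the Public Suffix List.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain),
    # as set by the aspf= / adkim= tags of the DMARC record.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain of the message
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # MAIL FROM domain the SPF check was run against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= of the verified signature, "" if none

def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    # RFC 7489: pass if EITHER authenticated identifier passes AND aligns.
    # There is no record tag that makes both mandatory.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return spf_ok or dkim_ok

# Constructed scenarios. The first mirrors the shared-relay case in the thread:
# the domain added an include: for the relay and has no DKIM, so any message the
# relay emits with a matching envelope domain passes SPF, aligns, and passes DMARC.
SHARED_RELAY_NO_DKIM = AuthResults("corp.example", "pass", "corp.example", "none", "")
# Forwarded mail: SPF breaks, but an intact aligned DKIM signature is enough.
FORWARDED_DKIM_ONLY = AuthResults("corp.example", "fail", "fwd.example",
                                  "pass", "mail.corp.example")
# Both mechanisms pass but neither identifier aligns with the From domain.
UNALIGNED = AuthResults("corp.example", "pass", "relay.example", "pass", "relay.example")

if __name__ == "__main__":
    for name, r in (("shared relay, no DKIM", SHARED_RELAY_NO_DKIM),
                    ("forwarded, DKIM only", FORWARDED_DKIM_ONLY),
                    ("unaligned", UNALIGNED)):
        print(f"{name}: DMARC {'pass' if dmarc_pass(r) else 'fail'}")
```

The defensive takeaway is the one the thread reaches: an include: for a shared sender is only as safe as that sender's own tenant isolation, since a passing aligned SPF result alone satisfies DMARC.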
        
           | bawolff wrote:
           | I mean I don't think requiring DKIM would stop attacks based
           | on totally broken authentication. In that scenario, mailchimp
           | might as well be signing the emails for the incorrect domain
           | as well.
        
             | pests wrote:
             | True. MailChannels, not MailChimp though. They handle email
             | for a lot of webhosting providers.
        
         | sylware wrote:
         | And if you use IP address literals instead of paying for a
         | domain, you get a free SPF:
         | 
         | If the "From:"/"Reply-To:" fields contain only the email
         | address with the IP address literal, you get your "SPF" and it
         | gets a much better score in order to avoid grey listing for the
         | first transaction. And if there are no URLs in the content,
         | even better.
         | 
         | But that is common sense.
        
       | amelius wrote:
       | This is how email is _supposed_ to work. In reality, there are
       | whitelists ...
        
       | ingen0s wrote:
       | Dope af
        
       ___________________________________________________________________
       (page generated 2023-10-01 23:00 UTC)