The Grumpy Troll

Ramblings of a grumpy troll.

Mailing-list recipient disclosures with DMARC, redux

In February, I wrote the post How private is your mailing-list subscriber list?.

It gets worse.

Combine authentication-failure reports, VERP, mailing-lists and what appears to be a buggy verifier.

VERP is Variable Envelope Return Path, a name for a technique where a mailing-list encodes information about the recipient's email address into the SMTP Envelope Sender. This is used so that if there is a delivery problem, the "bounce" which comes back will, for any not-massively-broken mail-system generating the bounce, identify the subscriber to the list who had problems. This way, the list can automatically disable delivery as needed, etc.

I sent mail today to a mailing-list; the list did not adjust the content of the message in a way that affected DKIM verification: the copy I received back passed DKIM verification. The list uses VERP. I sign with DKIM and have a DMARC policy published in DNS.

As a result, 163.com have let me know the exact email address for one of their users who is subscribed to the mailing-list.

The message sent was “multipart/report”, which is reasonable and expected. The first part was the human-targetted blurb:
This is a spf/dkim authentication-failure report for an email message received from IP 203.24.36.2 on Wed, 18 Jul 2012 07:58:45
+0800.
Below is some detail information about this message:
1. SPF-authenticated Identifiers: none;
2. DKIM-authenticated Identifiers: none;
3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;

The second part was of type “message/feedback-report” and here is the censored content:
Feedback-Type: auth-failure
User-Agent: NtesDmarcReporter/1.0
Version: 1
Original-Mail-From: <LISTNAME-return-17180-RECIPLHS=163.com@LISTDOMAIN>
Arrival-Date: Wed, 18 Jul 2012 07:58:45 +0800
Source-IP: TROLL_CENSORED
Reported-Domain: spodhuis.org
Original-Envelope-Id: TcCowECZbXYy_AVQABUECQ--.1414S2
Authentication-Results: 163.com; spf=none smtp.mailfrom=LISTNAME-return-17180-RECIPLHS=163.com@LISTDOMAIN
Delivery-Result: delivered

So, I receive back a copy of the message because I'm subscribed, it passes validation. Somewhere between the list hosting in the USA and the recipient's email provider in China, something happened to the message which caused DKIM validation to fail; the mailing-list was in the envelope sender, etc etc, but the DMARC policy for the email address used in the From: header resulted in the DMARC notification recipient for my domain spodhuis.org finding out about a recipient of the mailing-list.

For lists with open subscription, this isn't a major hole. For lists with closed subscriber lists, it is a troubling disclosure.

I think, but am not certain, that the problem in this case is a faulty email verifier at 163.com rather than a problem with the DMARC specification itself.

-The Grumpy Troll
Categories: email dkim VERP dmarc privacy