Add dnsdmarc module, address #1626 #2044
Open
Adds dnsdmarc module, refer to #1626 for more info.
Addresses #1626, partial relevance to #1682
I feel this needs some review, particularly for the VULNERABILITY events that are emitted.
e.g.
For anyone reviewing, the following domains and sample scan outputs/events are worth considering.
Sample scans/events,
apple.com, RUA+RUF email addresses, no vulnerabilities.
mastodon.social, RUA email only, sub-domains likely vulnerable to spoofing in some way,
mastodon.com (a common mistake when trying to get to mastodon's web presence and what I'd use if I wanted to appear to be sending emails from "Mastodon" ;-) ), no DMARC policy, spoofability limited only by SPF.
33across.com - totally default "report-only" policy except there's no RUA or RUF destination provided.
adriver.ru - wildcard TXT responses are also returned, dnsdmarc module correctly ignores them for anything other than RAW_DNS_RECORD events.
w55c.net - RFC non-compliant DMARC policy due to v=DMARC; instead of v=DMARC1; and extra " at end of TXT content.
onenote.net - wildcard SPF TXT response only, no DMARC policy.
themoviedb.org - totally invalid TXT/CNAME configuration...
webex.com - partial (in fact zero) enforcement,
richaudience.com - invalid policy action due to typo,
Sample SIEM-friendly JSON event,
Another one,
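
The record conditions listed in the description above (wildcard TXT answers, a malformed version tag, a mistyped policy action, zero-percent enforcement, a report-only policy with no report address) can be told apart with a small classifier. This is an added example, not code from this pull request or the dnsdmarc module; the function names, finding labels and sample TXT strings are constructed for illustration.

```python
import re

ENFORCING = {"quarantine", "reject"}  # finding labels below are hypothetical names

def parse_dmarc(txt):
    """Return the tag dict of a TXT value, or None unless it begins with v=DMARC1."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit(txt_records):
    """Sorted findings for the TXT answers returned at _dmarc.<domain>."""
    # Wildcard answers (SPF, site verification) are not DMARC candidates.
    candidates = [t for t in txt_records if re.match(r"\s*v\s*=\s*dmarc", t, re.I)]
    policies = [p for p in map(parse_dmarc, candidates) if p is not None]
    if not policies:
        return ["malformed-record"] if candidates else ["no-dmarc-policy"]
    if len(policies) > 1:
        return ["multiple-records"]  # RFC 7489: DMARC is not applied in this case
    tags, findings = policies[0], set()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.add("monitor-only")
    elif policy not in ENFORCING:
        findings.add("invalid-policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.add("invalid-pct")
    elif policy in ENFORCING and int(pct) < 100:
        findings.add("partial-enforcement")
    if policy in ENFORCING and tags.get("sp", policy).lower() == "none":
        findings.add("subdomain-monitor-only")
    if "rua" not in tags and "ruf" not in tags:
        findings.add("no-report-destination")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed TXT values, not the live records of any domain named above.
    for rec in (["v=spf1 -all"], ['v=DMARC; p=none"'], ["v=DMARC1; p=none"],
                ["v=DMARC1; p=quarantine; pct=0; rua=mailto:d@example.com"]):
        print(rec, "->", audit(rec))
```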