DMARC mitigation fails if TXT record name contains uppercase
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GNU Mailman | Fix Released | Low | Mark Sapiro | |

Bug Description
Using Mailman 2.1.33. I noticed that occasionally, DMARC mitigations for aol.com "From" addresses were not being applied.
I tracked this down to the fact that DNS records can in rare cases return "AOL" in uppercase in the answer of the TXT record lookup. Here's an example where I caught it happening:
```
$ dig _dmarc.aol.com TXT
[...]
;; QUESTION SECTION:
;_dmarc.aol.com. IN TXT
;; ANSWER SECTION:
_dmarc.AOL.com. 492 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:<email address hidden>; ruf=mailto:<email address hidden>;"
```
Note that we requested "_dmarc.aol.com" in the question section, but got back "_dmarc.AOL.com" in the answer section. That case mismatch makes this code in Mailman/Utils.py skip the record:
```python
for name in want_names:
    if name not in results_by_name:
```
I believe the solution is to lowercase the result after the lookup. Patch attached.
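
The mismatch described in the report, reproduced offline as an added example (not Mailman's code and not the attached patch). The function names, the `fold_case` switch and the sample answer are assumptions constructed for illustration; the answer tuple mimics the dig output above with the hidden addresses omitted.

```python
# Added illustration; not Mailman's code and not the patch attached to this bug.
# DNS names are case-insensitive, so keys built from an answer section must be
# normalised before they are compared with the name that was queried.

# Constructed sample answer: (owner name, TXT data), with the owner-name case
# changed the way the dig output in the report shows.
SAMPLE_ANSWER = [
    ("_dmarc.AOL.com.", "v=DMARC1; p=reject; pct=100;"),
]


def normalize(name):
    """Lowercase a DNS name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def index_answer(answer, fold_case):
    """Group TXT strings by owner name, optionally case-folding the key."""
    results_by_name = {}
    for owner, txt in answer:
        key = normalize(owner) if fold_case else owner
        results_by_name.setdefault(key, []).append(txt)
    return results_by_name


def dmarc_policy(answer, queried_name, fold_case=True):
    """Return the p= value of the DMARC record for queried_name, or None."""
    results_by_name = index_answer(answer, fold_case)
    want = normalize(queried_name) if fold_case else queried_name
    for txt in results_by_name.get(want, []):
        if not txt.lower().startswith("v=dmarc1"):
            continue
        for tag in txt.split(";"):
            key, _, value = tag.partition("=")
            if key.strip().lower() == "p":
                return value.strip().lower()
    return None


if __name__ == "__main__":
    # Exact-match keys: the record is skipped, so no mitigation is triggered.
    print(dmarc_policy(SAMPLE_ANSWER, "_dmarc.aol.com.", fold_case=False))
    # Case-folded keys: the reject policy is found.
    print(dmarc_policy(SAMPLE_ANSWER, "_dmarc.aol.com."))
```
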
Changed in mailman: status: Triaged → Fix Committed

Changed in mailman: status: Fix Committed → Fix Released

Thank you for the report. I've never seen this (or maybe just never noticed it), but I accept that it happens. I suspect at some point Mailman may have received a message From: <email address hidden> and looked up _dmarc.AOL.com in DNS and a result is cached. This message may be properly mitigated because there was no case mismatch, but a subsequent message From: <email address hidden> gets the cached result and there is a case mismatch.
However, when I try `dig _dmarc.aol.com TXT` and `dig _dmarc.AOL.com TXT` multiple times in succession the case in the answer always matches the question, so that may not be the reason.