[tor-bugs] #12821 [TorBirdy]: using torbirdy + thunderbird: domains emailing with dmarc

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 7 07:54:55 UTC 2014 

#12821: using torbirdy + thunderbird: domains emailing with dmarc
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  ioerror
     Type:  project                              |         Status:  new
 Priority:  normal                               |      Milestone:
Component:  TorBirdy                             |        Version:  Tor:
 Keywords:  torbirdy, thunderbird, dmarc, dkim,  |  unspecified
  adsp, spf, email                               |  Actual Points:
Parent ID:                                       |         Points:
-------------------------------------------------+-------------------------
 im a little concerned about the following and still trying to figure it
 out:

 ...[i also realise it may be difficult to test without having specific
 access to a domain with dmarc setup]...

 PM me or ping back on tor-talk - i have a domain with dnssec, dkim, adsp,
 spf, dmarc - im doing some testing with NIST soon at had-pilot.biz
 (unrelated to torbirdy)

 if multiple parties are using torbirdy with thunderbird and lets say
 some domain owners have dmarc setup with reporting enabled

 other dmarc capable domains (gmail, hotmail, or any ISP even from their
 abuse email) will send back reports with the IP used for mail transmission
 & respond with fail or pass; a fail will occur if you use torbirdy
 everytime, and you can also see interesting results from abuse if other
 try to spoof sending from your domain with fake addresses

 the reports can contain IP addresses from which emails were sent from a
 domain
 ie i believe the IP that you logged into to thunderbird and sent mail

 essentially you'll see fail every time if you use torbirdy *and* your
 domain is configured with dmarc, and its going to leak the IP you sent
 email from (logged in with thunderbird to send) defeating the purpose of
 using torbirdy

 the dmarc queries are going out in the usual clear dns

 are there any other shortcomings here that are of concern?

 is dmarc reporting too privacy invasive in this situation to bother
 implementing, and better left to business/companies ?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12821>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list