I am using the latest version of OpenDMARC and while playing with DMARC reporting, I came across a few issues that could raise opportunities for attackers to exploit.
There is no verification check if an external email address is specified in the rua tag of the sender's DMARC record. The RFC recommends a verification strategy as defined here (https://datatracker.ietf.org/doc/html/rfc7489#section-7.1).
If multiple emails come from the same organizational domain, OpenDMARC sends out separate reports for each received email even if the rua addresses are the same. This, combined with the absence of an external destination verification mechanism, can open up an opportunity for attackers to flood any mailbox they want. Therefore, reports for the same organizational domain within the same reporting window should be aggregated.
Thanks.
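For readers who want to see what the two points above look like in code, here is an added illustration (not OpenDMARC's own code) of the RFC 7489 section 7.1 external destination check followed by per-window aggregation keyed on organizational domain and destination. DNS is replaced by a constructed dictionary (`FAKE_DNS`) so it runs offline, and `organizational_domain` is a two-label simplification of the Public Suffix List lookup a real reporter would use; the domain names and events are made up.

```python
"""Illustrative external-destination verification (RFC 7489 s7.1) and
aggregate-report bucketing. Added example, not OpenDMARC code."""
from collections import defaultdict
import re

# Constructed stand-in for DNS: name -> list of TXT strings.
# The reporter looks up <policy-domain>._report._dmarc.<destination-host>.
FAKE_DNS = {
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
    # A verification record may carry its own rua tag that redirects the report.
    "example.com._report._dmarc.redirect.example.org": [
        "v=DMARC1; rua=mailto:dmarc@collector.example"
    ],
}


def organizational_domain(fqdn):
    """Simplified: last two labels (real code consults the Public Suffix List)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_rua(record):
    """Return the mailto addresses from a DMARC record's rua tag."""
    m = re.search(r"(?:^|;)\s*rua\s*=\s*([^;]+)", record)
    if not m:
        return []
    out = []
    for uri in m.group(1).split(","):
        uri = uri.strip().split("!")[0]  # drop optional size suffix like !10m
        if uri.lower().startswith("mailto:"):
            out.append(uri[len("mailto:"):])
    return out


def verify_external_destination(policy_domain, rua_address, dns=FAKE_DNS):
    """Return (allowed, destinations_to_use).

    Same organizational domain: no check needed. Otherwise the destination
    host must publish a v=DMARC1 TXT record at the constructed name; if that
    record has its own rua tag, those addresses replace the original one.
    """
    dest_host = rua_address.rsplit("@", 1)[-1].lower()
    if organizational_domain(policy_domain) == organizational_domain(dest_host):
        return True, [rua_address]
    name = f"{policy_domain.lower()}._report._dmarc.{dest_host}"
    for txt in dns.get(name, []):
        if not txt.lower().startswith("v=dmarc1"):
            continue  # records without v=DMARC1 are ignored
        override = parse_rua(txt)
        return True, (override or [rua_address])
    return False, []


def plan_aggregate_reports(events, window_seconds=86400, dns=FAKE_DNS):
    """Bucket authentication results so that one aggregate report per
    (organizational domain, destination, reporting window) is produced.

    events: iterable of (unix_timestamp, policy_domain, rua_address, disposition)
    Returns (buckets, dropped) where dropped lists unverified destinations.
    """
    buckets = defaultdict(lambda: {"count": 0, "dispositions": defaultdict(int)})
    dropped = []
    for ts, policy_domain, rua, disposition in events:
        ok, dests = verify_external_destination(policy_domain, rua, dns)
        if not ok:
            dropped.append((policy_domain, rua))  # never send to unverified hosts
            continue
        window_start = ts - (ts % window_seconds)
        for dest in dests:
            key = (organizational_domain(policy_domain), dest, window_start)
            bucket = buckets[key]
            bucket["count"] += 1
            bucket["dispositions"][disposition] += 1
    return dict(buckets), dropped


if __name__ == "__main__":
    # Constructed sample: three results for example.com in one window.
    sample = [
        (1000, "example.com", "reports@reports.example.net", "none"),
        (2000, "example.com", "reports@reports.example.net", "reject"),
        (3000, "example.com", "victim@victim.example", "none"),
    ]
    buckets, dropped = plan_aggregate_reports(sample)
    for key, b in buckets.items():
        print(key, b["count"], dict(b["dispositions"]))
    print("dropped:", dropped)
```

Running the sample collapses the two verified results into a single bucket for `reports@reports.example.net` and refuses the unverified `victim.example` address, which is the behaviour the two points above ask for.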
I believe the check you're talking about is done in libopendmarc/opendmarc_policy.c at around line 650. If you have evidence that this is not happening, please contact me privately (github at gushi dot org) with examples of this so I can reproduce.
Aggregate reports absolutely should be aggregated, via the usual database/sending periodically via cron. The "individual" reports are forensic reports. Could you possibly get me samples of the reports being sent (again, if you need to do so confidentially, the address is above).