[dmarc-discuss] Inbound spoofed mails

Blason R blason16 at gmail.com
Tue Aug 20 19:53:54 PDT 2019


Thanks a nice solutions and description however my questions was for DMARC
for incoming mails.

On Tue, Aug 20, 2019 at 9:05 PM Pete Holzmann <Webbed.Pete at gmail.com> wrote:

> I realize this is a Very Late Response to Blason's query... (I've had
> serious medical challenges this year; "should" be dead yet here I am ;) )
>
> I thought you might be encouraged by our experience.
>
> *Scenario:*
> - We have a Very Old Domain (ds.org) that's ONLY used for infrastructure.
> NOT web, and not even sending/receiving email (user at ds.org). Yet our
> email server is aster.ds.org
> - In spite of not sending any email, more and more we were being marked as
> spammers by various block lists.
> - If you think about it, we have a perfect honeypot for spam. ANY email to
> or from that domain is by definition invalid :) :)
>
> *Solution:*
> - I finally implemented SPF, DKIM and DMARC...
> - *WHAM!!! * Over a thousand spams a day (mostly from Asia) were being
> sent faking our domain as source.
> - Challenge #1: our DMARC report processor initially had to tweak a few
> things. We're honestly not a large volume emailer... yet they were
> processing quite a few records ;)
> - Challenge #2: we ended up implementing "non standard" subdomain
> wildcards due to a
>   variety of fake subdomains being spoofed.
>
> *Result:*
> - We're no longer accused of being spammers
> - "Only" ~600 spams detected in the last *week* (by DMARC-capable servers)
> - All were trying to spoof our domain
> - Of those, ~500 were from *.nxdomain, the rest at least had a real IP
> entry.
>
> Blessings,
> Pete
>
> ------------------------------
>
> On 9 Jan 2019 Blason R via dmarc-discuss said...
>
> Hi Edward,
>
> How do I make it work for Inbound if my MTA/AntiSpam does not support? Not
> sure if I understood your question correctly but would appreciate if you
> can shed some light on this? lets say I am on google apps.
>
> Google Apps I guess bydefault takes care of Incoming mail. But what if I
> am using third party MTA which does not support Inbound DMARC checks? Yes
> most of them do support SPF and DKIM validation but not DMARC I guess.
>
> Please correct me if I am wrong.
>
> Thanks and regards,
> Blason R
>
> On Wed, Jan 9, 2019 at 7:00 PM Edward Siewick via dmarc-discuss <
> dmarc-discuss at dmarc.org> wrote:
>
> > Blason,
> >
> > Actually, consider implementing testing (SPF, DKIM) and DMARC for
> > inbound.  Since you've implemented for everybody else, why not put
> these to
> > use for your own organization?
> >
> > Edward S.
> >
> >
> > On 1/8/2019 10:26 PM, Blason R via dmarc-discuss wrote:
> >
> > Hi DMARC Team,
> >
> > What I understand is DMARC is very beneficial for the mails which
> are
> > being sent from my domain to third party. But can we stop the emails
> coming
> > at me pretending to be my own domain? My assumption again here is we
> can
> > not and need to have AntiSpam policy to block looking at SPF and
> DKIM?
> >
> > TIA
> > Thanks and Regards
> > Blason R
> >
> > _______________________________________________
> > dmarc-discuss mailing
> listdmarc-discuss at dmarc.orghttp://www.dmarc.org/mailman/listinfo/dmarc
> -discuss
> >
> > NOTE: Participating in this list means you agree to the DMARC Note
> Well terms (http://www.dmarc.org/note_well.html)
> >
> > _______________________________________________
> > dmarc-discuss mailing list
> > dmarc-discuss at dmarc.org
> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> >
> > NOTE: Participating in this list means you agree to the DMARC Note
> Well
> > terms (http://www.dmarc.org/note_well.html)
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20190821/da3b660e/attachment.html>


More information about the dmarc-discuss mailing list