[dmarc-discuss] Inbound spoofed mails

Blason R blason16 at gmail.com
Wed Aug 21 00:49:09 PDT 2019


" As was pointed out, the display name is free form but you can set a rule
to block if the email address in a display name doesn't match the email
address in the From email address."

Is that such policy available? I am not sure about excahgne but AFAIK most
of the AntiSpams does not offer such policy. Or is there mechanism you are
talking about DMARC?

On Wed, Aug 21, 2019 at 12:51 PM Dotzero <dotzero at gmail.com> wrote:

> SPF/DKIM/DMARC can help on the inbound side. You already know which hosts
> your own email originate from so you can block just based on that knowledge
> as well. As was pointed out, the display name is free form but you can set
> a rule to block if the email address in a display name doesn't match the
> email address in the From email address.
>
> Michael Hammer
>
> On Tue, Aug 20, 2019 at 10:59 PM Blason R via dmarc-discuss <
> dmarc-discuss at dmarc.org> wrote:
>
>> Thanks a nice solutions and description however my questions was for
>> DMARC for incoming mails.
>>
>> On Tue, Aug 20, 2019 at 9:05 PM Pete Holzmann <Webbed.Pete at gmail.com>
>> wrote:
>>
>>> I realize this is a Very Late Response to Blason's query... (I've had
>>> serious medical challenges this year; "should" be dead yet here I am ;) )
>>>
>>> I thought you might be encouraged by our experience.
>>>
>>> *Scenario:*
>>> - We have a Very Old Domain (ds.org) that's ONLY used for
>>> infrastructure. NOT web, and not even sending/receiving email (
>>> user at ds.org). Yet our email server is aster.ds.org
>>> - In spite of not sending any email, more and more we were being marked
>>> as spammers by various block lists.
>>> - If you think about it, we have a perfect honeypot for spam. ANY email
>>> to or from that domain is by definition invalid :) :)
>>>
>>> *Solution:*
>>> - I finally implemented SPF, DKIM and DMARC...
>>> - *WHAM!!! * Over a thousand spams a day (mostly from Asia) were being
>>> sent faking our domain as source.
>>> - Challenge #1: our DMARC report processor initially had to tweak a few
>>> things. We're honestly not a large volume emailer... yet they were
>>> processing quite a few records ;)
>>> - Challenge #2: we ended up implementing "non standard" subdomain
>>> wildcards due to a
>>>   variety of fake subdomains being spoofed.
>>>
>>> *Result:*
>>> - We're no longer accused of being spammers
>>> - "Only" ~600 spams detected in the last *week* (by DMARC-capable
>>> servers)
>>> - All were trying to spoof our domain
>>> - Of those, ~500 were from *.nxdomain, the rest at least had a real IP
>>> entry.
>>>
>>> Blessings,
>>> Pete
>>>
>>> ------------------------------
>>>
>>> On 9 Jan 2019 Blason R via dmarc-discuss said...
>>>
>>> Hi Edward,
>>>
>>> How do I make it work for Inbound if my MTA/AntiSpam does not support?
>>> Not sure if I understood your question correctly but would appreciate if
>>> you can shed some light on this? lets say I am on google apps.
>>>
>>> Google Apps I guess bydefault takes care of Incoming mail. But what if I
>>> am using third party MTA which does not support Inbound DMARC checks? Yes
>>> most of them do support SPF and DKIM validation but not DMARC I guess.
>>>
>>> Please correct me if I am wrong.
>>>
>>> Thanks and regards,
>>> Blason R
>>>
>>> On Wed, Jan 9, 2019 at 7:00 PM Edward Siewick via dmarc-discuss <
>>> dmarc-discuss at dmarc.org> wrote:
>>>
>>> > Blason,
>>> >
>>> > Actually, consider implementing testing (SPF, DKIM) and DMARC for
>>> > inbound.  Since you've implemented for everybody else, why not put
>>> these to
>>> > use for your own organization?
>>> >
>>> > Edward S.
>>> >
>>> >
>>> > On 1/8/2019 10:26 PM, Blason R via dmarc-discuss wrote:
>>> >
>>> > Hi DMARC Team,
>>> >
>>> > What I understand is DMARC is very beneficial for the mails which
>>> are
>>> > being sent from my domain to third party. But can we stop the emails
>>> coming
>>> > at me pretending to be my own domain? My assumption again here is we
>>> can
>>> > not and need to have AntiSpam policy to block looking at SPF and
>>> DKIM?
>>> >
>>> > TIA
>>> > Thanks and Regards
>>> > Blason R
>>> >
>>> > _______________________________________________
>>> > dmarc-discuss mailing
>>> listdmarc-discuss at dmarc.orghttp://www.dmarc.org/mailman/listinfo/dmarc
>>> -discuss
>>> >
>>> > NOTE: Participating in this list means you agree to the DMARC Note
>>> Well terms (http://www.dmarc.org/note_well.html)
>>> >
>>> > _______________________________________________
>>> > dmarc-discuss mailing list
>>> > dmarc-discuss at dmarc.org
>>> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>> >
>>> > NOTE: Participating in this list means you agree to the DMARC Note
>>> Well
>>> > terms (http://www.dmarc.org/note_well.html)
>>>
>>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> dmarc-discuss at dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20190821/48e311fc/attachment.html>


More information about the dmarc-discuss mailing list