[dmarc-discuss] Inbound spoofed mails

Dotzero dotzero at gmail.com
Wed Aug 21 01:00:43 PDT 2019


Typically your Exchange server is inside your firewall/perimeter.
Therefore, anything SMTP connecting from the outside of your firewall
claiming to be from your Mail From domain is not from you.

On Wed, Aug 21, 2019 at 3:49 AM Blason R <blason16 at gmail.com> wrote:

> " As was pointed out, the display name is free form but you can set a rule
> to block if the email address in a display name doesn't match the email
> address in the From email address."
>
> Is such a policy available? I am not sure about Exchange but AFAIK most
> of the AntiSpams do not offer such a policy. Or is there a mechanism you are
> talking about, DMARC?
>
> On Wed, Aug 21, 2019 at 12:51 PM Dotzero <dotzero at gmail.com> wrote:
>
>> SPF/DKIM/DMARC can help on the inbound side. You already know which hosts
>> your own email originates from so you can block just based on that knowledge
>> as well. As was pointed out, the display name is free form but you can set
>> a rule to block if the email address in a display name doesn't match the
>> email address in the From email address.
>>
>> Michael Hammer
>>
>> On Tue, Aug 20, 2019 at 10:59 PM Blason R via dmarc-discuss <
>> dmarc-discuss at dmarc.org> wrote:
>>
>>> Thanks, a nice solution and description; however, my question was about
>>> DMARC for incoming mails.
>>>
>>> On Tue, Aug 20, 2019 at 9:05 PM Pete Holzmann <Webbed.Pete at gmail.com>
>>> wrote:
>>>
>>>> I realize this is a Very Late Response to Blason's query... (I've had
>>>> serious medical challenges this year; "should" be dead yet here I am ;) )
>>>>
>>>> I thought you might be encouraged by our experience.
>>>>
>>>> *Scenario:*
>>>> - We have a Very Old Domain (ds.org) that's ONLY used for
>>>> infrastructure. NOT web, and not even sending/receiving email (
>>>> user at ds.org). Yet our email server is aster.ds.org
>>>> - In spite of not sending any email, more and more we were being marked
>>>> as spammers by various block lists.
>>>> - If you think about it, we have a perfect honeypot for spam. ANY email
>>>> to or from that domain is by definition invalid :) :)
>>>>
>>>> *Solution:*
>>>> - I finally implemented SPF, DKIM and DMARC...
>>>> - *WHAM!!! * Over a thousand spams a day (mostly from Asia) were being
>>>> sent faking our domain as source.
>>>> - Challenge #1: our DMARC report processor initially had to tweak a few
>>>> things. We're honestly not a large volume emailer... yet they were
>>>> processing quite a few records ;)
>>>> - Challenge #2: we ended up implementing "non standard" subdomain
>>>> wildcards due to a variety of fake subdomains being spoofed.
>>>>
>>>> *Result:*
>>>> - We're no longer accused of being spammers
>>>> - "Only" ~600 spams detected in the last *week* (by DMARC-capable
>>>> servers)
>>>> - All were trying to spoof our domain
>>>> - Of those, ~500 were from *.nxdomain, the rest at least had a real IP
>>>> entry.
>>>>
>>>> Blessings,
>>>> Pete
>>>>
>>>> ------------------------------
>>>>
>>>> On 9 Jan 2019 Blason R via dmarc-discuss said...
>>>>
>>>> Hi Edward,
>>>>
>>>> How do I make it work for Inbound if my MTA/AntiSpam does not support it?
>>>> Not sure if I understood your question correctly but would appreciate if
>>>> you can shed some light on this? Let's say I am on Google Apps.
>>>>
>>>> Google Apps I guess by default takes care of incoming mail. But what if
>>>> I am using third party MTA which does not support Inbound DMARC checks? Yes
>>>> most of them do support SPF and DKIM validation but not DMARC I guess.
>>>>
>>>> Please correct me if I am wrong.
>>>>
>>>> Thanks and regards,
>>>> Blason R
>>>>
>>>> On Wed, Jan 9, 2019 at 7:00 PM Edward Siewick via dmarc-discuss <
>>>> dmarc-discuss at dmarc.org> wrote:
>>>>
>>>> > Blason,
>>>> >
>>>> > Actually, consider implementing testing (SPF, DKIM) and DMARC for
>>>> > inbound.  Since you've implemented for everybody else, why not put
>>>> > these to use for your own organization?
>>>> >
>>>> > Edward S.
>>>> >
>>>> >
>>>> > On 1/8/2019 10:26 PM, Blason R via dmarc-discuss wrote:
>>>> >
>>>> > Hi DMARC Team,
>>>> >
>>>> > What I understand is DMARC is very beneficial for the mails which are
>>>> > being sent from my domain to third party. But can we stop the emails
>>>> > coming at me pretending to be my own domain? My assumption again here
>>>> > is we can not and need to have AntiSpam policy to block looking at SPF
>>>> > and DKIM?
>>>> >
>>>> > TIA
>>>> > Thanks and Regards
>>>> > Blason R
>>>> >
>>>> > _______________________________________________
>>>> > dmarc-discuss mailing list
>>>> > dmarc-discuss at dmarc.org
>>>> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>> >
>>>> > NOTE: Participating in this list means you agree to the DMARC Note
>>>> > Well terms (http://www.dmarc.org/note_well.html)
>>>>
>>>>
>>
>>
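
The two inbound rules discussed in this thread, sketched as an added example that is not part of any poster's message and is not taken from Exchange or any anti-spam product: reject own-domain senders arriving from outside the perimeter, and reject a From header whose display name shows a different address than the real one. The domain `example.com`, the `10.0.0.0/8` internal range, the function names, and the extra check of the header From domain alongside the envelope MAIL FROM are assumptions made for illustration.

```python
import ipaddress
import re
from email.utils import parseaddr

# Constructed values for the example; replace with your own domains and hosts.
OWN_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' (e.g. for the null sender)."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""


def is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def check_inbound(client_ip, mail_from, from_header):
    """Return the reasons to reject a message; an empty list means both rules pass."""
    display, addr = parseaddr(from_header)
    if not addr:
        # A From header that cannot be parsed gives nothing to compare against.
        return ["unparseable From header"]
    reasons = []
    # Rule 1: our own domain claimed by a host connecting from outside.
    if not is_internal(client_ip):
        for label, value in (("MAIL FROM", mail_from), ("From", addr)):
            if domain_of(value) in OWN_DOMAINS:
                reasons.append(f"{label} uses own domain from external host")
    # Rule 2: an address shown in the display name that is not the real address.
    for shown in ADDR_IN_TEXT.findall(display):
        if shown.lower() != addr.lower():
            reasons.append(f"display name shows {shown} but From is {addr}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: external host, look-alike display name.
    print(check_inbound("198.51.100.9", "x@evil.test",
                        '"ceo@example.com" <x@evil.test>'))
```

Rule 1 only holds when every legitimate sender for the domain is inside `INTERNAL_NETS`; outside services that send as the domain have to be listed there or evaluated with SPF/DKIM/DMARC instead.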