I've been amused by the number of rows in my aggregate report that show
people forwarding mail from their employer's mailbox to an external
provider (mostly Gmail and Yahoo). Of course most employers have
policies forbidding this; the fact that people do it anyway is one of the
things that keep me employed.

While using DMARC's aggregate reports to detect data leaks seems too
crude for corporate espionage, it does seem to have possibilities for
corporate compliance. It could work like this: once a month, I send all
my employees a reminder about corporate compliance rules. The sending
domain is unique, with correct SPF, DKIM and DMARC. When the RUA
arrives, it'll show how many people are forwarding their mail to Gmail
and whatnot. Games can be played with the domain, selector, or time of
day to statistically isolate the guilty party.

Interesting use case? Scary use case? Or Carl just demonstrating his
grasp of the obvious?

(Of course the outbound mail servers or firewall are the correct place
to detect and block forwarding. But this trick would find people who are
bypassing the outbound mail servers, or perhaps detect a flaw in the
output policy rules.)
<csg>
_______________________________________________
dmarc-discuss mailing list
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
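
The aggregate-report check described in the message above, sketched as an added example that is not part of the original post: it counts rows where aligned DKIM passes but SPF fails from an IP that is not one of the sender's own, grouped by DKIM selector. The domain `notice.example.com`, the selectors, the IPs and the sample report are constructed, and the report is assumed to use no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (not real data); all names are placeholders.
_REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        "<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        "<identifiers><header_from>notice.example.com</header_from></identifiers>"
        "<auth_results><dkim><domain>notice.example.com</domain>"
        "<selector>{sel}</selector><result>{dkim}</result></dkim></auth_results></record>")
SAMPLE_RUA = ("<feedback><report_metadata><org_name>mailbox-provider.example</org_name>"
              "</report_metadata>"
              + _REC.format(ip="192.0.2.10", n=40, dkim="pass", spf="pass", sel="sales")
              + _REC.format(ip="198.51.100.7", n=3, dkim="pass", spf="fail", sel="sales")
              + _REC.format(ip="198.51.100.9", n=1, dkim="pass", spf="fail", sel="eng")
              + _REC.format(ip="203.0.113.5", n=2, dkim="fail", spf="fail", sel="eng")
              + "</feedback>")


def forwarded_by_selector(rua_xml, our_ips):
    """Count messages that look forwarded, keyed by (reporter, DKIM selector)."""
    # Reports are untrusted input from third parties; a hardened parser such
    # as defusedxml is a sensible substitute for ElementTree in production.
    root = ET.fromstring(rua_xml)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    hits = Counter()
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", default="0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # Forwarding signature: the DKIM signature survives the extra hop,
        # SPF breaks, and the delivering IP is not one of our own servers.
        # Rows failing both checks are left out: they are not evidence of
        # forwarding (they may be spoofing or a modified message).
        if dkim == "pass" and spf == "fail" and ip not in our_ips:
            # The selector element is optional in the report schema.
            sel = next((d.findtext("selector", default="?")
                        for d in rec.findall("auth_results/dkim")
                        if d.findtext("result") == "pass"), "?")
            hits[(reporter, sel)] += count
    return hits


if __name__ == "__main__":
    for key, n in forwarded_by_selector(SAMPLE_RUA, {"192.0.2.10"}).items():
        print(key, n)
```

The counts are per reporting organization and selector, so they narrow the result only as far as the groups that were each sent mail signed with a distinct selector.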