On 3/20/13 3:29 PM, "Carl S. Gutekunst" <[email protected]> wrote:

>
>> Wouldn't it be easier to read your email logs instead?
>>   
>
>Yes it would, but as I said in my original posting:
>
>>> (Of course the outbound mail servers or firewall are the correct place
>>> to detect and block forwarding. But this trick would find people who are
>>> bypassing the outbound mail servers, or perhaps detect a flaw in the
>>> output policy rules.)
>
>If I have an enforced policy in the mail server that alerts or blocks
>forwarding, people who really want to will try to find ways to bypass
>it, e.g., using port 465. The potential to flag such leaks is what makes
>this mechanism interesting. (Yes, yes, I know I can block ports. That's
>not my point.)

Thanks for the explanations; I'm trying to figure out where you are coming
from.

I think while you can use it to discover which user forwards his emails,
if you can put a p=reject on their email address, it will stop them from
using, say, Gmail to send using their corporate address. Quickly it becomes
painful to forward emails to be treated elsewhere.

In your case, I would create a domain example.net, put a p=reject, send
from that domain to all users of example.com, and collect stats and see
how many emails have ended up at other providers. You would also get the
source IPs, helping you find the leaks...


_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
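
Added example, not part of the original message: one way to read the aggregate reports the example.net probe would generate, listing which outside provider reported each message and the source IP that delivered it there. The report XML is a constructed sample in the RFC 7489 aggregate format; the sanctioned relay range and the function name are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: aggregate report sent by an outside mailbox provider
# about mail claiming to be from the probe domain example.net.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name></report_metadata>
  <policy_published><domain>example.net</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>1</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: the outbound relays example.com users are supposed to use.
SANCTIONED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]

def forwarding_leaks(report_xml, sanctioned=SANCTIONED_RELAYS):
    """Return one dict per report row. Probes were sent only to example.com
    users, so every row reported by an outside provider is forwarded mail;
    bypasses_relays marks rows whose source IP is not a sanctioned relay."""
    # Reports are third-party input; consider defusedxml for parsing in production.
    root = ET.fromstring(report_xml)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    rows = []
    for row in root.iterfind("record/row"):
        ip = ipaddress.ip_address(row.findtext("source_ip").strip())
        rows.append({
            "reporter": reporter,
            "source_ip": str(ip),
            "count": int(row.findtext("count")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            "dkim": row.findtext("policy_evaluated/dkim"),
            "spf": row.findtext("policy_evaluated/spf"),
            "bypasses_relays": not any(ip in net for net in sanctioned),
        })
    # List the rows that bypassed the sanctioned relays first.
    return sorted(rows, key=lambda r: not r["bypasses_relays"])

if __name__ == "__main__":
    for r in forwarding_leaks(SAMPLE_REPORT):
        tag = "BYPASS " if r["bypasses_relays"] else "relayed"
        print(tag, r["reporter"], r["source_ip"], r["count"],
              r["disposition"], "dkim=" + r["dkim"], "spf=" + r["spf"])
```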
