Okay, so the tool simply reports "Threat/Unknown" if the XML report from Google shows both an SPF and a DKIM fail; these are all clearly phishers, shady IPs out of China and Eastern Europe (we're an American company). It reports "Forwarder" if under the <reason> tag in Google's XML report there is a tag <type> with the content "<type>forwarded</type>".

So it's actually Google's receiving server that is deciding these are forwarders. This is actually a problem as, in spite of the fact that our DMARC policy is 100% reject, for some reason Google is marking them as "quarantine" and, even worse, Yahoo is marking them as simply "disposition neutral". The problem is getting worse: when I woke up to this morning's DMARC reports from Google, about 87% of all traffic it saw was "Forwarded" from these shady domains; over 200 messages came through like this over the ~30 messages our small business sent out during that day. Previously we'd get about 40% of our traffic being illegitimate, with 1-2 messages from "forwarders" that were actually forwarders (like Comcast Business). Going from "quarantine" to "reject" has caused a MASSIVE spike in the number of these messages. And as I said before, many of these IPs were the exact same ones that were being flagged as just straight SPF and DKIM fails.

> On Jan 27, 2016, at 2:20 AM, Roland Turner via dmarc-discuss
> <[email protected]> wrote:
>
> This would appear to be a Dmarcian question rather than a DMARC one as the
> Threat/Unknown is a Dmarcian classification rather than a DMARC one. More
> broadly, a/some receiver(s) and/or Dmarcian would appear to have decided at
> about the time that you made your change to reclassify a bunch of mail as
> forwarded. It is possible that this happened in response to your change, but
> I'd suggest rather unlikely.
>
> If a receiver has decided to treat a particular message/stream as being from
> a trusted forwarder (i.e. to ignore the domain registrant's policy) then
> there is probably very little that you as a domain registrant can do to
> address that. If your total message volume is sufficient to warrant it then
> you might consider talking to AMI and/or Return Path about access to failure
> reports from the receivers in question and/or website deactivation services
> like IID.
>
> (I have no current commercial relationship with any of the above.)
>
> - Roland
>
> Roland Turner
> Labs Director
> Mobile: +65 9670 0022
> 3 Phillip Street, #13-03 Royal Group Building, Singapore 048693
> www.trustsphere.com
>
>
> From: dmarc-discuss <[email protected]> on behalf of John Corey
> Miller via dmarc-discuss <[email protected]>
> Sent: Tuesday, 26 January 2016 23:36
> To: [email protected]
> Subject: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC
> Reject Policy
>
> We have Google Apps for Business set up with our domain name for our business.
>
> Since making the change to fully reject mail that fails DMARC, the number of
> messages counted as coming through "Forwarders" on our DMARC reports when run
> through this tool https://dmarcian.com/dmarc-xml/ has drastically increased.
> In many cases these new "Forwarders" are the same IPs that previously were
> coming through as "Threat/Unknown" (clearly phishers.)
>
> Does this mean that after seeing that Google started rejecting their e-mails
> they changed something about how they're sending them to attempt to
> circumvent these rejections? If so, does any action have to be taken to
> prevent this circumvention?
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms
> (http://www.dmarc.org/note_well.html)
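The classification described at the top of the thread, as an added example that is not part of the original posts or of Dmarcian's tool: it parses the RFC 7489 aggregate-report layout, labels each record "Threat/Unknown" (aligned SPF and DKIM both fail, no override), "Forwarder" (same failures but the receiver recorded a <reason><type>forwarded</type> override) or "Aligned", and flags records where the receiver applied a weaker disposition than the published policy, which is the quarantine-despite-p=reject situation the poster describes. The report XML, IP addresses and counts are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; IPs are documentation ranges, not real senders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>200</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>forwarded</type><comment>constructed override</comment></reason></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.44</source_ip><count>30</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Dispositions ordered weakest to strongest so an override can be detected as a downgrade.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def classify(policy_evaluated):
    """Label a record the way the thread describes the Dmarcian tool doing it."""
    dkim = policy_evaluated.findtext("dkim")
    spf = policy_evaluated.findtext("spf")
    overrides = [r.findtext("type") for r in policy_evaluated.findall("reason")]
    if dkim == "pass" or spf == "pass":
        return "Aligned"            # DMARC passes on at least one aligned identifier
    if "forwarded" in overrides:
        return "Forwarder"          # receiver chose to treat the double failure as a forward
    return "Threat/Unknown"         # both aligned checks failed and no override was claimed

def parse_report(xml_text):
    """One dict per <record>; policy_weakened is True when a failing message got a disposition weaker than p=."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        disposition, label = pe.findtext("disposition"), classify(pe)
        rows.append({"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                     "label": label, "disposition": disposition,
                     "policy_weakened": label != "Aligned" and STRENGTH[disposition] < STRENGTH[published]})
    return rows

def message_totals(xml_text):
    """Message counts per label, to watch the 'Forwarder' share over successive reports."""
    totals = {}
    for row in parse_report(xml_text):
        totals[row["label"]] = totals.get(row["label"], 0) + row["count"]
    return totals
```

Run it over a real report by passing the decompressed XML to parse_report; the policy_weakened rows are the ones worth raising with the receiver or a failure-report provider.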
