Hey All,

I saw an uptick in Forwarders as soon as I started to use a setting other 
than “p=none”. I wondered what caused this.

Here is my wild theory about my situation; it may apply to you, and it may be wrong.

My mail server, I believe, is configured to be susceptible to (I think the term is) 
backscatter, and I can't figure out why. That is part of why I implemented DMARC.

As soon as the DMARC policy became quarantine or reject, all of the forged 
emails that were bouncing back to my server no longer bounced back to my server; 
they were recognized as forgeries and placed in the forwarders. 

Forwarders being any email server other than our own that is forwarding email. 
Without DMARC it is ambiguous what to do with the forged bouncing email. Once 
DMARC establishes your email sources, it becomes apparent to mail servers that 
the forwarders are frauds, and that is the uptick.
If they were valid forwarders they could be established as such in the 
DMARC/SPF config.

That is my theory for my situation.

Ben


> On Jan 27, 2016, at 10:30 AM, John Corey Miller via dmarc-discuss 
> <dmarc-discuss@dmarc.org> wrote:
> 
> Okay, so the tool simply reports "Threat/Unknown" if the XML report from 
> Google shows both an SPF and a DKIM fail; these are all clearly phishers, 
> shady IPs out of China and Eastern Europe (we're an American company).  It 
> reports "Forwarder" if under the <reason> tag in Google's XML report there is 
> a tag <type> with the content "<type>forwarded</type>".
> 
> So it's actually Google's receiving server that is deciding these are 
> forwarders.  This is actually a problem, as in spite of the fact that our 
> DMARC policy is 100% reject, for some reason Google is marking them as 
> "quarantine", and even worse, Yahoo is marking them as simply "disposition 
> neutral".  The problem is getting worse: when I woke up to this morning's 
> DMARC reports from Google, about 87% of all traffic it saw was "Forwarded" 
> from these shady domains; over 200 messages came through like this against the 
> ~30 messages our small business sent out during that day.  Previously we'd 
> get about 40% of our traffic being illegitimate, with 1-2 messages from 
> "forwarders" that were actually forwarders (like Comcast Business).  Going 
> from "quarantine" to "reject" has caused a MASSIVE spike in the number of 
> these messages.  And as I said before, many of these IPs were the exact same 
> ones that were being flagged as just straight SPF and DKIM fails.
> 
>> On Jan 27, 2016, at 2:20 AM, Roland Turner via dmarc-discuss 
>> <dmarc-discuss@dmarc.org> wrote:
>> 
>> This would appear to be a Dmarcian question rather than a DMARC one as the 
>> Threat/Unknown is a Dmarcian classification rather than a DMARC one. More 
>> broadly, a/some receiver(s) and/or Dmarcian would appear to have decided at 
>> about the time that you made your change to reclassify a bunch of mail as 
>> forwarded. It is possible that this happened in response to your change, but 
>> I'd suggest rather unlikely.
>> 
>> If a receiver has decided to treat a particular message/stream as being from 
>> a trusted forwarder (i.e. to ignore the domain registrant's policy) then 
>> there is probably very little that you as a domain registrant can do to 
>> address that. If your total message volume is sufficient to warrant it then 
>> you might consider talking to AMI and/or Return Path about access to failure 
>> reports from the receivers in question and/or website deactivation services 
>> like IID.
>> 
>> (I have no current commercial relationship with any of the above.)
>> 
>> - Roland
>> 
>> Roland Turner 
>> Labs Director 
>> Mobile: +65 9670 0022 
>> 3 Phillip Street, #13-03 Royal Group Building, Singapore 048693 
>> www.trustsphere.com
>> 
>> 
>> 
>> 
>> From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of John 
>> Corey Miller via dmarc-discuss <dmarc-discuss@dmarc.org>
>> Sent: Tuesday, 26 January 2016 23:36
>> To: dmarc-discuss@dmarc.org
>> Subject: [dmarc-discuss] Increase in Forwarders Since Implementation of 
>> DMARC Reject Policy
>> 
>> We have Google Apps for Business set-up with our domain name for our 
>> business.
>> 
>> Since making the change to fully reject mail that fails DMARC, the number of 
>> messages counted as coming through "Forwarders" on our DMARC reports when 
>> run through this tool https://dmarcian.com/dmarc-xml/ has drastically 
>> increased.  In many cases these new "Forwarders" are the same IPs that 
>> previously were coming through as "Threat/Unknown" (clearly phishers).
>> 
>> Does this mean that after seeing that google started rejecting their e-mails 
>> they changed something about how they're sending them to attempt to 
>> circumvent these rejections?  If so, does any action have to be taken to 
>> prevent this circumvention?
>> _______________________________________________
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>> 
>> NOTE: Participating in this list means you agree to the DMARC Note Well 
>> terms (http://www.dmarc.org/note_well.html)
> 
> 



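The classification John describes above (a row is a "Forwarder" when Google's aggregate report carries <reason><type>forwarded</type></reason>, and "Threat/Unknown" when both SPF and DKIM fail with no override) is easy to reproduce from the raw RUA XML without dmarcian's tool. The following is an added example, not code from this thread or from dmarcian; it follows the RFC 7489 Appendix C report schema and uses two constructed sample reports (the IPs, report ids, dates and counts are made up) to show the before/after pattern the thread is about: the same failing IP turning up as a forwarder, and the receiver applying quarantine even though the published policy is reject.

```python
"""Classify DMARC aggregate (RUA) report rows the way the thread describes.

Added example, not code from the original thread or from dmarcian's tool.
The XML layout follows the RFC 7489 Appendix C schema; both reports below
are constructed sample data (IPs, report ids, dates and counts are made up).
"""
import xml.etree.ElementTree as ET
from collections import Counter

RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest

# Constructed: report received while the published policy was p=quarantine.
REPORT_BEFORE = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>google.com</org_name><report_id>1001</report_id>
  <date_range><begin>1453680000</begin><end>1453766399</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>quarantine</p><sp>quarantine</sp><pct>100</pct></policy_published>
 <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
   <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.10</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

# Constructed: report received after moving to p=reject. The same failing IP
# now carries a <reason><type>forwarded</type></reason> override and the
# receiver only quarantined it, which is the pattern the thread asks about.
REPORT_AFTER = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>google.com</org_name><report_id>1002</report_id>
  <date_range><begin>1453852800</begin><end>1453939199</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
 <record><row><source_ip>198.51.100.7</source_ip><count>200</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    <reason><type>forwarded</type></reason></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
   <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.10</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def classify(record):
    """Bucket one <record> as the post says the tool does: an aligned DKIM or
    SPF pass -> "Pass"; a 'forwarded' override reason -> "Forwarder";
    otherwise both failed with no override -> "Threat/Unknown"."""
    pe = record.find("row/policy_evaluated")
    if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
        return "Pass"
    if "forwarded" in {r.findtext("type") for r in pe.findall("reason")}:
        return "Forwarder"
    return "Threat/Unknown"


def summarize(xml_text):
    """Message counts per bucket (<count> is per row, so weight by it)."""
    totals = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        totals[classify(rec)] += int(rec.findtext("row/count"))
    return dict(totals)


def ip_buckets(xml_text):
    """Map source_ip -> bucket, so two reports can be compared IP by IP."""
    return {rec.findtext("row/source_ip"): classify(rec)
            for rec in ET.fromstring(xml_text).iter("record")}


def reclassified_ips(before_xml, after_xml):
    """IPs that were Threat/Unknown in the earlier report and Forwarder now."""
    before, after = ip_buckets(before_xml), ip_buckets(after_xml)
    return {ip for ip, b in after.items()
            if b == "Forwarder" and before.get(ip) == "Threat/Unknown"}


def policy_overrides(xml_text):
    """Failing rows where the receiver applied something weaker than the
    published p= (e.g. p=reject but disposition=quarantine), with the reason."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p")
    hits = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        applied = pe.findtext("disposition")
        if classify(rec) != "Pass" and RANK[applied] < RANK[published]:
            reasons = ",".join(r.findtext("type") for r in pe.findall("reason")) or "-"
            hits.append((rec.findtext("row/source_ip"), published, applied, reasons))
    return hits


if __name__ == "__main__":
    print("before:", summarize(REPORT_BEFORE))
    print("after: ", summarize(REPORT_AFTER))
    print("reclassified:", reclassified_ips(REPORT_BEFORE, REPORT_AFTER))
    print("overrides:", policy_overrides(REPORT_AFTER))
```

Run against a directory of real reports, the interesting outputs are `reclassified_ips` (the "same IPs" John noticed) and `policy_overrides` (rows where a receiver downgraded your p= and what reason it gave). Note that the override reason is the receiver's judgement, not yours: a DMARC record cannot stop Google or Yahoo from applying a local forwarding exception, so this parser only makes the downgrade visible.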