On Fri 25/Oct/2019 22:13:44 +0200 John Levine wrote:
> In article <682972a4-38e4-f5b2-3180-c5a03a3a0...@tana.it> you write:
>>Looking at aggregate reports, you cannot tell whether an authentication failure
>>is a sacrosanct signaling of your domain being abused rather than a legitimate
>>user going through external forwarders.
> 
> Sure you can, you look at the IP address and see who it is.  In my reports I
> see bursts of authentication failures from hosts that are obviously mailing
> list servers, and lots of failures in China which are random spambots.


Right, to add a country lookup during XSLT transform is a nice hint.  IP
reputation sites are not quite as handy.


>>In theory, reports can be something more than a debugging aid.  It has the
>>potential to assemble a community where bad actors are identified and dismissed.
> 
> No, that's not what they're for and they don't have the necessary
> info.  There are systems that compile data for IP reputation but
> that's not what DMARC is.  The point of DMARC is to try to tell "is
> this message really from X", not "is this message spam."


There are spammers who abuse other domains, and not all of them are phishers.

While hard policies don't seem to be a goal for seldom-abused domains, failed
p=none hardly map to some kind of score.  So, yes, it looks like some necessary
info is missing.  But why would more info hurt?

The biggest obstacle is admins' reluctance to divulge internal data about their
mailflows.  Perhaps we should instead look for something that mail site admins
are eager to communicate to their peers.  I, for one, see many more DMARC
target domains than sources (73 to 13 this morning, most of the latter from my
yesterday's posts to this list).  I guess such ratios are rather common,
possibly worse for large sites.  Correct?

Curiously, in general, people and organizations seem to have a lot to say,
while they are often reluctant to listen.  How come DMARC, as a channel,
induces the opposite behavior?


Just thinking aloud
Ale
-- 

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
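
Added example, not part of the original message or of any participant's code: a Python sketch of the triage discussed in the thread, grouping DMARC-failing rows of an aggregate report by source IP and flagging rows where an unaligned domain still authenticated. The report is constructed, the hint labels are hypothetical, and it assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.org</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>12</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results>
   <dkim><domain>lists.example.net</domain><result>pass</result></dkim>
   <spf><domain>lists.example.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.77</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.5</source_ip><count>300</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim></auth_results>
 </record>
</feedback>"""

def summarize_failures(xml_text):
    """Map each source IP with DMARC-failing rows to a message count and a hint."""
    # Reports come from third parties: parse with a hardened XML parser in production.
    root = ET.fromstring(xml_text)
    out = defaultdict(lambda: {"count": 0, "hint": "unauthenticated"})
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if "pass" in (pe.findtext("dkim", "").strip(), pe.findtext("spf", "").strip()):
            continue  # DMARC passes when either aligned mechanism passes
        entry = out[row.findtext("source_ip").strip()]
        entry["count"] += int(row.findtext("count", "0"))
        # On a failing row, any passing auth result belongs to an unaligned domain:
        # typical of a list or forwarder that re-signs or rewrites the envelope.
        for res in rec.findall("auth_results/*"):
            if res.findtext("result", "").strip() == "pass":
                entry["hint"] = "intermediary:" + res.findtext("domain", "").strip().lower()
    return dict(out)

if __name__ == "__main__":
    for ip, info in summarize_failures(SAMPLE_REPORT).items():
        print(ip, info)
```

The hint is only a heuristic: a spam source can also sign with its own domain, so the passing domain still has to be recognised by whoever reads the summary.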
