Hector Santos wrote:
> MH Michael Hammer (5304) wrote:
>>
>> Remember, it's not static, it's dynamic. What was a non-phished domain
>> yesterday could be a phished domain today or tomorrow. DKIM isn't a
>> magic bullet, it's one more tool in the toolbox. I've found that in
>> combination with SPF it works very nicely on double fail and none/fail
>> as far as catching badness with very little impact on legitimate mail.
>>
>
> What sort of phishing are we talking about? Identities or the context?

This is what I see in today's log of malicious spoofing and phishing of
our three main domains (all rejected).

  From: Rolex.com <hec...@santronics.com>
  From: announceme...@santronics.com
  From: sa...@santronics.com
  From: Rolex.com <hsan...@santronics.com>
  From: Rolex.com <usiqb...@santronics.com>
  From: Rolex.com <hec...@santronics.com>
  From: Rolex.com <johnsmith...@santronics.com>
  From: Rolex.com <andrea.san...@santronics.com>
  From: Rolex.com <jua...@winserver.com>
  From: Rolex.com <powersgilh...@winserver.com>
  From: andy.armstr...@winserver.com
  From: Rolex.com <andrew.al...@winserver.com>
  From: Rolex.com <hec...@winserver.com>
  From: Rolex.com <huddlestonlu...@winserver.com>
  From: floydjj...@winserver.com
  From: Rolex.com <hurstfwrf...@winserver.com>
  From: floydjj...@winserver.com
  From: samuel.mang...@winserver.com
  From: ildefo...@winserver.com
  From: Rolex.com <michael.a....@winserver.com>
  From: Rolex.com <samuel.mang...@winserver.com>
  From: Rolex.com <guawaldemarwalde...@winserver.com>
  From: Rolex.com <matt.rineh...@winserver.com>
  From: Rolex.com <hurstfwrf...@winserver.com>
  From: codeproj...@winserver.com
  From: Rolex.com <h...@winserver.com>
  From: Rolex.com <h...@winserver.com>
  From: Rolex.com <john.kl...@winserver.com>
  From: Rolex.com <joshua.saund...@winserver.com>
  From: xml-...@winserver.com
  From: chris.shuema...@winserver.com
  From: aaron.de.br...@winserver.com
  From: Rolex.com <hurstfwrf...@winserver.com>
  From: Rolex.com <jeremiah.ragsd...@winserver.com>
  From: Rolex.com <hsan...@isdg.net>

Note the common sender using the "rolex.com" user id part, and I noticed
that the ones that don't have this were all also from the rolex.com
spammer. So this just boils down to one spammer today doing this.

None of them were DKIM signed, but they would have been rejected as
non-signed if the logic was enabled to reject on a failed ADSP.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
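
The ADSP check the message above refers to, as an added example that is not part of the original post or of any code from the list: it decides per message whether a verified Author Domain Signature is present and otherwise applies the domain's ADSP value (RFC 5617). The sample headers, DKIM results, ADSP records, the display-name heuristic and the reject/discard mapping are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample: From headers shaped like those in the post (local
# parts are placeholders) paired with assumed DKIM results as (d=, verified).
SAMPLE = [
    ("Rolex.com <user1@santronics.com>", []),
    ("user2@winserver.com", []),
    ("Support <user3@winserver.com>", [("winserver.com", True)]),
    ("Rolex.com <user4@isdg.net>", [("bulk.example", True)]),
]

# Assumed ADSP records (RFC 5617 "dkim=" values); isdg.net is left out on
# purpose to show the no-record case.
ADSP = {"santronics.com": "all", "winserver.com": "discardable"}


def author_domain(from_header):
    """Return (display name, lower-cased domain of the From address)."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def display_name_mismatch(from_header):
    """Heuristic: display name looks like a domain other than the author's."""
    name, domain = author_domain(from_header)
    name = name.strip().lower()
    return "." in name and " " not in name and name != domain


def adsp_verdict(from_header, dkim_results, policies=ADSP):
    """Receiver-side decision for one message (local policy is assumed)."""
    _, domain = author_domain(from_header)
    # An Author Domain Signature is a verified signature whose d= equals
    # the domain of the From address; third-party signatures do not count.
    if any(ok and d.lower() == domain for d, ok in dkim_results):
        return "pass"
    policy = policies.get(domain, "unknown")
    # Assumed local policy: reject on "all", discard on "discardable".
    return {"all": "reject", "discardable": "discard"}.get(policy, "no-policy")


if __name__ == "__main__":
    for hdr, sigs in SAMPLE:
        print(adsp_verdict(hdr, sigs), display_name_mismatch(hdr), hdr)
```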