Re: [dmarc-discuss] Experience 16 days with DMARC

2016-02-10 Thread Ben Greenfield via dmarc-discuss

> On Feb 10, 2016, at 1:55 AM, Roland Turner via dmarc-discuss 
> <dmarc-discuss@dmarc.org> wrote:
> 
> I'd suggest a few things:
> 
> - You're looking a little too closely at daily changes, particularly around 
> implementation time. Allow the thing some time to settle, perhaps a month, 
> before considering next steps. Bear in mind that there are multiple, 
> independent good and evil actors here, each reacting to the others all the 
> time. This will take time to settle, a single day's (or week's) change is 
> unlikely to be actionable. Note in particular that the larger receivers are 
> almost certainly comparing their user feedback ("This is [not] Spam") with 
> your DMARC policy ([un]authenticated messages that get reported as 
> [not-]spam) as an input to their decision making. On the fairly small numbers 
> that you're talking about, this calculation could take weeks to converge.

DMARC certainly provides another view into what is happening. I think what you 
are saying is that my small traffic volume of 15,000 messages is such a small 
blip in the spammers' world that they will be doing some monthly analysis to 
notice and adjust their routine accordingly.

> - The Forwarder and Threat/Unknown categories in Dmarcian are a mix of 
> probabilistic assessments by email-receivers and by Dmarcian, not a reliable 
> indication of what the email messages in question contain.

Yes, I have tracked legitimate emails through all the Dmarcian categories.

> They're interesting, but don't get hypnotised by them.

Looking forward to a drop off in traffic to break the spell...

> - How much is on-domain (vs. cousin-domain) impersonation costing you in 
> fraud/support/churn losses? If it's costing you thousands of dollars a month, 
> then by all means bring in the professionals. If you can't price it, or you 
> haven't done so yet, or it's a trivial amount, then you're probably done.

That is good to know since nobody is directly paying to do this. I imagine that 
I should just keep an eye on ARC and I could always become an early adopter of 
that as a way to improve things.


Thank you for taking the time to give me some perspective.

Ben




___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] Experience 16 days with DMARC

2016-02-09 Thread Roland Turner via dmarc-discuss

I'd suggest a few things:

- You're looking a little too closely at daily changes, particularly around 
implementation time. Allow the thing some time to settle, perhaps a month, 
before considering next steps. Bear in mind that there are multiple, 
independent good and evil actors here, each reacting to the others all the 
time. This will take time to settle, a single day's (or week's) change is 
unlikely to be actionable. Note in particular that the larger receivers are 
almost certainly comparing their user feedback ("This is [not] Spam") with your 
DMARC policy ([un]authenticated messages that get reported as [not-]spam) as an 
input to their decision making. On the fairly small numbers that you're talking 
about, this calculation could take weeks to converge.
- The Forwarder and Threat/Unknown categories in Dmarcian are a mix of 
probabilistic assessments by email-receivers and by Dmarcian, not a reliable 
indication of what the email messages in question contain. They're interesting, 
but don't get hypnotised by them.
- How much is on-domain (vs. cousin-domain) impersonation costing you in 
fraud/support/churn losses? If it's costing you thousands of dollars a month, 
then by all means bring in the professionals. If you can't price it, or you 
haven't done so yet, or it's a trivial amount, then you're probably done.

- Roland


Roland Turner
Labs Director
Mobile: +65 9670 0022
3 Phillip Street, #13-03 Royal Group Building, Singapore 048693


www.trustsphere.com







[dmarc-discuss] Experience 16 days with DMARC

2016-02-07 Thread Ben Greenfield via dmarc-discuss

First off I think DMARC is great and I’m happy with it and want to try to use 
the information to protect my domain name.

I have been using dmarcian.com to analyze the reports and any terminology I use 
should be considered in the context of their tools. Their tools are all I know… 
so far.

Since I started receiving DMARC reports and tracked down a few specific domain 
names from DMARC reports to actual emails, I’m comfortable with most of the 
traffic I see in Forwarders categories and it’s great to see some with 100% 
DKIM survival. 

I’m assuming that most of the servers in the category of forwarder are just 
moving mail around the world.

Threat/Unknown: I take this to mean emails that have my domain in the From 
field and are trying to deliver the forged email.

This had fluctuated from around 4200 when I started on Jan. 22nd to a low of 
1900 emails on Jan. 30th; this had a steady climb of up to 5985 on Feb. 4th 
before spiking to 15,516 on Feb. 5th.

I see these fluctuations reflected in SpamCop’s spam volume. Almost all the 
heavy traffic is coming from, in order:

Vietnam
India
Brazil
UA
Russia


Is there anything I should be doing to try to clean up this problem?
Is DMARC the best I can do right now?

Thanks,
Ben
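
An added example, not part of the original post and not Dmarcian's code: a way to total raw DMARC aggregate reports over a longer window by aligned DKIM/SPF outcome, so that the DKIM-survives and fully-unauthenticated volumes discussed in this thread can be read directly from the XML. It assumes un-namespaced RFC 7489 report elements; the sample report, IP addresses and bucket names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>400</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def bucket(dkim, spf):
    """Name the DMARC outcome from the aligned DKIM and SPF results.
    pass_dkim_only is consistent with forwarding, but is not proof of it."""
    if dkim == "pass":
        return "pass_both" if spf == "pass" else "pass_dkim_only"
    return "pass_spf_only" if spf == "pass" else "fail_both"

def summarize(reports):
    """Sum message counts per outcome, and per source IP for full failures,
    across every report passed in (e.g. a month of them, not one day)."""
    totals, failing_ips = Counter(), Counter()
    for xml_text in reports:
        # Reports are untrusted input and never need a DTD: refuse entity tricks.
        if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
            raise ValueError("DTD not allowed in a DMARC report")
        for row in ET.fromstring(xml_text).iter("row"):
            count = int(row.findtext("count", default="0") or 0)
            dkim = row.findtext("policy_evaluated/dkim", default="fail")
            spf = row.findtext("policy_evaluated/spf", default="fail")
            outcome = bucket(dkim.strip().lower(), spf.strip().lower())
            totals[outcome] += count
            if outcome == "fail_both":
                failing_ips[row.findtext("source_ip", default="?").strip()] += count
    return totals, failing_ips

if __name__ == "__main__":
    totals, failing_ips = summarize([SAMPLE_REPORT, SAMPLE_REPORT])
    print(dict(totals))
    print(failing_ips.most_common(3))
```
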




