Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-02-05 Thread Ben Greenfield via dmarc-discuss
Hello Frank,

Thanks for pointing out your script. I was excited to see that it was a Lua 
script, and I see it requires Momentum, but I thought it might be interesting 
to hear about your set-up.

Since I don’t really know anything about them and I’m experimenting right now.

Thanks,

Ben


> On Feb 1, 2016, at 6:15 PM, Franck Martin wrote:
> 
> If you have p=none, then the email is accepted regardless where it comes from.
> 
> Once you put p!=none, then the email may be rejected unless it is coming from 
> known forwarders, in this case this flag is raised to let you know the email 
> should have been rejected but was accepted nevertheless because it is coming 
> from a known forwarder.
> 
> I took a different approach to indicate the exceptions when DMARC fails, even 
> for p=none. It requires additional compute time. You can see it at 
> https://github.com/linkedin/dmarc-msys/blob/master/dmarc.lua#L685 
> 
> 
> So it will all depend on how the receiver handles the exceptions to the DMARC 
> policy.
> 
> 
> On Mon, Feb 1, 2016 at 7:54 AM, Ben Greenfield via dmarc-discuss wrote:
> 
> > On Jan 31, 2016, at 5:16 AM, Ben Greenfield via dmarc-discuss wrote:
> >
> > I finally got my google reports for the past 2 days and I was able to run 
> > them through dmarcian.com.
> >
> > I would say it takes about a week for a newly dmarc’ed domain to be pulled 
> > from the spambots to drop a domain.
> >
> > Since configuring dmarc started out with 4260 forwarders threat/unknown’s 
> > on 1/21  to a high of 10,025 on 1/27 moving to 181 for 1/30.
> 
> That 81 has now morphed into 2034 and for 1/31 I’m up to 2579 forwarders and 
> threats unknown.
> 
> Ben
> 
> 
> >
> > I like that trend.
> >
> > Thanks,
> >
> > Ben
> >
> >
> >> On Jan 27, 2016, at 7:45 PM, John Corey Miller via dmarc-discuss wrote:
> >>
> >> Thanks Tim!
> >>
> >> I currently don’t have a dmarcian account, I just use the site as a 
> >> resource for your tools and information.  I could join up tomorrow when I 
> >> get into work if it would help you solve this problem.  Our DKIM records 
> >> had to be changed just  a couple of days prior to going to full reject if 
> >> that might have caused this… but drastic measures had to be taken as our 
> >> dmarc reports were showing something like 80-95% was straight up junk.
> >>
> >> Thanks,
> >> John Miller
> >>
> >>> On Jan 27, 2016, at 6:51 PM, Tim Draegen via dmarc-discuss wrote:
> >>>
> >>>> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss wrote:
> >>>>
> >>>> We have Google Apps for Business set-up with our domain name for our 
> >>>> business.
> >>>>
> >>>> Since making the change to fully reject mail that fails dmarc, the 
> >>>> number of messages counted as coming through "Forwarders" on our dmarc 
> >>>> reports when run through this tool https://dmarcian.com/dmarc-xml/ 
> >>>> has drastically increased.  In many 
> >>>> cases these new "Forwarders" are the same IPs that previously were 
> >>>> coming through as "Threat/Unknown" (clearly fishers.)
> >>>>
> >>>> Does this mean that after seeing that google started rejecting their 
> >>>> e-mails they changed something about how they're sending them to attempt 
> >>>> to circumvent these rejections?  If so, does any action have to be taken 
> >>>> to prevent this circumvention?
> >>>
> >>>
> >>> Hi John,
> >>>
> >>> FWIW, you can email supp...@dmarcian.com  
> >>> with any dmarcian-related questions.  I spend a lot of time there 
> >>> answering questions.. which is a bit easier as then I can look & comment 
> >>> about your data!
> >>>
> >>> That said, some replies to this thread are likely true.  If you're seeing 
> >>> the "forwarded" flag explicitly set, then this means the receiver in 
> >>> question accepted the email regardless of your published policy, as they 
> >>> understand the email to..well, be forwarded.
> >>>
> >>> It is not exactly common, but over the past few years certain 
> >>> spammers/phishers have figured out how to exploit servers that are being 
> >>> recognized as "forwarders" by the big players.  Once these servers are 
> >>> identified, they try to deliver as much crap as they can before being 
> >>> stopped.   And... the cycle continues.
> >>>
> >>> A different idea is that "reject" happened after putting in place DKIM 
> >>> signatures.  The dmarcian site does a better job identifying "Forwarders" 
> >>> (as a category, and not as a flag in XML) when DKIM is in place.  So if 
> >>> you did DKIM and reject at ~same time, 

Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-31 Thread Ben Greenfield via dmarc-discuss
I finally got my google reports for the past 2 days and I was able to run them 
through dmarcian.com.

I would say it takes about a week for a newly dmarc’ed domain to be pulled from 
the spambots to drop a domain.

Since configuring dmarc started out with 4260 forwarders threat/unknown’s on 
1/21  to a high of 10,025 on 1/27 moving to 181 for 1/30.

I like that trend.

Thanks,

Ben


> On Jan 27, 2016, at 7:45 PM, John Corey Miller via dmarc-discuss wrote:
> 
> Thanks Tim!
> 
> I currently don’t have a dmarcian account, I just use the site as a resource 
> for your tools and information.  I could join up tomorrow when I get into 
> work if it would help you solve this problem.  Our DKIM records had to be 
> changed just  a couple of days prior to going to full reject if that might 
> have caused this… but drastic measures had to be taken as our dmarc reports 
> were showing something like 80-95% was straight up junk.
> 
> Thanks,
> John Miller
> 
>> On Jan 27, 2016, at 6:51 PM, Tim Draegen via dmarc-discuss wrote:
>> 
>>> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss wrote:
>>> 
>>> We have Google Apps for Business set-up with our domain name for our 
>>> business.
>>> 
>>> Since making the change to fully reject mail that fails dmarc, the number 
>>> of messages counted as coming through "Forwarders" on our dmarc reports 
>>> when run through this tool https://dmarcian.com/dmarc-xml/ has drastically 
>>> increased.  In many cases these new "Forwarders" are the same IPs that 
>>> previously were coming through as "Threat/Unknown" (clearly fishers.)
>>> 
>>> Does this mean that after seeing that google started rejecting their 
>>> e-mails they changed something about how they're sending them to attempt to 
>>> circumvent these rejections?  If so, does any action have to be taken to 
>>> prevent this circumvention?
>> 
>> 
>> Hi John,
>> 
>> FWIW, you can email supp...@dmarcian.com with any dmarcian-related 
>> questions.  I spend a lot of time there answering questions.. which is a bit 
>> easier as then I can look & comment about your data!
>> 
>> That said, some replies to this thread are likely true.  If you're seeing 
>> the "forwarded" flag explicitly set, then this means the receiver in 
>> question accepted the email regardless of your published policy, as they 
>> understand the email to..well, be forwarded.
>> 
>> It is not exactly common, but over the past few years certain 
>> spammers/phishers have figured out how to exploit servers that are being 
>> recognized as "forwarders" by the big players.  Once these servers are 
>> identified, they try to deliver as much crap as they can before being 
>> stopped.   And... the cycle continues.
>> 
>> A different idea is that "reject" happened after putting in place DKIM 
>> signatures.  The dmarcian site does a better job identifying "Forwarders" 
>> (as a category, and not as a flag in XML) when DKIM is in place.  So if you 
>> did DKIM and reject at ~same time, this might be a factor.  However, if 
>> you're seeing junk from all over the world, it's worth dropping a note to 
>> supp...@dmarcian.com and we'll package up your data along with a note to the 
>> bigger players to plug their holes.
>> 
>> =- Tim
>> 
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>> 
>> NOTE: Participating in this list means you agree to the DMARC Note Well 
>> terms (http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-27 Thread Tim Draegen via dmarc-discuss
> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss wrote:
> 
> We have Google Apps for Business set-up with our domain name for our business.
> 
> Since making the change to fully reject mail that fails dmarc, the number of 
> messages counted as coming through "Forwarders" on our dmarc reports when run 
> through this tool https://dmarcian.com/dmarc-xml/ has drastically increased.  In many cases 
> these new "Forwarders" are the same IPs that previously were coming through 
> as "Threat/Unknown" (clearly fishers.)
> 
> Does this mean that after seeing that google started rejecting their e-mails 
> they changed something about how they're sending them to attempt to 
> circumvent these rejections?  If so, does any action have to be taken to 
> prevent this circumvention?


Hi John,

FWIW, you can email supp...@dmarcian.com with any 
dmarcian-related questions.  I spend a lot of time there answering questions.. 
which is a bit easier as then I can look & comment about your data!

That said, some replies to this thread are likely true.  If you're seeing the 
"forwarded" flag explicitly set, then this means the receiver in question 
accepted the email regardless of your published policy, as they understand the 
email to..well, be forwarded.

It is not exactly common, but over the past few years certain spammers/phishers 
have figured out how to exploit servers that are being recognized as 
"forwarders" by the big players.  Once these servers are identified, they try 
to deliver as much crap as they can before being stopped.   And... the cycle 
continues.

A different idea is that "reject" happened after putting in place DKIM 
signatures.  The dmarcian site does a better job identifying "Forwarders" (as a 
category, and not as a flag in XML) when DKIM is in place.  So if you did DKIM 
and reject at ~same time, this might be a factor.  However, if you're seeing 
junk from all over the world, it's worth dropping a note to 
supp...@dmarcian.com and we'll package up your 
data along with a note to the bigger players to plug their holes.

=- Tim


Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-27 Thread John Corey Miller via dmarc-discuss
Thanks Tim!

I currently don’t have a dmarcian account, I just use the site as a resource 
for your tools and information.  I could join up tomorrow when I get into work 
if it would help you solve this problem.  Our DKIM records had to be changed 
just  a couple of days prior to going to full reject if that might have caused 
this… but drastic measures had to be taken as our dmarc reports were showing 
something like 80-95% was straight up junk.

Thanks,
John Miller

> On Jan 27, 2016, at 6:51 PM, Tim Draegen via dmarc-discuss wrote:
> 
>> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss wrote:
>> 
>> We have Google Apps for Business set-up with our domain name for our 
>> business.
>> 
>> Since making the change to fully reject mail that fails dmarc, the number of 
>> messages counted as coming through "Forwarders" on our dmarc reports when 
>> run through this tool https://dmarcian.com/dmarc-xml/ has drastically 
>> increased.  In many cases these new "Forwarders" are the same IPs that 
>> previously were coming through as "Threat/Unknown" (clearly fishers.)
>> 
>> Does this mean that after seeing that google started rejecting their e-mails 
>> they changed something about how they're sending them to attempt to 
>> circumvent these rejections?  If so, does any action have to be taken to 
>> prevent this circumvention?
> 
> 
> Hi John,
> 
> FWIW, you can email supp...@dmarcian.com with any dmarcian-related questions. 
>  I spend a lot of time there answering questions.. which is a bit easier as 
> then I can look & comment about your data!
> 
> That said, some replies to this thread are likely true.  If you're seeing the 
> "forwarded" flag explicitly set, then this means the receiver in question 
> accepted the email regardless of your published policy, as they understand 
> the email to..well, be forwarded.
> 
> It is not exactly common, but over the past few years certain 
> spammers/phishers have figured out how to exploit servers that are being 
> recognized as "forwarders" by the big players.  Once these servers are 
> identified, they try to deliver as much crap as they can before being 
> stopped.   And... the cycle continues.
> 
> A different idea is that "reject" happened after putting in place DKIM 
> signatures.  The dmarcian site does a better job identifying "Forwarders" (as 
> a category, and not as a flag in XML) when DKIM is in place.  So if you did 
> DKIM and reject at ~same time, this might be a factor.  However, if you're 
> seeing junk from all over the world, it's worth dropping a note to 
> supp...@dmarcian.com and we'll package up your data along with a note to the 
> bigger players to plug their holes.
> 
> =- Tim

Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-27 Thread John Corey Miller via dmarc-discuss
Okay, so the tool simply reports "Threat/Unknown" if the XML report from google 
shows both an SPF and a DKIM fail, these are all clearly phishers, shady IPs 
out of China and Eastern Europe (we're an American company.)  It reports 
"Forwarder" if under the  tag in google's XML report there is a tag 
 with the content "forwarded"

So it's actually Google's receiving server that is deciding these are 
forwarders.  This is actually a problem as in spite of the fact that our DMARC 
policy is 100% reject, for some reason Google is marking them as "quarantine" 
and even worse Yahoo is marking them as simply "disposition neutral".  The 
problem is getting worse as when I woke up to this morning's DMARC reports from 
google about 87% of all traffic it saw was "Forwarded" from these shady 
domains, over 200 messages came through like this over the ~30 messages our 
small business sent out during that day.  Previously we'd get about 40% of our 
traffic being illegitimate with 1-2 messages from "forwarders" that were 
actually forwarders (like comcast business).  Going from "quarantine" to 
"reject" has caused a MASSIVE spike in the number of these messages.  And as I 
said before, many of these IPs were the exact same ones that were being flagged 
as just straight SPF and DKIM fails.

> On Jan 27, 2016, at 2:20 AM, Roland Turner via dmarc-discuss 
> <dmarc-discuss@dmarc.org> wrote:
> 
> This would appear to be a Dmarcian question rather than a DMARC one as the 
> Threat/Unknown is a Dmarcian classification rather than a DMARC one. More 
> broadly, a/some receiver(s) and/or Dmarcian would appear to have decided at 
> about the time that you made your change to reclassify a bunch of mail as 
> forwarded. It is possible that this happened in response to your change, but 
> I'd suggest rather unlikely.
> 
> If a receiver has decided to treat a particular message/stream as being from 
> a trusted forwarder (i.e. to ignore the domain registrant's policy) then 
> there is probably very little that you as a domain registrant can do to 
> address that. If your total message volume is sufficient to warrant it then 
> you might consider talking to AMI and/or Return Path about access to failure 
> reports from the receivers in question and/or website deactivation services 
> like IID.
> 
> (I have no current commercial relationship with any of the above.)
> 
> - Roland
> 
>   Roland Turner 
> Labs Director 
> Mobile: +65 9670 0022 
> 3 Phillip Street, #13-03 Royal Group Building, Singapore 048693 
>   www.trustsphere.com
> 
> 
> 
> 
> From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of John Corey 
> Miller via dmarc-discuss <dmarc-discuss@dmarc.org>
> Sent: Tuesday, 26 January 2016 23:36
> To: dmarc-discuss@dmarc.org
> Subject: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC 
> Reject Policy
>  
> We have Google Apps for Business set-up with our domain name for our business.
> 
> Since making the change to fully reject mail that fails dmarc, the number of 
> messages counted as coming through "Forwarders" on our dmarc reports when run 
> through this tool https://dmarcian.com/dmarc-xml/ has drastically increased.  
> In many cases these new "Forwarders" are the same IPs that previously were 
> coming through as "Threat/Unknown" (clearly fishers.)
> 
> Does this mean that after seeing that google started rejecting their e-mails 
> they changed something about how they're sending them to attempt to 
> circumvent these rejections?  If so, does any action have to be taken to 
> prevent this circumvention?

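The classification rule described in the message above, applied to two aggregate reports, as an added example (not code from dmarcian, Google or any list participant). It assumes un-namespaced RFC 7489 report XML; the reports, IPs and counts are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data in the RFC 7489 aggregate-report layout (documentation IPs).
_REC = ("<record><row><source_ip>{0}</source_ip><count>{1}</count><policy_evaluated>"
        "<disposition>{2}</disposition><dkim>{3}</dkim><spf>{4}</spf>{5}"
        "</policy_evaluated></row></record>")
_FWD = "<reason><type>forwarded</type></reason>"

def build_report(policy, records):
    """Assemble a minimal constructed report; a real one arrives from the receiver."""
    body = "".join(_REC.format(*r) for r in records)
    return ("<feedback><policy_published><domain>example.com</domain>"
            f"<p>{policy}</p></policy_published>{body}</feedback>")

BEFORE = build_report("quarantine", [
    ("198.51.100.7", 12, "quarantine", "fail", "fail", ""),
    ("203.0.113.9", 5, "quarantine", "fail", "fail", ""),
    ("192.0.2.25", 30, "none", "pass", "pass", ""),
])
AFTER = build_report("reject", [
    ("198.51.100.7", 150, "quarantine", "fail", "fail", _FWD),
    ("203.0.113.9", 4, "reject", "fail", "fail", ""),
    ("192.0.2.25", 30, "none", "pass", "pass", ""),
    ("192.0.2.77", 60, "none", "fail", "fail", _FWD),
])

def parse_report(xml_text):
    """Return (published policy, list of row dicts) for one aggregate report."""
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    published = (root.findtext("policy_published/p") or "none").strip().lower()
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        if pe is None:
            continue  # malformed record: nothing to classify
        rows.append({
            "ip": (rec.findtext("row/source_ip") or "").strip(),
            "count": int(rec.findtext("row/count") or 0),
            "disposition": (pe.findtext("disposition") or "").strip().lower(),
            "dkim": (pe.findtext("dkim") or "").strip().lower(),
            "spf": (pe.findtext("spf") or "").strip().lower(),
            "reasons": [(r.findtext("type") or "").strip().lower()
                        for r in pe.findall("reason")],
        })
    return published, rows

def classify(row):
    """Labels follow the rule as described in the thread, not any vendor's code."""
    if "forwarded" in row["reasons"]:
        return "Forwarder"
    if row["dkim"] == "fail" and row["spf"] == "fail":
        return "Threat/Unknown"
    return "Other"

def summarize(xml_text):
    """Message totals per label, plus rows where the receiver did not apply the policy."""
    published, rows = parse_report(xml_text)
    totals, overrides = Counter(), []
    for row in rows:
        totals[classify(row)] += row["count"]
        dmarc_failed = row["dkim"] == "fail" and row["spf"] == "fail"
        if dmarc_failed and row["disposition"] != published:
            overrides.append((row["ip"], row["disposition"], row["count"]))
    return dict(totals), overrides

def reclassified(earlier_xml, later_xml):
    """Source IPs labelled Threat/Unknown earlier and Forwarder later."""
    def ips(xml_text, label):
        return {r["ip"] for r in parse_report(xml_text)[1] if classify(r) == label}
    return ips(earlier_xml, "Threat/Unknown") & ips(later_xml, "Forwarder")

if __name__ == "__main__":
    totals, overrides = summarize(AFTER)
    print("totals:", totals)
    for ip, disposition, count in overrides:
        print(f"override: {ip} disposition={disposition} count={count}")
    print("moved to Forwarder:", sorted(reclassified(BEFORE, AFTER)))
```

The override list is the part a domain owner can act on: it names the sources for which a receiver recorded a weaker disposition than the published policy, which is the data to send along when raising the issue with that receiver.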

Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-27 Thread Ben Greenfield via dmarc-discuss
Hey All,

I saw an uptick in Forwarders as soon as I started to use a setting other than 
“p=none”. I wondered what caused this.

Here is my wild theory about my situation; it may apply to you and may be wrong.

My mail server I believe is configured to be susceptible to I think the term is 
backscatter and I can’t figure out why. That is part of why I implemented DMARC.

As soon as the policy for DMARC became quarantine or reject all of the forged 
email that were bouncing back to my server were no longer bouncing back to my 
server and were recognized as forgeries and placed in the forwarders. 

Forwarders being any email server other than our own that is forwarding email. 
Without DMARC it is ambiguous what to do with the forged bouncing email. Once 
DMARC establishes your email sources it becomes apparent to mail servers that 
the forwarders are frauds and that is the uptick.
If they were valid forwarders they could be established as such in the 
DMARC/spf config.

That is my theory for my situation.

Ben


> On Jan 27, 2016, at 10:30 AM, John Corey Miller via dmarc-discuss 
> <dmarc-discuss@dmarc.org> wrote:
> 
> Okay, so the tool simply reports "Threat/Unknown" if the XML report from 
> google shows both an SPF and a DKIM fail, these are all clearly phishers, 
> shady IPs out of China and Eastern Europe (we're an American company.)  It 
> reports "Forwarder" if under the  tag in google's XML report there is 
> a tag  with the content "forwarded"
> 
> So it's actually Google's receiving server that is deciding these are 
> forwarders.  This is actually a problem as in spite of the fact that our 
> DMARC policy is 100% reject, for some reason Google is marking them as 
> "quarantine" and even worse Yahoo is marking them as simply "disposition 
> neutral".  The problem is getting worse as when I woke up to this morning's 
> DMARC reports from google about 87% of all traffic it saw was "Forwarded" 
> from these shady domains, over 200 messages came through like this over the 
> ~30 messages our small business sent out during that day.  Previously we'd 
> get about 40% of our traffic being illegitimate with 1-2 messages from 
> "forwarders" that were actually forwarders (like comcast business).  Going 
> from "quarantine" to "reject" has caused a MASSIVE spike in the number of 
> these messages.  And as I said before, many of these IPs were the exact same 
> ones that were being flagged as just straight SPF and DKIM fails.
> 
>> On Jan 27, 2016, at 2:20 AM, Roland Turner via dmarc-discuss 
>> <dmarc-discuss@dmarc.org> wrote:
>> 
>> This would appear to be a Dmarcian question rather than a DMARC one as the 
>> Threat/Unknown is a Dmarcian classification rather than a DMARC one. More 
>> broadly, a/some receiver(s) and/or Dmarcian would appear to have decided at 
>> about the time that you made your change to reclassify a bunch of mail as 
>> forwarded. It is possible that this happened in response to your change, but 
>> I'd suggest rather unlikely.
>> 
>> If a receiver has decided to treat a particular message/stream as being from 
>> a trusted forwarder (i.e. to ignore the domain registrant's policy) then 
>> there is probably very little that you as a domain registrant can do to 
>> address that. If your total message volume is sufficient to warrant it then 
>> you might consider talking to AMI and/or Return Path about access to failure 
>> reports from the receivers in question and/or website deactivation services 
>> like IID.
>> 
>> (I have no current commercial relationship with any of the above.)
>> 
>> - Roland
>> 
>>  Roland Turner 
>> Labs Director 
>> Mobile: +65 9670 0022 
>> 3 Phillip Street, #13-03 Royal Group Building, Singapore 048693 
>>      www.trustsphere.com
>> 
>> 
>> 
>> 
>> From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of John 
>> Corey Miller via dmarc-discuss <dmarc-discuss@dmarc.org>
>> Sent: Tuesday, 26 January 2016 23:36
>> To: dmarc-discuss@dmarc.org
>> Subject: [dmarc-discuss] Increase in Forwarders Since Implementation of 
>> DMARC Reject Policy
>> 
>> We have Google Apps for Business set-up with our domain name for our 
>> business.
>> 
>> Since making the change to fully reject mail that fails dmarc, the number of 
>> messages counted as coming through "Forwarders" on our dmarc reports when 
>> run through this tool https://dmarcian.com/dmarc-xml/ has drastically 
>> increased.  In many cases these new "Forwarders" are the same IPs that 
>> previously were co

Re: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-26 Thread Roland Turner via dmarc-discuss
This would appear to be a Dmarcian question rather than a DMARC one as the 
Threat/Unknown is a Dmarcian classification rather than a DMARC one. More 
broadly, a/some receiver(s) and/or Dmarcian would appear to have decided at 
about the time that you made your change to reclassify a bunch of mail as 
forwarded. It is possible that this happened in response to your change, but 
I'd suggest rather unlikely.


If a receiver has decided to treat a particular message/stream as being from a 
trusted forwarder (i.e. to ignore the domain registrant's policy) then there is 
probably very little that you as a domain registrant can do to address that. If 
your total message volume is sufficient to warrant it then you might consider 
talking to AMI and/or Return Path about access to failure reports from the 
receivers in question and/or website deactivation services like IID.


(I have no current commercial relationship with any of the above.)


- Roland


Roland Turner
Labs Director
Mobile: +65 9670 0022
3 Phillip Street, #13-03 Royal Group Building, Singapore 048693
www.trustsphere.com

From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of John Corey 
Miller via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Tuesday, 26 January 2016 23:36
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] Increase in Forwarders Since Implementation of DMARC 
Reject Policy

We have Google Apps for Business set-up with our domain name for our business.

Since making the change to fully reject mail that fails dmarc, the number of 
messages counted as coming through "Forwarders" on our dmarc reports when run 
through this tool https://dmarcian.com/dmarc-xml/ has drastically increased.  
In many cases these new "Forwarders" are the same IPs that previously were 
coming through as "Threat/Unknown" (clearly fishers.)

Does this mean that after seeing that google started rejecting their e-mails 
they changed something about how they're sending them to attempt to circumvent 
these rejections?  If so, does any action have to be taken to prevent this 
circumvention?

[dmarc-discuss] Increase in Forwarders Since Implementation of DMARC Reject Policy

2016-01-26 Thread John Corey Miller via dmarc-discuss
We have Google Apps for Business set-up with our domain name for our business.

Since making the change to fully reject mail that fails dmarc, the number of 
messages counted as coming through "Forwarders" on our dmarc reports when run 
through this tool https://dmarcian.com/dmarc-xml/ has drastically increased.  In many cases 
these new "Forwarders" are the same IPs that previously were coming through as 
"Threat/Unknown" (clearly fishers.)

Does this mean that after seeing that google started rejecting their e-mails 
they changed something about how they're sending them to attempt to circumvent 
these rejections?  If so, does any action have to be taken to prevent this 
circumvention?