Looks like an abuse campaign doing what it can to mask sending from
something like a direct IP-based address like @[w.x.y.z] - in this case the
IP is reportedly in Madrid.
--Kurt
On Mon, Mar 26, 2018 at 1:13 PM, John R. Levine wrote:
A friend looking at DNS traces says he's seeing a lot of queries like
this.
_dmarc.78.0x18.0143.0031
The numbers vary, some don't have the 0x. Any idea what it is? The
_dmarc suggests something thinks it's finding those domains on From: lines
but I'm having trouble imagining what it is.
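
An added example, not part of either message: a small filter for DNS query logs that finds _dmarc lookups whose remaining labels are four numbers and normalizes them to dotted decimal. It assumes the labels follow the classic inet_aton conventions (0x prefix for hex, leading 0 for octal); the function names and all sample queries except the first are constructed for illustration.

```python
import re

# Constructed sample query names; only the first one appears in the thread.
SAMPLE_QUERIES = [
    "_dmarc.78.0x18.0143.0031",
    "_dmarc.example.com",
    "_dmarc.10.0x0A.012.1",
    "_dmarc.192.0.2.1",
    "_dmarc.78.0x18.0143.099",  # 099 is not valid octal, so not an IP literal
]

def parse_octet(label):
    """Parse one label as an inet_aton-style number; return 0-255 or None."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", label):
        value = int(label, 16)
    elif re.fullmatch(r"0[0-7]+", label):
        value = int(label, 8)
    elif re.fullmatch(r"0|[1-9][0-9]*", label):
        value = int(label, 10)
    else:
        return None
    return value if value <= 255 else None

def decode_dmarc_ip(qname):
    """Return (dotted_decimal, obfuscated) for _dmarc.<a>.<b>.<c>.<d>, else None.

    obfuscated is True when the labels as queried differ from plain
    dotted decimal, i.e. hex or octal was used to disguise the address.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) != 5 or labels[0].lower() != "_dmarc":
        return None
    octets = [parse_octet(label) for label in labels[1:]]
    if any(o is None for o in octets):
        return None
    dotted = ".".join(str(o) for o in octets)
    return dotted, dotted != ".".join(labels[1:])

def scan(queries):
    """Map each query name to its decoded result (None when not an IP literal)."""
    return {q: decode_dmarc_ip(q) for q in queries}

if __name__ == "__main__":
    for qname, result in scan(SAMPLE_QUERIES).items():
        print(qname, "->", result)
```
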