On Thu, 14 Jul 2016 09:28:48 -0400
Alvin Starr via talk <[email protected]> wrote:

> A bit of history to start off.
> Years ago we started putting spf records in our domains and email
> clients' domains and that is mostly where things stuck.
> For the most part it was of little help but generally putting a
> correctly configured SPF statement did not hurt.
>

spf records already help a lot with spam/abuse

> I recently discovered DMARC and decided to implement it on my own
> domain as an experiment.

DMARC has real interesting reporting, but many ISPs do not even respond
to abuse@ so... we are a long way off from a perfect world :)

Like your SPF
v=spf1 mx a:mail.netvel.net ip4:54.236.96.217/32 -all
many email servers will disregard even the -all (and the entire SPF)

> After running for a while and looking at the information that came
> back from the other dmarcians I noticed some interesting trends.
>
> 1) Some days there are lots of spam messages sent to google as
> someone on my domain (likely me).
> 2) There are not a whole lot of people who are honouring dmarc and
> sending status messages.

nope... and there are so many that do not even respond to direct
complaints.. recently on RIPE anti-abuse, an abuse-c record addition
failed, due to simply too many objections... - If people/society does
not even want to accept responsibility for what they transmit - how
will they co-op with DMARC...

> 3) Something in my network is sending mail to CheatCodes.com
> Here is a snippet from my dmarc log.
>
> Wed, 06 Jul 2016 14:47:25 -0400 CheatCodes.com 12
> Thu, 07 Jul 2016 19:59:59 -0400 google.com 2
> Thu, 07 Jul 2016 19:59:59 -0400 Yahoo! Inc. 2
> Fri, 08 Jul 2016 11:29:47 -0400 CheatCodes.com 10
> Sun, 10 Jul 2016 17:19:04 -0400 CheatCodes.com 3
> Mon, 11 Jul 2016 19:59:59 -0400 google.com 2
> Mon, 11 Jul 2016 14:45:57 -0400 CheatCodes.com 12
> Tue, 12 Jul 2016 12:00:00 -0400 Microsoft Corp. 1
> Tue, 12 Jul 2016 19:59:59 -0400 google.com 591
> Tue, 12 Jul 2016 19:59:59 -0400 Yahoo! Inc. 8
> Tue, 12 Jul 2016 15:22:56 -0400 CheatCodes.com 13
> Wed, 13 Jul 2016 19:59:59 -0400 google.com 785
> Wed, 13 Jul 2016 14:49:03 -0400 CheatCodes.com 3
>
> So about cheatcodes.com.

hmm, looks like this could be a fake reverse zone for a private ip on
your home pvt network?
If you look at my headers I have a pvt range setup with an inaddr to
cow.co.za :) - my DMARC would report "cow.co.za" on the sec gw
192.168. - otherwise you could have malware, either way - you should
have fun figuring it out :)

> All the traffic to cheatcodes is coming from the outside address of
> my firewall either home or cottage.
> Since I only email via submission to my external mail-server there is
> nothing inside my domain that should be sending email.
> So I blocked ports 25,2525 and a few other well known ports for email
> but still the mail is flowing.
> Then I blocked the cheatcodes MX address class C... Still flowing.
> I noticed that the IP source of the messages moved with my changing
> location.
> There are only 3 connected things that will move between these
> locations. My laptop and 2 Android phones.
> I guess it's time to start more serious tracking of traffic from my
> portable devices.
>
> So someone is connected and sending messages through non-regular
> channels to CheatCodes.com.
> This disturbs me.
> I intend to keep working on this.
> But it makes me ask the question: Who would go so far as to set up a
> surreptitious email link and then run it through DMARC?
>
> I have to admit that I kind of like DMARC.
> It is letting me get a feel for how much abuse of my domain is going
> on and it is way more than I thought.
> It's by no means a spam solution but it can cut down spam generated in
> my name.
>

---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
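
Added example, not part of the original message or of either poster's setup: the per-reporter counts in the quoted DMARC log can be broken down by source IP and DMARC result, which is the view needed to track a sender that moves between locations. It assumes the RFC 7489 aggregate report layout; the sample report, reporter name, domain and addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report in the RFC 7489 aggregate (rua) XML layout. Reporter,
# domain and addresses are placeholders, not values from the thread.
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>reporter.example</org_name>"
    "</report_metadata><policy_published><domain>example.org</domain>"
    "<p>none</p></policy_published>"
    + _rec("192.0.2.10", 12, "pass", "pass")      # the domain's own mail server
    + _rec("198.51.100.5", 2, "pass", "fail")     # forwarded, DKIM survived
    + _rec("203.0.113.77", 591, "fail", "fail")   # not authorised by the domain
    + _rec("203.0.113.77", 3, "fail", "fail")
    + "</feedback>")


def summarize(report_xml):
    """Return (reporter, Counter keyed by (source_ip, dmarc_pass))."""
    # Reports come from third parties: in production parse them with a
    # hardened XML parser and size limits before trusting the contents.
    root = ET.fromstring(report_xml)
    org = root.findtext("report_metadata/org_name", default="unknown")
    totals = Counter()
    for row in root.iterfind("record/row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        # DMARC passes if aligned DKIM or aligned SPF passed.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[(row.findtext("source_ip"), ok)] += int(row.findtext("count", "0"))
    return org, totals


def failing_sources(report_xml):
    """Source IPs that used the domain and failed DMARC, busiest first."""
    _, totals = summarize(report_xml)
    fails = [(ip, n) for (ip, ok), n in totals.items() if not ok]
    return sorted(fails, key=lambda item: -item[1])


if __name__ == "__main__":
    org, _ = summarize(SAMPLE_REPORT)
    for ip, n in failing_sources(SAMPLE_REPORT):
        print(f"{org}: {n} messages from {ip} failed DMARC")
```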
