[GTALUG] Email problem and some observations.

Alvin Starr alvin at netvel.net
Thu Jul 14 09:28:48 EDT 2016


A bit of history to start off.

Years ago we started putting SPF records in our domains and email 
clients' domains and that is mostly where things stuck.
For the most part it was of little help, but generally putting a 
correctly configured SPF statement did not hurt.

I recently discovered DMARC and decided to implement it on my own domain 
as an experiment.
After running for a while and looking at the information that came back 
from the other dmarcians I noticed some interesting trends.

1) Some days there are lots of spam messages sent to google as someone 
on my domain (likely me).
2) There are not a whole lot of people who are honouring dmarc and 
sending status messages.
3) Something in my network is sending mail to CheatCodes.com
Here is a snippet from my DMARC log.

Wed, 06 Jul 2016 14:47:25 -0400 	CheatCodes.com 	12
Thu, 07 Jul 2016 19:59:59 -0400 	google.com 	2
Thu, 07 Jul 2016 19:59:59 -0400 	Yahoo! Inc. 	2
Fri, 08 Jul 2016 11:29:47 -0400 	CheatCodes.com 	10
Sun, 10 Jul 2016 17:19:04 -0400 	CheatCodes.com 	3
Mon, 11 Jul 2016 19:59:59 -0400 	google.com 	2
Mon, 11 Jul 2016 14:45:57 -0400 	CheatCodes.com 	12
Tue, 12 Jul 2016 12:00:00 -0400 	Microsoft Corp. 	1
Tue, 12 Jul 2016 19:59:59 -0400 	google.com 	591
Tue, 12 Jul 2016 19:59:59 -0400 	Yahoo! Inc. 	8
Tue, 12 Jul 2016 15:22:56 -0400 	CheatCodes.com 	13
Wed, 13 Jul 2016 19:59:59 -0400 	google.com 	785
Wed, 13 Jul 2016 14:49:03 -0400 	CheatCodes.com 	3
So about cheatcodes.com.
All the traffic to cheatcodes is coming from the outside address of my 
firewall either home or cottage.
Since I only email via submission to my external mail-server there is 
nothing inside my domain that should be sending email.
So I blocked ports 25,2525 and a few other well known ports for email 
but still the mail is flowing.
Then I blocked the cheatcodes MX address class C... Still flowing.
I noticed that the IP source of the messages moved with my changing 
location.
There are only 3 connected things that will move between these 
locations. My laptop and 2 Android phones.
I guess it's time to start more serious tracking of traffic from my 
portable devices.

So someone is connected and sending messages through non-regular 
channels to CheatCodes.com.
This disturbs me.
I intend to keep working on this.
But it makes me ask the question: Who would go so far as to set up a 
surreptitious email link and then run it through DMARC?

I have to admit that I kind of like DMARC.
It is letting me get a feel for  how much abuse of my domain is going on 
and it is way more than I thought.
It's by no means a spam solution but it can cut down spam generated in my 
name.


-- 
Alvin Starr                   ||   voice: (905)513-7688
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||
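As an added example (editor's code, not part of Alvin's post): a short Python script that parses a DMARC aggregate (rua) report in the RFC 7489 XML format and produces a per-report line like the ones in the log above (report end date, reporting organisation, message count), plus the source IPs whose mail failed both SPF and DKIM, which is how one would spot an unexpected sender such as the one described in the post. The report below is constructed; the organisation name, domain and IPs are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report: who reported, how many messages,
and which source IPs sent mail that failed both SPF and DKIM."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample report in the RFC 7489 aggregate format (not a real report).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-reporter.test</org_name>
    <date_range><begin>1467849600</begin><end>1467935999</end></date_range>
  </report_metadata>
  <policy_published><domain>example.net</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""


def summarise(xml_text):
    """Return reporter, report end time, total messages and failing sources."""
    root = ET.fromstring(xml_text)
    org = root.findtext("report_metadata/org_name")
    end = int(root.findtext("report_metadata/date_range/end"))
    total = 0
    failing = defaultdict(int)  # source_ip -> messages failing both SPF and DKIM
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count"))
        total += count
        evaluated = row.find("policy_evaluated")
        if (evaluated.findtext("dkim") != "pass"
                and evaluated.findtext("spf") != "pass"):
            failing[row.findtext("source_ip")] += count
    return {"org": org, "end": datetime.fromtimestamp(end, timezone.utc),
            "total": total, "failing": dict(failing)}


def format_line(summary):
    """One log-style line: end date, reporting org, message count."""
    when = summary["end"].strftime("%a, %d %b %Y %H:%M:%S %z")
    return "%s\t%s\t%d" % (when, summary["org"], summary["total"])


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    print(format_line(result))
    for ip, n in result["failing"].items():
        print("unauthenticated source %s sent %d message(s)" % (ip, n))
```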
