[GTALUG] Email problem and some observations.

ac ac at main.me
Thu Jul 14 09:55:42 EDT 2016


On Thu, 14 Jul 2016 09:28:48 -0400
Alvin Starr via talk <talk at gtalug.org> wrote:
> A bit of history to start off.
> Years ago we started putting SPF records in our domains and email 
> clients' domains and that is mostly where things stuck.
> For the most part it was of little help but generally putting a 
> correctly configured SPF statement did not hurt.
> 
SPF records already help a lot with spam/abuse.

> I recently discovered DMARC and decided to implement it on my own
> domain as an experiment.

DMARC has real interesting reporting, but many ISPs do not even
respond to abuse@ so... we are a long way off from a perfect world :)

Like your SPF (v=spf1 mx a:mail.netvel.net ip4:54.236.96.217/32 -all):
many email servers will disregard even the -all (and the entire SPF).

> After running for a while and looking at the information that came
> back from the other dmarcians I noticed some interesting trends.
> 
> 1) Some days there are lots of spam messages sent to google as
> someone on my domain (likely me).
> 2) There are not a whole lot of people who are honouring dmarc and 
> sending status messages.

Nope... and there are so many that do not even respond to direct
complaints. Recently on RIPE anti-abuse, an abuse-c record addition
failed, due to simply too many objections. If people/society does
not even want to accept responsibility for what they transmit, how will
they co-operate with DMARC...
 
> 3) Something in my network is sending mail to CheatCodes.com
> Here is a snippet from my dmarc log.
> 
> Wed, 06 Jul 2016 14:47:25 -0400 	CheatCodes.com 	12
> Thu, 07 Jul 2016 19:59:59 -0400 	google.com 	2
> Thu, 07 Jul 2016 19:59:59 -0400 	Yahoo! Inc. 	2
> Fri, 08 Jul 2016 11:29:47 -0400 	CheatCodes.com 	10
> Sun, 10 Jul 2016 17:19:04 -0400 	CheatCodes.com 	3
> Mon, 11 Jul 2016 19:59:59 -0400 	google.com 	2
> Mon, 11 Jul 2016 14:45:57 -0400 	CheatCodes.com 	12
> Tue, 12 Jul 2016 12:00:00 -0400 	Microsoft Corp. 	1
> Tue, 12 Jul 2016 19:59:59 -0400 	google.com 	591
> Tue, 12 Jul 2016 19:59:59 -0400 	Yahoo! Inc. 	8
> Tue, 12 Jul 2016 15:22:56 -0400 	CheatCodes.com 	13
> Wed, 13 Jul 2016 19:59:59 -0400 	google.com 	785
> Wed, 13 Jul 2016 14:49:03 -0400 	CheatCodes.com 	3
> 
> So about cheatcodes.com.

Hmm, looks like this could be a fake reverse zone for a private IP on
your home pvt network?
If you look at my headers I have a pvt range set up with an in-addr to
cow.co.za :) - my DMARC would report "cow.co.za" on the sec gw
192.168. - otherwise you could have malware; either way, you should
have fun figuring it out :)

> All the traffic to cheatcodes is coming from the outside address of
> my firewall either home or cottage.
> Since I only email via submission to my external mail-server there is 
> nothing inside my domain that should be sending email.
> So I blocked ports 25,2525 and a few other well known ports for email 
> but still the mail is flowing.
> Then I blocked the cheatcodes MX address class C... Still flowing.
> I noticed that the IP source of the messages moved with my changing 
> location.
> There are only 3 connected things that will move between these 
> locations. My laptop and 2 Android phones.
> I guess it's time to start more serious tracking of traffic from my 
> portable devices.
> 
> So someone is connected and sending messages through non-regular 
> channels to CheatCodes.com.
> This disturbs me.
> I intend to keep working on this.
> But it makes me ask the question: Who would go so far as to set up a 
> surreptitious email link and then run it through DMARC?
> 
> I have to admit that I kind of like DMARC.
> It is letting me get a feel for  how much abuse of my domain is going
> on and it is way more than I thought.
> It's by no means a spam solution but it can cut down spam generated in
> my name.
> 
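The per-reporter counts in that DMARC log summary hide which source IPs each reporter saw and whether the mail passed SPF or DKIM, which is what you need to tell a mis-attributed private-range host from a device really relaying mail. As an added example (not code from this thread), here is a small parser for the RFC 7489 aggregate-report XML that reporters send to the rua address; the reporter name, IPs and counts in the embedded report are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report schema; reporter name,
# IPs and counts are made up for illustration and are not from the thread.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-reporter.invalid</org_name>
    <date_range><begin>1467828000</begin><end>1467914400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Aggregate message counts by (reporter, source IP, SPF result, DKIM result)."""
    root = ET.fromstring(report_xml)
    reporter = root.findtext("report_metadata/org_name", default="?")
    totals = defaultdict(int)
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", default="?")
        count = int(rec.findtext("row/count", default="0"))
        spf = rec.findtext("row/policy_evaluated/spf", default="?")
        dkim = rec.findtext("row/policy_evaluated/dkim", default="?")
        totals[(reporter, ip, spf, dkim)] += count
    return dict(totals)

def unauthenticated(summary):
    """Source IPs whose mail failed both SPF and DKIM: either forged mail or
    a host of yours that is sending outside the authorised path."""
    return sorted({ip for (_, ip, spf, dkim) in summary if spf == "fail" and dkim == "fail"})

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for (org, ip, spf, dkim), n in sorted(s.items()):
        print(f"{org:26s} {ip:15s} {n:5d}  spf={spf} dkim={dkim}")
    print("unauthenticated sources:", unauthenticated(s))
```

Run it over the XML attachments of a real report and compare the failing source IPs with your firewall's outside addresses; a match from a reporter you never mail points at a device behind that address, not at a forger.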