[GTALUG] Email problem and some observations.
ac
ac at main.me
Thu Jul 14 09:55:42 EDT 2016
On Thu, 14 Jul 2016 09:28:48 -0400
Alvin Starr via talk <talk at gtalug.org> wrote:
> A bit of history to start off.
> Years ago we started putting spf records in our domains and email
> clients domains and that is mostly where things stuck.
> For the most part it was of little help but generally putting a
> correctly configured SPF statement did not hurt.
>
spf records already help a lot with spam/abuse
> I recently discovered DMARC and decided to implement it on my own
> domain as an experiment.
DMARC has real interesting reporting, but many ISPs do not even
respond to abuse@ so... we are a long way off from a perfect world :)
Like your SPF v=spf1 mx a:mail.netvel.net ip4:54.236.96.217/32 -all
many email servers will disregard even the -all (and the entire SPF)
> After running for a while and looking at the information that came
> back from the other dmarcians I noticed some interesting trends.
>
> 1) Some days there are lots of spam messages sent to google as
> someone on my domain (likely me).
> 2) There are not a whole lot of people who are honouring dmarc and
> sending status messages.
nope... and there are so many that do not even respond to direct
complaints.. recently on RIPE anti-abuse, an abuse-c record addition
failed, due to simply too many objections... - If people/society does
not even want to accept responsibility for what they transmit - how will
they co-op with DMARC...
> 3) Something in my network is sending mail to CheatCodes.com
> Here is a snippet from my dmarc log.
>
> Wed, 06 Jul 2016 14:47:25 -0400 CheatCodes.com 12
> Thu, 07 Jul 2016 19:59:59 -0400 google.com 2
> Thu, 07 Jul 2016 19:59:59 -0400 Yahoo! Inc. 2
> Fri, 08 Jul 2016 11:29:47 -0400 CheatCodes.com 10
> Sun, 10 Jul 2016 17:19:04 -0400 CheatCodes.com 3
> Mon, 11 Jul 2016 19:59:59 -0400 google.com 2
> Mon, 11 Jul 2016 14:45:57 -0400 CheatCodes.com 12
> Tue, 12 Jul 2016 12:00:00 -0400 Microsoft Corp. 1
> Tue, 12 Jul 2016 19:59:59 -0400 google.com 591
> Tue, 12 Jul 2016 19:59:59 -0400 Yahoo! Inc. 8
> Tue, 12 Jul 2016 15:22:56 -0400 CheatCodes.com 13
> Wed, 13 Jul 2016 19:59:59 -0400 google.com 785
> Wed, 13 Jul 2016 14:49:03 -0400 CheatCodes.com 3
>
> So about cheatcodes.com.
hmm, looks like this could be a fake reverse zone for a private ip on
your home pvt network?
If you look at my headers I have a pvt range setup with an inaddr to
cow.co.za :) - my DMARC would report "cow.co.za" on the sec gw
192.168. - otherwise you could have malware, either way - you should
have fun figuring it out :)
> All the traffic to cheatcodes is coming from the outside address of
> my firewall either home or cottage.
> Since I only email via submission to my external mail-server there is
> nothing inside my domain that should be sending email.
> So I blocked ports 25,2525 and a few other well known ports for email
> but still the mail is flowing.
> Then I blocked the cheatcodes MX address class C... Still flowing.
> I noticed that the IP source of the messages moved with my changing
> location.
> There are only 3 connected things that will move between these
> locations. My laptop and 2 Android phones.
> I guess it's time to start more serious tracking of traffic from my
> portable devices.
>
> So someone is connected and sending messages through non-regular
> channels to CheatCodes.com.
> This disturbs me.
> I intend to keep working on this.
> But it makes me ask the question: Who would go so far as to setup a
> surreptitious email link and then run it through DMARC?
>
> I have to admit that I kind of like DMARC.
> It is letting me get a feel for how much abuse of my domain is going
> on and it is way more than I thought.
> It's by no means a spam solution but it can cut down spam generated in
> my name.
>
>
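The per-reporter counts in Alvin's DMARC log come from the aggregate (RUA) XML reports that receivers mail back. As an added example that is not from this thread, here is a small Python parser for one such report that totals, per sending IP, how many messages aligned (DKIM or SPF pass) versus failed both, and lists the sources that never aligned; the report content, reporter name, domain and IPs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of one DMARC aggregate (RUA) report in the RFC 7489 XML
# layout; the reporter name, domain, IPs and counts are invented for this
# example and do not come from the thread.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <date_range><begin>1468000000</begin><end>1468086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.net</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>591</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.net</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>2</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.net</header_from></identifiers>
  </record>
</feedback>
"""

def summarize_report(xml_text):
    """Return (reporter_org, {source_ip: {"passed": n, "failed": n}}).
    "passed" = at least one aligned identifier (DKIM or SPF) in the
    receiver's evaluation; "failed" = neither aligned (unauthorised sender)."""
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name")
    per_ip = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = per_ip.setdefault(ip, {"passed": 0, "failed": 0})
        entry["passed" if "pass" in (dkim, spf) else "failed"] += count
    return reporter, per_ip

def unauthorized_sources(per_ip):
    """IPs whose mail never aligned: the sources worth blocking or reporting."""
    return {ip: v["failed"] for ip, v in per_ip.items()
            if v["failed"] and not v["passed"]}
```

Feeding a day's worth of real RUA files through `summarize_report` and merging the dictionaries gives the same "who is sending as my domain, and how much of it is legitimate" view the thread is discussing.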