[GTALUG] Email problem and some observations.

Alvin Starr alvin at netvel.net
Thu Jul 14 10:37:32 EDT 2016


On 07/14/2016 09:55 AM, ac via talk wrote:
> On Thu, 14 Jul 2016 09:28:48 -0400
> Alvin Starr via talk <talk at gtalug.org> wrote:
>> A bit of history to start off.
>> Years ago we started putting spf records in our domains and email
>> clients domains and that is mostly where things stuck.
>> For the most part it was of little help but generally putting a
>> correctly configured SPF statement did not hurt.
>>
> spf records already help a lot with spam/abuse
True enough but hype and initial exuberance did not quite pan out the 
way some claimed.
But it does work and helps.

>
>> I recently discovered DMARC and decided to implement it on my own
>> domain as an experiment.
> DMARC has real interesting reporting, but many ISPs do not even
> respond to abuse@ so... we are a long way off from a perfect world :)
Sadly the usual addresses like postmaster and abuse make for an easy 
target for spammers so it's the kind of address that gets quickly ignored.

Postmaster is so bad that it's almost all noise now.

>
> Like your SPF v=spf1 mx a:mail.netvel.net ip4:54.236.96.217/32 -all
> many email servers will disregard even the -all (and the entire SPF)
I was looking at an email problem yesterday and got a message from a 
spam filtering service that my client uses.
"1)  The simplest, and since SPF is only beneficial to large corporate 
domains, we would suggest that they log into their DNS Providers site 
and delete their SPF record."

With that kind of attitude it's not surprising that SPF is used at all.

>
>> After running for a while and looking at the information that came
>> back from the other dmarcians I noticed some interesting trends.
>>
>> 1) Some days there are lots of spam messages sent to google as
>> someone on my domain (likely me).
>> 2) There are not a whole lot of people who are honouring dmarc and
>> sending status messages.
> nope... and there are so many that do not even respond to direct
> complaints.. recently on RIPE anti-abuse, an abuse-c record addition
> failed, due to simply too many objections... - If people/society does
> not even want to accept responsibility for what they transmit - how will
> they co-op with DMARC...
I cannot help all those that will not work within the system but enough 
people are using DMARC that it is causing problems for mail list 
operators so it's gaining some traction.


>   
>> 3) Something in my network is sending mail to CheatCodes.com
>> Here is a snippet from my dmarc log.
>>
>> Wed, 06 Jul 2016 14:47:25 -0400 	CheatCodes.com 	12
>> Thu, 07 Jul 2016 19:59:59 -0400 	google.com 	2
>> Thu, 07 Jul 2016 19:59:59 -0400 	Yahoo! Inc. 	2
>> Fri, 08 Jul 2016 11:29:47 -0400 	CheatCodes.com 	10
>> Sun, 10 Jul 2016 17:19:04 -0400 	CheatCodes.com 	3
>> Mon, 11 Jul 2016 19:59:59 -0400 	google.com 	2
>> Mon, 11 Jul 2016 14:45:57 -0400 	CheatCodes.com 	12
>> Tue, 12 Jul 2016 12:00:00 -0400 	Microsoft Corp. 	1
>> Tue, 12 Jul 2016 19:59:59 -0400 	google.com 	591
>> Tue, 12 Jul 2016 19:59:59 -0400 	Yahoo! Inc. 	8
>> Tue, 12 Jul 2016 15:22:56 -0400 	CheatCodes.com 	13
>> Wed, 13 Jul 2016 19:59:59 -0400 	google.com 	785
>> Wed, 13 Jul 2016 14:49:03 -0400 	CheatCodes.com 	3
>>
>> So about cheatcodes.com.
> hmm, looks like this could be a fake reverse zone for a private ip on
> your home pvt network?
> If you look at my headers I have a pvt range setup with an inaddr to
> cow.co.za :) - my DMARC would report "cow.co.za"  on the sec gw
> 192.168. - otherwise you could have malware, either way - you should
> have fun figuring it out :)
DMARC reports the sending IP, and in my case the sending IP is my firewall.
That is what got me going.

I know it cannot be my laptop because that runs Linux and we all know 
that is impervious to hacks.
OOPS. My Android phones also run Linux (of sorts)...
Possibly it's time to re-evaluate this belief.


>
>

-- 
Alvin Starr                   ||   voice: (905)513-7688
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||
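
Added example, not part of the original post: the log quoted above summarizes DMARC aggregate (rua) reports, and the reply notes that each report names the sending IP. This Python example tallies one report per source IP and separates your own hosts from unknown senders; it assumes the RFC 7489 aggregate XML layout without an XML namespace, and `summarize`, `own_ips` and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs and domains), not data from the thread.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>reporter.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>591</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml, own_ips):
    """Return (reporter, source_ip, message_count, label), busiest source first.

    own_ips is a hypothetical parameter: the set of addresses your own mail
    leaves from (for example the NAT address of a firewall).
    """
    root = ET.fromstring(report_xml)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    totals = defaultdict(lambda: {"count": 0, "dmarc_pass": 0})
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        n = int(row.findtext("count", default="0"))
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        passed = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[ip]["count"] += n
        totals[ip]["dmarc_pass"] += n if passed else 0
    findings = []
    for ip, t in sorted(totals.items(), key=lambda kv: -kv[1]["count"]):
        if ip in own_ips:
            label = "own host: find which internal client is sending"
        elif t["dmarc_pass"] == 0:
            label = "not your host, fails DMARC: spoofing or unlisted sender"
        else:
            label = "not your host, passes DMARC: review SPF/DKIM scope"
        findings.append((reporter, ip, t["count"], label))
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_REPORT, own_ips={"192.0.2.10"}):
        print(*finding, sep="\t")
```

Aggregate reports arrive from arbitrary third parties, so when parsing real ones use a hardened XML parser such as defusedxml in place of the standard library parser.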
