Email problem and some observations.

A bit of history to start off. Years ago we started putting SPF records in our domains and email clients' domains and that is mostly where things stuck. For the most part it was of little help but generally putting a correctly configured SPF statement did not hurt. I recently discovered DMARC and decided to implement it on my own domain as an experiment. After running for a while and looking at the information that came back from the other dmarcians I noticed some interesting trends.

1) Some days there are lots of spam messages sent to google as someone on my domain (likely me).
2) There are not a whole lot of people who are honouring dmarc and sending status messages.
3) Something in my network is sending mail to CheatCodes.com

Here is a snippet from my dmarc log.

Wed, 06 Jul 2016 14:47:25 -0400  CheatCodes.com    12
Thu, 07 Jul 2016 19:59:59 -0400  google.com         2
Thu, 07 Jul 2016 19:59:59 -0400  Yahoo! Inc.        2
Fri, 08 Jul 2016 11:29:47 -0400  CheatCodes.com    10
Sun, 10 Jul 2016 17:19:04 -0400  CheatCodes.com     3
Mon, 11 Jul 2016 19:59:59 -0400  google.com         2
Mon, 11 Jul 2016 14:45:57 -0400  CheatCodes.com    12
Tue, 12 Jul 2016 12:00:00 -0400  Microsoft Corp.    1
Tue, 12 Jul 2016 19:59:59 -0400  google.com       591
Tue, 12 Jul 2016 19:59:59 -0400  Yahoo! Inc.        8
Tue, 12 Jul 2016 15:22:56 -0400  CheatCodes.com    13
Wed, 13 Jul 2016 19:59:59 -0400  google.com       785
Wed, 13 Jul 2016 14:49:03 -0400  CheatCodes.com     3

So about cheatcodes.com. All the traffic to cheatcodes is coming from the outside address of my firewall, either home or cottage. Since I only email via submission to my external mail-server there is nothing inside my domain that should be sending email. So I blocked ports 25, 2525 and a few other well known ports for email but still the mail is flowing. Then I blocked the cheatcodes MX address class C... Still flowing. I noticed that the IP source of the messages moved with my changing location. There are only 3 connected things that will move between these locations: my laptop and 2 Android phones. I guess it's time to start more serious tracking of traffic from my portable devices.

So someone is connected and sending messages through non-regular channels to CheatCodes.com. This disturbs me. I intend to keep working on this. But it makes me ask the question: Who would go so far as to set up a surreptitious email link and then run it through DMARC?

I have to admit that I kind of like DMARC. It is letting me get a feel for how much abuse of my domain is going on and it is way more than I thought. It's by no means a spam solution but it can cut down spam generated in my name.

-- 
Alvin Starr       || voice: (905)513-7688
Netvel Inc.       || Cell:  (416)806-0133
alvin@netvel.net  ||

On Thu, 14 Jul 2016 09:28:48 -0400 Alvin Starr via talk <talk@gtalug.org> wrote:
> A bit of history to start off. Years ago we started putting SPF records in our domains and email clients' domains and that is mostly where things stuck. For the most part it was of little help but generally putting a correctly configured SPF statement did not hurt.

SPF records already help a lot with spam/abuse.

> I recently discovered DMARC and decided to implement it on my own domain as an experiment.
> After running for a while and looking at the information that came back from the other dmarcians I noticed some interesting trends.
> 1) Some days there are lots of spam messages sent to google as someone on my domain (likely me).
> 2) There are not a whole lot of people who are honouring dmarc and sending status messages.

nope... and there are so many that do not even respond to direct complaints.. recently on RIPE anti-abuse, an abuse-c record addition failed, due to simply too many objections... - If people/society does not even want to accept responsibility for what they transmit - how will

DMARC has real interesting reporting, but many ISPs do not even respond to abuse@ so... we are a long way off from a perfect world :) Like your SPF

v=spf1 mx a:mail.netvel.net ip4:54.236.96.217/32 -all

many email servers will disregard even the -all (and the entire SPF) they to co-op with DMARC...

> 3) Something in my network is sending mail to CheatCodes.com
>
> Here is a snippet from my dmarc log.
>
> Wed, 06 Jul 2016 14:47:25 -0400  CheatCodes.com    12
> Thu, 07 Jul 2016 19:59:59 -0400  google.com         2
> Thu, 07 Jul 2016 19:59:59 -0400  Yahoo! Inc.        2
> Fri, 08 Jul 2016 11:29:47 -0400  CheatCodes.com    10
> Sun, 10 Jul 2016 17:19:04 -0400  CheatCodes.com     3
> Mon, 11 Jul 2016 19:59:59 -0400  google.com         2
> Mon, 11 Jul 2016 14:45:57 -0400  CheatCodes.com    12
> Tue, 12 Jul 2016 12:00:00 -0400  Microsoft Corp.    1
> Tue, 12 Jul 2016 19:59:59 -0400  google.com       591
> Tue, 12 Jul 2016 19:59:59 -0400  Yahoo! Inc.        8
> Tue, 12 Jul 2016 15:22:56 -0400  CheatCodes.com    13
> Wed, 13 Jul 2016 19:59:59 -0400  google.com       785
> Wed, 13 Jul 2016 14:49:03 -0400  CheatCodes.com     3
>
> So about cheatcodes.com.

hmm, looks like this could be a fake reverse zone for a private ip on your home pvt network? If you look at my headers I have a pvt range set up with an in-addr to cow.co.za :) - my DMARC would report "cow.co.za" on the sec gw 192.168. - otherwise you could have malware, either way - you should have fun figuring it out :)

> All the traffic to cheatcodes is coming from the outside address of my firewall, either home or cottage. Since I only email via submission to my external mail-server there is nothing inside my domain that should be sending email. So I blocked ports 25, 2525 and a few other well known ports for email but still the mail is flowing. Then I blocked the cheatcodes MX address class C... Still flowing. I noticed that the IP source of the messages moved with my changing location. There are only 3 connected things that will move between these locations: my laptop and 2 Android phones. I guess it's time to start more serious tracking of traffic from my portable devices.
>
> So someone is connected and sending messages through non-regular channels to CheatCodes.com. This disturbs me. I intend to keep working on this. But it makes me ask the question: Who would go so far as to set up a surreptitious email link and then run it through DMARC?
>
> I have to admit that I kind of like DMARC. It is letting me get a feel for how much abuse of my domain is going on and it is way more than I thought. It's by no means a spam solution but it can cut down spam generated in my name.
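The DMARC aggregate reports the original post summarizes, and the SPF record quoted in the reply, can be cross-checked offline. This added Python example (not code from either poster) parses a report in the RFC 7489 XML shape, tallies messages per source IP, and flags sources that failed both SPF and DKIM and are not covered by the record's ip4 mechanism; the report contents, the reporter name and the 203.0.113.45 address are constructed, and the record's mx and a:mail.netvel.net mechanisms are not resolved since that would need DNS.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample DMARC aggregate report in the RFC 7489 XML shape (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-reporter.test</org_name>
    <date_range><begin>1468000000</begin><end>1468086399</end></date_range>
  </report_metadata>
  <policy_published><domain>netvel.net</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>54.236.96.217</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row><source_ip>203.0.113.45</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
</feedback>"""

# Only the ip4 mechanism of the SPF record quoted in the thread; "mx" and
# "a:mail.netvel.net" need DNS lookups, so they are not resolved here (assumption).
SPF_IP4 = [ipaddress.ip_network("54.236.96.217/32")]

def spf_listed(ip):
    """True if the sending IP falls inside one of the SPF ip4 networks."""
    return any(ipaddress.ip_address(ip) in net for net in SPF_IP4)

def summarize(xml_text):
    """Return (reporter org, {source_ip: {count, fail, listed}}) for one report."""
    root = ET.fromstring(xml_text)
    org = root.findtext("report_metadata/org_name")
    per_ip = defaultdict(lambda: {"count": 0, "fail": 0, "listed": False})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        both_failed = ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass"
        per_ip[ip]["count"] += n
        per_ip[ip]["fail"] += n if both_failed else 0  # messages failing DKIM and SPF
        per_ip[ip]["listed"] = spf_listed(ip)
    return org, dict(per_ip)

def suspicious_sources(xml_text):
    """Source IPs sending as the domain that failed both checks and are not in SPF."""
    _, per_ip = summarize(xml_text)
    return sorted(ip for ip, e in per_ip.items() if e["fail"] and not e["listed"])
```

Run over a directory of real rua= reports, the suspicious list is the set of sending addresses worth tracing back to a device, which is the question the thread is circling.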
Participants (2): ac, Alvin Starr