Re: [dmarc-ietf] dmarc and forwarding

Steven M Jones <smj@crash.com> Fri, 31 January 2014 08:01 UTC

On 01/30/2014 10:38 PM, Mike Jones wrote:
>
> [The] thing about spoofing is that one never knows when one will 
> become a victim.  We often see domains that go periods of time without 
> a spoofing issue and then are hit hard on one day.

I'd like to reinforce this point from experience as a domain owner. At a 
major financial institution, we put SPF "-all" and DMARC "p=reject" 
records on some domains that had been retired several years earlier. 
These domains seldom saw more than 1,000 messages per month - again, 
none from or authorized by the owning organization - but they were 
prominent names you would recognize, and this seemed like a prudent 
precaution.

Sure enough, one holiday weekend somebody tried to send over 1.75 
million messages using one of these domains. While we surely weren't 
receiving reports from every domain receiving the spoofed messages, from 
the receivers that did report - including Microsoft, AOL, Google, and 
Yahoo - over 99.5% of those messages never reached an inbox. And I can 
tell you, we did not see blocking rates that high from similar domains 
where we had not put DMARC policies in place, no matter how lame the 
fraudulent messages were.
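The "over 99.5% never reached an inbox" figure is the kind of number a domain owner derives from DMARC aggregate (RUA) reports. The following is an added example, not code from the original post: it parses a constructed RFC 7489-style aggregate report (example.net and the source IPs are placeholders) and computes the share of reported messages the receiver rejected or quarantined.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample DMARC aggregate report in the RFC 7489 XML shape.
# Not a real report: example.net stands in for the retired domain and the
# source IPs are documentation addresses.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.net</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.net</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>6</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.net</header_from></identifiers>
  </record>
</feedback>
"""

def disposition_counts(report_xml):
    """Sum message counts per applied disposition (none/quarantine/reject)."""
    root = ET.fromstring(report_xml)
    counts = Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        if row is None:
            continue  # malformed record: skip rather than crash the tally
        n = int(row.findtext("count", "0"))
        counts[row.findtext("policy_evaluated/disposition", "none")] += n
    return counts

def blocked_fraction(report_xml):
    """Fraction of reported messages that did not reach an inbox, i.e. the
    receiver applied reject or quarantine. Returns 0.0 for an empty report."""
    counts = disposition_counts(report_xml)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (counts["reject"] + counts["quarantine"]) / total

if __name__ == "__main__":
    print(dict(disposition_counts(SAMPLE_REPORT)))
    print(f"blocked: {blocked_fraction(SAMPLE_REPORT):.2%}")
```

Feeding every receiver's daily report through the same function and weighting by count gives the organisation-wide figure; a disposition of "none" is the bucket to watch, since those are spoofed messages that were delivered.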

--Steve.