Re: [exim] DMARC / Abuse

Author: Ken Simpson
Date:  
To: John Schmerold
CC: exim-users@exim.org >> exim users
Subject: Re: [exim] DMARC / Abuse
On Tue, Jan 27, 2015 at 8:55 AM, John Schmerold <schmerold2@???>
wrote:

> Every day, my abuse mailbox is filled with messages from Microsoft, Google
> and Yahoo (MGY) reporting that others have sent suspicious emails using our
> domain.
>
> We have SPF & DKIM configured, not sure what if anything I should do with
> these messages from MGY.
>
> What do you do with this information? Our primary domain is katy.com. I
> believe we have it properly configured...perhaps not.
>
>

I see you have enabled DMARC for your domain:

_dmarc.katy.com descriptive text "v=DMARC1\;p=none\;pct=100\;rua=mailto:
abuse@???\;ruf=mailto:abuse@katy.com\;"

This configuration will cause you to receive reports of unauthorized domain
use. The reports are generally useless to you, unless you have customers
whom you might want to know are being phished via spoofing of your domain.

If you have a genuine need to understand these reports, I suggest working
with Agari (http://agari.com/what-we-do/), who suck in DMARC report data and
make sense of it to help you improve your security.


Otherwise, just turn off feedback reporting in DMARC by removing the ruf=
setting. The aggregate reports are probably more than enough to give you a
sense of whether there is a widespread attack on your domain:

Do I want to receive Failure Reports (ruf=)?

*No, you do not!* *(at least not initially)*

Failure reports are very useful for forensic analysis to help identify both
bugs in your own mail sending software and some kinds of phishing or other
impersonation attacks, but...

...a failure report is sent immediately, every time a receiver rejects an
email due to DMARC. The receiver may even send a report if the mail is
accepted but one of the authentication mechanisms does not pass the
alignment test. A forensic report can be the complete copy of the rejected
email in Abuse Reporting Format (ARF). You may think your sending practices
are good, and there should be few emails rejected, but every email that
spoofs your domain will be rejected too and you will get a copy. This could
be several times the volume of your legitimate emails. So no, you do not
want to receive Failure Reports until you are well prepared for them.

The strategy we recommend is to first publish a simple record in monitor
mode (i.e. "p=none") just to get aggregate reports.

_dmarc.example.com IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:dmarc-rua@???"

Study the aggregate reports, understand your mail infrastructure,
understand what would happen if you change the policy to reject, especially
how many failure reports you are likely to receive. Once you are confident,
add the "ruf=" tag pointing to a different mailbox than the rua= tag points
to. If you get too many failure reports, this will not fill up the
aggregate report mailbox, so you can keep your statistics running.

_dmarc.example.com IN TXT "v=DMARC1;p=reject;pct=100;rua=mailto:dmarc-rua@???;ruf=mailto:dmarc-ruf@example.com"