Last week I wrote about how my domain is being used for spoofing. I also mentioned how the only way to try to protect your domain reputation from spoofing is to add a DMARC DNS record to your domain. Unfortunately anyone can send spam and malware messages and add your email address as the sender; there is nothing to stop anyone from misrepresenting who they are.
There are spam laws in place (such as the Australian Spam Act 2003); however, spammers are very adept at making it extremely difficult for the authorities to prosecute them. It is therefore important that domain owners make it as difficult as possible for spoofers, for example by adding and monitoring DMARC records.
Can you stop your domain being used for email spoofing?
I have had a lot of contact from people enquiring whether adding a DMARC DNS record has helped. Unfortunately it really isn’t possible to say whether adding a DMARC record has been a success. What I have done in the past week is change the DMARC policy from quarantine to reject. The effect of this change is that receiving servers should discard unaligned messages rather than place them in the recipient’s spam or junk folder. I did this because I had contact from quite a few people (particularly Bigpond customers) who checked their junk folders and then contacted me asking that I not send them spam (most of the messages were advertising Bitcoin services).
[DMARC] gives the legitimate owner of an Internet domain a way to request that illegitimate messages – spoofed spam, phishing – be put directly in the spam folder or rejected outright. DMARC.org
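To make the quarantine-to-reject change concrete, here is an added example (not code from the original post or from DMARC.org) of the evaluation a receiving server performs: it parses the domain owner's DMARC TXT record, checks SPF and DKIM identifier alignment against the From: domain, and returns the disposition the owner asked for. The record text, domains and authentication results are constructed for illustration; the organisational-domain helper is deliberately simplified (real receivers consult the Public Suffix List).

```python
"""Receiver-side DMARC evaluation (added example, not from the original post).

All inputs below (DMARC record text, From: domains, SPF/DKIM results) are
constructed for illustration.
"""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # values like mailto: URIs contain '='
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels.

    Assumption for this example only; production code uses the Public Suffix List
    so that e.g. 'example.co.uk' is handled correctly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment.

    Strict ('s') requires the authenticated domain to equal the From: domain;
    relaxed ('r') accepts the same organisational domain.
    """
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    DMARC passes if either SPF or DKIM passed *and* its domain aligns with the
    From: domain. Otherwise the disposition is whatever p= requests:
    'none', 'quarantine' (spam folder) or 'reject' (discard at SMTP time).
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, rec["p"]


if __name__ == "__main__":
    # A spoofed message: SPF passes for the relaying provider's own domain,
    # which does not align with the forged From: domain, and there is no DKIM.
    for policy in ("v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(policy, "->", evaluate(policy, "example.com", "pass", "gmx.com", "none", ""))
    # A legitimate message sent through a third-party service that signs with
    # the owner's domain: DKIM aligns, so the policy is not applied.
    print(evaluate("v=DMARC1; p=reject", "example.com", "fail", "mail.example.com", "pass", "example.com"))
```

The same forged message is merely filed in junk under p=quarantine but dropped outright under p=reject, which is exactly why the recipients who were reading their junk folders stop seeing it after the change.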
When the spoofing started, the originating servers were mostly GMX servers with the following IP addresses: 82.165.159.130, 82.165.159.131, 74.208.4.200 and 74.208.4.201. In the past week over 102,000 messages have been reported via DMARC as being sent from my domain, with a minute fraction actually sent by me or the services I use (e.g. Mailchimp). The services I use align with DMARC (as I’ve added the necessary SPF and DKIM records to my domain’s DNS) and don’t appear to be rejected, which is as expected under the DMARC policy I’ve set.
The number of email messages spoofing my domain has grown considerably since last week, but I’m hoping that receiving mail servers are honouring my request that messages which don’t align under SPF or DKIM (and so fail DMARC) are rejected.
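The "over 102,000 messages reported via DMARC" figure comes from aggregate (RUA) reports that receivers email to the address in the DMARC record. As an added example (not the author's tooling and not code from any reporting service), the script below parses a report in the standard aggregate XML layout and separates aligned mail from unaligned mail per source IP, which is how you tell legitimate senders such as a mailing service from the spoofing sources. The report is constructed for this example; the two unaligned source addresses are ones quoted in the post, the aligned sender uses a documentation-range address.

```python
"""Summarise a DMARC aggregate (RUA) report (added example, not from the post).

SAMPLE_REPORT is constructed in the standard aggregate-report XML layout.
Aggregate reports arrive by email from arbitrary third parties, so for real
input prefer defusedxml.ElementTree, a drop-in replacement that refuses
entity-expansion tricks; the stdlib parser is used here to stay dependency-free.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>82.165.159.130</source_ip><count>4200</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>gmx.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>5.9.73.252</source_ip><count>900</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>guidedviews.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Yield one flat dict per <record> element of an aggregate report."""
    root = ET.fromstring(xml_text)
    for rec in root.findall("record"):
        row = rec.find("row")
        yield {
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            # These two are the *aligned* results the receiver used for DMARC.
            "dkim": row.findtext("policy_evaluated/dkim"),
            "spf": row.findtext("policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            # Raw authentication domains show who actually sent the mail.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        }


def summarize(xml_text):
    """Return (totals, unaligned_by_ip, by_disposition).

    A record is aligned when either aligned DKIM or aligned SPF passed; every
    other record is mail the domain owner did not authorise.
    """
    totals = {"messages": 0, "aligned": 0, "unaligned": 0}
    unaligned_by_ip = defaultdict(int)
    by_disposition = defaultdict(int)
    for r in parse_aggregate_report(xml_text):
        totals["messages"] += r["count"]
        if r["dkim"] == "pass" or r["spf"] == "pass":
            totals["aligned"] += r["count"]
        else:
            totals["unaligned"] += r["count"]
            unaligned_by_ip[r["source_ip"]] += r["count"]
        by_disposition[r["disposition"]] += r["count"]
    return totals, dict(unaligned_by_ip), dict(by_disposition)


def top_unaligned_sources(xml_text, n=5):
    """Largest spoofing sources first, as (ip, message count) pairs."""
    _, by_ip, _ = summarize(xml_text)
    return sorted(by_ip.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    totals, by_ip, by_disp = summarize(SAMPLE_REPORT)
    print(totals)
    print("dispositions:", by_disp)
    for ip, count in top_unaligned_sources(SAMPLE_REPORT):
        print(f"{ip:>16}  {count}")
```

Watching the "unaligned" total and the per-IP breakdown over successive reports is the only direct evidence a domain owner gets of whether receivers are applying the published policy: with p=reject in force, unaligned records should carry a disposition of reject, while the aligned records from your own mail services should keep a disposition of none.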
Which domains are used for spoofing?
Below are some of the domains and IP addresses that, over the past week, have each sent several hundred or more messages that I did not send (i.e. these domains and addresses are being used to spoof mine):
guidedviews.com: 5.9.73.252, 5.9.73.234, 5.9.73.253, 5.9.73.254
Wiseappearance.net: 103.94.27.29, 103.94.27.102, 103.94.27.24, 103.94.27.25, 103.94.27.30
gmx.com: 74.208.4.200, 74.208.4.201, 82.165.159.131, 82.165.159.130
specialmenus.net: 103.73.191.40, 103.73.191.72, 103.73.191.92, 103.73.191.48, 103.73.191.42
artsandnature.net: 103.73.191.107, 103.73.191.113, 103.73.191.126, 103.73.191.118, 103.73.191.150
takeconsistent.com: 103.73.191.170, 103.73.191.177, 103.73.191.194, 103.73.191.19, 103.73.191.160
kidfact5.com: 103.82.235.13, 103.82.235.15, 103.82.235.12, 103.82.235.8, 103.82.235.14
traditionalflavor.net: 103.73.191.230, 103.73.191.32, 103.73.191.254, 103.73.191.212, 103.73.191.219
programprix.com: 103.82.235.211, 103.82.235.204, 103.82.235.202
Hi Gary,
Any news on your fight against spoofers? I was getting invested in the tale and wanted to hear how things turned out.
Andrey
Hi Andrey,
The DMARC policy has worked extremely well. Whilst I continue to have my email address used by spoofers, I monitor using Postmark and the numbers are very low.
I advise all my clients to use DMARC!