Last week I wrote about how my domain is being used for spoofing. I also mentioned how the only way to try to protect your domain reputation from spoofing is to add a DMARC DNS record to your domain. Unfortunately anyone can send spam and malware messages and add your email address as the sender; there is nothing to stop anyone from misrepresenting who they are.
There are spam laws in place (such as the Australian Spam Act 2003) however spammers are very adept at making it extremely difficult for the authorities to prosecute the spammers. It is very important that domain owners make it as difficult as possible for spoofers (such as by adding and monitoring DMARC records).
Can you stop your domain being used for email spoofing?
I have had alot of contact from people enquiring whether my actions of adding a DMARC DNS record has helped. Unfortunately it really isn’t possible to answer whether my adding a DMARC record has been a success. What I have done in the past week is change the DMARC policy from quarantine to reject. The effect of making this change is that receiving servers should then eliminate the unaligned messages rather than place them in the recipients spam or junk folder. I did this because I had contact from quite a few people (particularly Bigpond customers) that checked their junk message folders and then contacted me asking that I don’t send spam email to them (most of the email messages were advertising Bitcoin services).
[DMARC] gives the legitimate owner of an Internet domain a way to request that illegitimate messages – spoofed spam, phishing – be put directly in the spam folder or rejected outright. DMARC.org
When the spoofing started, the originating servers were mostly GMX servers with the following IP addresses; 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52. In the past week over 102,000 messages have been reported via DMARC as being sent by my domain with a minute fraction actually being sent by me or the services I use (e.g. Mailchimp). The services I use align with DMARC (as I’ve added the necessary SPF and DKIM records to my domain DNS) and don’t appear to be rejected (which is as expected per the DMARC policy I’ve set).
The number of email messages being sent as spoofing my domain has grown considerably since last week but I’m hoping that receiving mail servers are adhering to my request that messages that don’t align with SPF or DMARC are rejected.
Which domains are used for spoofing
Below are some of the domains and IP addresses that, over the past week, have sent several hundred messages or more where I haven’t sent the message (i.e. the below domains are being used for spoofing):