Hello dmarcian community,
Hoping someone has some insights. I have a client that has 50% of their DMARC reported email coming from what I believe is a botnet spoofing their domain to send spam for the past 6+ months.
The evidence I see for a botnet for non-compliant DMARC email:
-most of the sending servers are .nxdomain or .servfail (missing)
-IP addresses of senders are dispersed across 50+ countries
-most of the DMARC service reports are coming from mail.ru
-users are in Russia or former Soviet states
We have the p=quarantine, pct=100, so most of this stuff is being quarantined.
My question - are there other actions we can or should take to prevent this botnet action? Would setting p=reject help stop this spamming? Would prefer not to do this unless we understand it will be effective (it will affect some legitimate mail).
Anyone with experience in managing these situations, would be great to hear any input.
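As an added worked example (not from the post above and not dmarcian's own tooling): a small Python script that parses a DMARC aggregate (RUA) report in the RFC 7489 XML format, tallies how much of the reported volume fails DMARC and what the receiver did with it, lists the failing source IPs, and splits the failures into those from networks the domain owner operates (the legitimate mail a move to p=reject would cost) and those from unknown sources. The embedded report, its reporter name, counts and IP addresses (RFC 5737 documentation ranges) are all constructed; the known-network list passed to `split_failures` is a hypothetical parameter you would fill from your own sending infrastructure.

```python
"""Tally a DMARC aggregate (RUA) report: failing share, dispositions,
failing source IPs, and which failures come from networks you control.

Added example code, not part of the original post or of any vendor tool.
SAMPLE_REPORT is constructed: reporter name, counts and IPs are made up.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed RFC 7489 aggregate report: one aligned sender that passes,
# two unrelated sources that fail both SPF and DKIM and were quarantined
# under the published p=quarantine policy.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>example-reporter.invalid</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>90</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Parse one RUA report into metadata plus one dict per <record>."""
    data = xml_text if isinstance(xml_text, bytes) else xml_text.encode("utf-8")
    root = ET.fromstring(data)
    records = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")  # the receiver's *aligned* verdicts
        records.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "records": records,
    }


def dmarc_pass(record):
    """DMARC passes when either aligned identifier passes (RFC 7489 6.6.2)."""
    return record["dkim"] == "pass" or record["spf"] == "pass"


def summarize(report):
    """Volume totals, failing share, dispositions applied, top failing IPs."""
    recs = report["records"]
    total = sum(r["count"] for r in recs)
    failed = sum(r["count"] for r in recs if not dmarc_pass(r))
    by_disposition = Counter()
    top_failing = Counter()
    for r in recs:
        by_disposition[r["disposition"]] += r["count"]
        if not dmarc_pass(r):
            top_failing[r["ip"]] += r["count"]
    return {
        "reporter": report["reporter"],
        "published_policy": report["published_policy"],
        "total": total,
        "failed": failed,
        "fail_share": failed / total if total else 0.0,
        "by_disposition": dict(by_disposition),
        "top_failing_ips": top_failing.most_common(10),
    }


def split_failures(report, known_networks):
    """Split failing volume into sources inside networks you operate
    (legitimate mail that would be affected by p=reject) and the rest.
    known_networks is a hypothetical list of CIDR strings you maintain."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    known, unknown = Counter(), Counter()
    for r in report["records"]:
        if dmarc_pass(r):
            continue
        ip = ipaddress.ip_address(r["ip"])
        bucket = known if any(ip in n for n in nets) else unknown
        bucket[r["ip"]] += r["count"]
    return dict(known), dict(unknown)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(summarize(rep))
    print(split_failures(rep, ["203.0.113.0/24"]))
```

Run it over the real XML files behind the dmarcian feed rather than the constructed sample. The volume that shows up under `failed` is exactly the volume a p=reject policy acts on, since both p=quarantine and p=reject apply to messages that fail DMARC (subject to `pct` and to any receiver local-policy override noted in the report's `reason` element); what changes is that receivers refuse it at SMTP time instead of quarantining. The `known` half of `split_failures` is therefore the number to reconcile with your own senders before changing `p`.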