Hoping someone has some insights. I have a client that has 50% of their DMARC reported email coming from what I believe is a botnet spoofing their domain to send spam for the past 6+ months.
The evidence I see for a botnet for non-complaint DMARC email:
-most of the sending servers are .nxdomain or .servfail (missing)
-IP addresses of senders are dispersed across 50+ countries
-most of the dmarc service reports are coming from mail.ru
-users are in Russia or former Soviet states
We have the p=quarantine, pct=100, so most of this stuff is being quarantined.
My question - are there other actions we can or should take to prevent this botnet action? Would setting p=reject help stop this spamming? Would prefer not to do this unless we understand it will be effective (it will affect some legitimate mail)
Any one with experience in managing these situations, would be great to hear any input.
This is happening to my domain as well. Volume varies from week to week, but all of it gets reported by mail.ru … lot of nxdomain, serfail, and many many different country sources from IPs that have a poor reputation according to Talos.
As far as your question goes, I don’t think so. We have p=reject pct=100 due to this massive spam. My research hasn’t yielded and type of preventative action we can take. The best thing you can do is improve your compliance with your legitimate email sources and increase the aggressiveness of your DMARC policy.
I can’t guarantee that this will solve the issue but my main suggestion would be to move the domain’s dmarc policy to the “reject” level. The enforcement of dmarc is dependent on how the receiving server is programmed to handle it. From what I have observed, some servers do not seem to treat dmarc failures much (if any) differently at the “quarantine” level than they do at the “none” level. However, changing to a “reject” policy seemed more likely to produce hard failures for malicious messages in my experience. This is what you want - hard bounces/undelivered mail. “Quarantine” might land the message in the recipients junkmail folder, but it is still delivered and no bounce failure message is produced. From the spammers perspective there is still a chance their message gets read since it didn’t bounce. With cybercrime “profits” reaching higher than ever, my assumption is that badguys might just be paying enough attention to their “business” that if their e-mails are bouncing a lot for a particular spoofed domain, that they would cull it from their inventory and focus on spamming with other domains that are easier to spoof. Whether or not that is reality I’m not sure but if you’re not at the “reject” level, then there’s still more you can do with dmarc before you throw your hands up in the air.
Also, if the domain’s SPF record doesn’t include a “-all” hard fail, make sure to put this setting in place as well. You want the spam messages that spoof your client’s domain to bounce. Do everything possible to make that happen.
Have you thought of submitting IP addresses to ISPs? Tried to get in contact with a couple of providers, but couldn’t get a response via publicly available info. DMARC reject data probably has a really good map of botnet sources.
Remember, you cannot prevent determined people from sending mail “from your domain”. With DMARC, you can only suggest (p=) that receiving mail exchanges quarantine or reject mails that doesn’t pass as legitimate/authorized in DMARC checks.
