Detect email abuse using DMARC reports

With DMARC, you can specify a destination for reports on e-mails (claiming to come) from your domain. This also allows you to detect when a malicious script on one or more of your own servers is sending unsolicited emails.

DMARC allows you to specify a destination for aggregate (rua) and failure (ruf) reports regarding emails (that claim to be) from your domain. This also allows you to detect when a malicious script on one or more of your servers sends unsolicited emails.

Last week, we saw a massive increase in aggregate and failure reports for one of our users. We informed the user, and after we’d resolved the problem, they kindly allowed us to use their anonymized data to show others how to detect and resolve this type of abuse.

DMARC aggregate

When a malicious script sends (vast amounts of) emails, the biggest problem is that SPF will not fail because the email originates from your server(s). If messages are sent through your MTA, the email is probably also signed with DKIM. Because both SPF and DKIM will align, the receiving mail servers will not reject the messages based on the DMARC policy.

The first thing you will probably notice is the massive increase in the number of reports you receive. For example, if your domain typically sends about 100 emails a day, and suddenly you receive reports for more than 190,000 emails, you are likely to have a problem.

URIports.com DMARC aggregate abuse detection

Liquid Layer Networks

Powered by:

HostCheetah Networks
Global Web Hosting, Domain Registration, and Internet Services