Hello Frank, Thanks for pointing out your script I was excited to see that it was lua script and I see it require momentum but I thought it might be interesting to hear about your set-up.
Since I don’t really know anything about them and I’m experimenting right now. Thanks, Ben > On Feb 1, 2016, at 6:15 PM, Franck Martin <fmar...@linkedin.com> wrote: > > If you have p=none, then the email is accepted regardless where it comes from. > > Once you put p!=none, then the email may be rejected unless it is coming from > known forwarders, in this case this flag is raised to let you know the email > should have been rejected but was accepted nevertheless because it is coming > from a known forwarder. > > I took a different approach to indicate the exceptions when DMARC fails, even > for p=none. It requires additional compute time. You can see it at > https://github.com/linkedin/dmarc-msys/blob/master/dmarc.lua#L685 > <https://github.com/linkedin/dmarc-msys/blob/master/dmarc.lua#L685> > > So it will all depend on how the receiver handles the exceptions to the DMARC > policy. > > > On Mon, Feb 1, 2016 at 7:54 AM, Ben Greenfield via dmarc-discuss > <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > > > On Jan 31, 2016, at 5:16 AM, Ben Greenfield via dmarc-discuss > > <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > > > > I finally got my google reports for the past 2 days and I was able to run > > them through dmarcian.com <http://dmarcian.com/>. > > > > I would say it takes about a week for a newly dmarc’ed domain to be pulled > > from the spambots to drop a domain. > > > > Since configuring dmarc started out with 4260 forwarders threat/unknown’s > > on 1/21 to a high of 10,025 on 1/27 moving to 181 for 1/30. > > That 81 has no morphed in 2034 and for 1/31 I’m up to 2579 forwarders and > threats unknown. > > Ben > > > > > > I like that trend. > > > > Thanks, > > > > Ben > > > > > >> On Jan 27, 2016, at 7:45 PM, John Corey Miller via dmarc-discuss > >> <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > >> > >> Thanks Tim! > >> > >> I currently don’t have a dmarcian account, I just use the site as a > >> resource for your tools and information. I could join up tomorrow when I > >> get into work if it would help you solve this problem. Our DKIM records > >> had to be changed just a couple of days prior to going to full reject if > >> that might have caused this… but drastic measures had to be taken as our > >> dmarc reports were showing something like 80-95% was straight up junk. > >> > >> Thanks, > >> John Miller > >> > >>> On Jan 27, 2016, at 6:51 PM, Tim Draegen via dmarc-discuss > >>> <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > >>> > >>>> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss > >>>> <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > >>>> > >>>> We have Google Apps for Business set-up with our domain name for our > >>>> business. > >>>> > >>>> Since making the change to fully reject mail that fails dmarc, the > >>>> number of messages counted as coming through "Forwarders" on our dmarc > >>>> reports when run through this tool https://dmarcian.com/dmarc-xml/ > >>>> <https://dmarcian.com/dmarc-xml/> has drastically increased. In many > >>>> cases these new "Forwarders" are the same IPs that previously were > >>>> coming through as "Threat/Unknown" (clearly fishers.) > >>>> > >>>> Does this mean that after seeing that google started rejecting their > >>>> e-mails they changed something about how they're sending them to attempt > >>>> to circumvent these rejections? If so, does any action have to be taken > >>>> to prevent this circumvention? > >>> > >>> > >>> Hi John, > >>> > >>> FWIW, you can email supp...@dmarcian.com <mailto:supp...@dmarcian.com> > >>> with any dmarcian-related questions. I spend a lot of time there > >>> answering questions.. which is a bit easier as then I can look & comment > >>> about your data! > >>> > >>> That said, some replies to this thread are likely true. If you're seeing > >>> the "forwarded" flag explicitly set, then this means the receiver in > >>> question accepted the email regardless of your published policy, as they > >>> understand the email to..well, be forwarded. > >>> > >>> It is not exactly common, but over the past few years certain > >>> spammers/phishers have figured out how to exploit servers that are being > >>> recognized as "forwarders" by the big players. Once these servers are > >>> identified, they try to deliver as much crap as they can before being > >>> stopped. And... the cycle continues. > >>> > >>> A different idea is that "reject" happened after putting in place DKIM > >>> signatures. The dmarcian site does a better job identifying "Forwarders" > >>> (as a category, and not as a flag in XML) when DKIM is in place. So if > >>> you did DKIM and reject at ~same time, this might be a factor. However, > >>> if you're seeing junk from all over the world, it's worth dropping a note > >>> to supp...@dmarcian.com <mailto:supp...@dmarcian.com> and we'll package > >>> up your data along with a note to the bigger players to plug their holes. > >>> > >>> =- Tim > >>> > >>> _______________________________________________ > >>> dmarc-discuss mailing list > >>> dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org> > >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss > >>> <http://www.dmarc.org/mailman/listinfo/dmarc-discuss> > >>> > >>> NOTE: Participating in this list means you agree to the DMARC Note Well > >>> terms (http://www.dmarc.org/note_well.html > >>> <http://www.dmarc.org/note_well.html>) > >> > >> > >> _______________________________________________ > >> dmarc-discuss mailing list > >> dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org> > >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss > >> <http://www.dmarc.org/mailman/listinfo/dmarc-discuss> > >> > >> NOTE: Participating in this list means you agree to the DMARC Note Well > >> terms (http://www.dmarc.org/note_well.html > >> <http://www.dmarc.org/note_well.html>) > > > > > > _______________________________________________ > > dmarc-discuss mailing list > > dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org> > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > <http://www.dmarc.org/mailman/listinfo/dmarc-discuss> > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > > terms (http://www.dmarc.org/note_well.html > > <http://www.dmarc.org/note_well.html>) > > > _______________________________________________ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > <http://www.dmarc.org/mailman/listinfo/dmarc-discuss> > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html <http://www.dmarc.org/note_well.html>) >
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
