Most active commenters
  • JumpCrisscross(4)

←back to thread

Spammers are better at SPF, DKIM, and DMARC than everyone else

(toad.social)
429 points pabs3 | 22 comments | 25 Mar 25 08:14 UTC | HN request time: 0s | source | bottom
Show context
jeroenhd ◴[25 Mar 25 11:00 UTC] No.43469827[source]
For me, as someone with their own mail server, these technologies mostly serve to inform me that Russian IP addresses are still trying to send email in the name of my domain for some stupid reason.

It makes sense that people whose business is sending email know how to set up email correctly. I'm mostly surprised at how many legitimate sysadmins struggle with getting the basics correct. Surely those dozens of DMARC emails you get that your sendgrid email has been refused because of a bad SPF signature should set in motion some kind of plan to ask if maybe marketing is using them legitimately?

Automated signatures are of limited value but I rarely see rejections based on SPF and DKIM that are a mistake. Things are probably worse for big organizations but as a small email server, technical rejections are usually the right call. The only exception is mailing lists, but the dozens of people who still use those can usually figure out how to add an exception for them.

replies(6): >>43470005 #>>43470195 #>>43470668 #>>43471472 #>>43473790 #>>43482338 #
JumpCrisscross ◴[25 Mar 25 13:00 UTC] No.43470668[source]
> Russian IP addresses are still trying to send email in the name of my domain for some stupid reason

For what it's worth, I've started seeing cybersecurity insurers requiring riders and extra payments if you don't block Russian IPs.

replies(3): >>43471030 #>>43471308 #>>43477981 #
1. CableNinja ◴[25 Mar 25 13:30 UTC] No.43471030[source]
Ive got a server hosting a number of things, amd monitoring setup for a lot of stats. Got tired of seeing blips because various countries were beating on my server, not a DoS, but enough requests to notice, and sometimes generate an alert. I blocked 7 countries, in full, and the impact was fantastic. No more 2gb of logs generated every day by countries that have no business accessing my server.

Unless you own a global business, i see no reason to even allow other countries access. The potential for attacks is too great, especially from some very specific countries.

replies(4): >>43471056 #>>43471322 #>>43471670 #>>43473772 #
2. JumpCrisscross ◴[25 Mar 25 13:31 UTC] No.43471056[source]
> I blocked 7 countries

Russia, China, Nigeria, Romania, North Korea, Iran and Belarus [1]?

[1] https://www.ox.ac.uk/news/2024-04-10-world-first-cybercrime-...

replies(3): >>43471351 #>>43477230 #>>43479195 #
3. smithkl42 ◴[25 Mar 25 13:52 UTC] No.43471322[source]
I'm the CTO of a US-based insurance company. Apart from some reinsurers in London and Bermuda, and a couple contractors in Canada, we don't do business outside the US. We've blocked all countries except those, and it has cut down massively on the folks attacking us.
replies(3): >>43471833 #>>43473634 #>>43476777 #
4. ziddoap ◴[25 Mar 25 13:54 UTC] No.43471351[source]
How/why did you pick these 7?

Using your link: Ukraine, USA, UK, Brazil, & India all rank higher than Iran and Belarus. US & Ukraine rank higher than Nigeria and Romania.

replies(2): >>43471467 #>>43472466 #
5. kasey_junk ◴[25 Mar 25 14:03 UTC] No.43471467{3}[source]
Those countries likely have a higher chance of real traffic as well. If I’m doing business in Nigeria then obviously I can’t block it even if it ranks high on the threat level.
replies(1): >>43471581 #
6. ziddoap ◴[25 Mar 25 14:11 UTC] No.43471581{4}[source]
Yes, obviously you don't block the countries you plan to do business with. I got that much.

It probably makes sense to leave the US out of the list, assuming the CableNinja is in North America.

The rest seems pretty arbitrarily chosen, though. JumpCrisscross gave no additional context to why they left out Ukraine, Brazil, India, UK, when picking countries from the list they linked. They have higher cybercrime index ranks.

Whether they have a higher chance of "real" traffic is highly dependent on the business in question.

I'm sure there is some amount of thought behind the choice, beyond just using the index, which is why I'm asking.

replies(1): >>43472105 #
7. jamespo ◴[25 Mar 25 14:18 UTC] No.43471670[source]
A nice GH project for this: https://github.com/friendly-bits/geoip-shell?tab=readme-ov-f...
8. elcritch ◴[25 Mar 25 14:33 UTC] No.43471833[source]
Lots of companies do this on their websites now using cloud flare or something similar. It’s practical. Still it’s frustrating as a user when you’re traveling over in Europe and can’t access your accounts to pay bills or whatnot.
replies(1): >>43472068 #
9. robocat ◴[25 Mar 25 14:52 UTC] No.43472068{3}[source]
Next time I travel overseas I'll have a VPN ready.

My bank had some technical problem that prevented access from overseas last time I traveled and I couldn't access my account (which was extremely inconvenient).

replies(2): >>43472262 #>>43473007 #
10. aftbit ◴[25 Mar 25 14:54 UTC] No.43472105{5}[source]
Let me throw out a guess: Ukraine is a wartime ally, Brazil is the seventh largest country in the world, India is the first, and the UK speaks English and has a lot of connections to USA.
replies(1): >>43472342 #
11. elcritch ◴[25 Mar 25 15:08 UTC] No.43472262{4}[source]
Commercial VPNs are often blocked too. I found a p2p vpn to my home network + ssh socks5 proxy to work well.
12. JumpCrisscross ◴[25 Mar 25 15:13 UTC] No.43472342{6}[source]
They're each also popular IT outsourcing destinations who aren't sanctioned. You may not do business in Ukraine or Brazil, but chances are one of your customers or contractors do, and blocking those IPs isn't usually in the first or second swipe. (If you're blocking the UK and India, you're probably blocking all foreign IPs.)
13. edm0nd ◴[25 Mar 25 15:25 UTC] No.43472466{3}[source]
We (a US org) block all countries listed on the OFAC list

https://ofac.treasury.gov/sanctions-programs-and-country-inf...

14. gabeio ◴[25 Mar 25 16:15 UTC] No.43473007{4}[source]
Most banks that will work with. For what ever reason the bank I now use knows most vpn providers and completely blocks all traffic from them so using a vpn is not an option either. The “vpn” I’ll have to use is tunneling back to my home ip. It’s actually quite frustrating.
15. ZeroTalent ◴[25 Mar 25 17:18 UTC] No.43473634[source]
Kinda similar, but when I looked at the finances, I was surprised by how much money we're getting from places like the Cayman Islands, Switzerland, and the Emirates.
16. jillyboel ◴[25 Mar 25 17:30 UTC] No.43473772[source]
just close the tcp sockets and you wont even notice them trying to connect and failing

do you also log everyone who looks at your house? it's a self inflicted problem

replies(1): >>43475685 #
17. fc417fc802 ◴[25 Mar 25 20:38 UTC] No.43475685[source]
At least in the case of VPS my experience has been 99% failed ssh attempts. I just use nftables to rate limit those to 2 failed attempts per minute. Log size is quite modest and can easily filter out failed attempts when viewing.
18. trod1234 ◴[25 Mar 25 22:32 UTC] No.43476777[source]
Have you considered the additional cost of making it harder for your customers to do business with you, as well as the limited visibility that you set up for attacks that may become multi-stage in nature later?

You never see or collect the information by blocking everything at the outset.

In a world where you can proxy past these blocks fairly trivially, that's information you don't have for attribution later.

Defense in depth, or layered defenses are a best approach, but not if they blind you equally.

replies(1): >>43479119 #
19. CableNinja ◴[25 Mar 25 23:33 UTC] No.43477230[source]
Pretty close tbh. Sub romania for brazil, and nigeria, for... i dont remember right now
20. UltraSane ◴[26 Mar 25 05:26 UTC] No.43479119{3}[source]
As someone who has whitelisted only US IP address space for my employer and blocked everything else I can attest that is DRASTICALLY reduces hostile traffic to us. I have an RDP honeypot that was blocking dozens of IPs every day before the whitelist and now it blocks 1 or 2 a day.
21. throwaway2037 ◴[26 Mar 25 05:42 UTC] No.43479195[source]
Romania!? I did a double-take, as it is a member of the European Union. I would think if their cyber-reputation was so terrible, there would be pressure from inside the EU to fix it.
replies(1): >>43481165 #
22. JumpCrisscross ◴[26 Mar 25 11:50 UTC] No.43481165{3}[source]
They’re a small economy with lots of hostile traffic, so while in the EU and not sanctioned like the rest of the bunch, I’ve commonly seen them on the chopping block.