
429 points pabs3 | 3 comments
jeroenhd No.43469827
For me, as someone with their own mail server, these technologies mostly serve to inform me that Russian IP addresses are still trying to send email in the name of my domain for some stupid reason.

It makes sense that people whose business is sending email know how to set up email correctly. I'm mostly surprised at how many legitimate sysadmins struggle with getting the basics correct. Surely those dozens of DMARC emails you get that your SendGrid email has been refused because of a bad SPF signature should set in motion some kind of plan to ask if maybe marketing is using them legitimately?

Automated signatures are of limited value but I rarely see rejections based on SPF and DKIM that are a mistake. Things are probably worse for big organizations but as a small email server, technical rejections are usually the right call. The only exception is mailing lists, but the dozens of people who still use those can usually figure out how to add an exception for them.

JumpCrisscross No.43470668
> Russian IP addresses are still trying to send email in the name of my domain for some stupid reason

For what it's worth, I've started seeing cybersecurity insurers requiring riders and extra payments if you don't block Russian IPs.

CableNinja No.43471030
I've got a server hosting a number of things, and monitoring set up for a lot of stats. Got tired of seeing blips because various countries were beating on my server, not a DoS, but enough requests to notice, and sometimes generate an alert. I blocked 7 countries, in full, and the impact was fantastic. No more 2 GB of logs generated every day by countries that have no business accessing my server.

Unless you own a global business, I see no reason to even allow other countries access. The potential for attacks is too great, especially from some very specific countries.

JumpCrisscross No.43471056
> I blocked 7 countries

Russia, China, Nigeria, Romania, North Korea, Iran and Belarus [1]?

[1] https://www.ox.ac.uk/news/2024-04-10-world-first-cybercrime-...

ziddoap No.43471351
How/why did you pick these 7?

Using your link: Ukraine, USA, UK, Brazil, & India all rank higher than Iran and Belarus. US & Ukraine rank higher than Nigeria and Romania.

kasey_junk No.43471467
Those countries likely have a higher chance of real traffic as well. If I’m doing business in Nigeria then obviously I can’t block it even if it ranks high on the threat level.

1. ziddoap No.43471581
Yes, obviously you don't block the countries you plan to do business with. I got that much.

It probably makes sense to leave the US out of the list, assuming CableNinja is in North America.

The rest seems pretty arbitrarily chosen, though. JumpCrisscross gave no additional context as to why they left out Ukraine, Brazil, India, UK, when picking countries from the list they linked. They have higher cybercrime index ranks.

Whether they have a higher chance of "real" traffic is highly dependent on the business in question.

I'm sure there is some amount of thought behind the choice, beyond just using the index, which is why I'm asking.

2. aftbit No.43472105
Let me throw out a guess: Ukraine is a wartime ally, Brazil is the seventh largest country in the world, India is the first, and the UK speaks English and has a lot of connections to USA.

3. JumpCrisscross No.43472342
They're each also popular IT outsourcing destinations that aren't sanctioned. You may not do business in Ukraine or Brazil, but chances are one of your customers or contractors does, and blocking those IPs isn't usually in the first or second swipe. (If you're blocking the UK and India, you're probably blocking all foreign IPs.)