

Anyone getting SPAM to their DMARC address?




Posted by ImageLogic, 02-21-2017, 06:44 PM
Periodically our DMARC address is getting zip files from domains in China and Czechoslovakia. We're getting perhaps one a week. We have yet to get one from a US or EU address. Without knowing a bit more about the source, I hesitate to open these Chinese or Czechoslovakian zip files labeled "DMARC aggregate report" and naming a legitimate URL that we host. Other than WHOIS and reputable reputation trackers like Spamhaus, what's a good way to check out the sender before hauling the zip file by sneakernet over to a sacrificial machine and opening it?

Aza D. Oberman, February 2017

Posted by oldgrunt, 02-21-2017, 07:54 PM
Unless you send email to and from China, I don't see why you would get sent that.

Posted by steven99, 02-21-2017, 09:43 PM
The reports could indicate spoofing going on for the domain, though they could just be a virus hiding in the zip file pretending to be the report. It is a nice feature of DMARC, but I would also be cautious about opening them. Do you have a ruf tag also, or just rua? Ruf would be a better report, I think, as it indicates only failures, where rua is all connections.

Posted by ImageLogic, 02-21-2017, 09:57 PM
It's the logical way that someone might get the _dmarc TXT value from an email, as oldgrunt suggests, but I get the impression that DNS settings are pretty much out there for anyone to see. What makes me wary is that the first domain on a shared IP was cited. It's not out of the realm of possibility that an email went to China or Czechoslovakia. Ours is an in-house server for an engineering outfit. Both countries offer fairly sophisticated manufacturing services and purchase engineering services. That said, a quick grep of the mail logs doesn't show any notable activity pointed at what look like Chinese or Czechoslovakian addresses. I wonder if anyone on WHT has experience creating a fresh virtual machine from a restore point and then opening these suspect .gz and .zip files within the virtual machine. In theory at least, any malware released on unpacking should be confined within the virtual machine and deleted when the virtual machine is deleted. 'Course, that's theory. The real world might be a vastly different matter...

Regards, Aza

Posted by ImageLogic, 02-21-2017, 10:10 PM
Good point! Doesn't "rua" ask for insight into the recipient's mail screening procedures, while "ruf" asks only to know where the mail failed during screening? Following that logic, using 'rua=...' encourages a bit more feedback than I'm prepared to handle. I gotta go back and read up on handling DMARC responses. It sounds like it could ultimately generate a good bit of legitimate backflow traffic. Thanks for the thought,

Aza

Posted by steven99, 02-22-2017, 01:03 PM
In theory, it would work. In the real world, and depending on the malware and the VM software used, it could escape the VM and get into the hardware node. It all depends on the VM software and any vulnerabilities. As for rua, I don't think it contains mail filtering info, like what score SpamAssassin gave it. https://blog.returnpath.com/how-to-r...eports-part-1/ has a write-up on it, and on the ruf in a second blog post. It would be nice if it did have that, but I could see spammers using that intel to make their spam even sneakier. So, yes, ruf would be a better report, as it only contains fails and is sent out immediately for every message failed. It also contains headers of the message(s), which (not sure) could contain the mail filtering info.
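Added example (not part of the thread, and not anyone's posted code): a Python triage script for the situation in the first post, which also shows what an aggregate (rua) report actually contains, as discussed in the last two replies. It vets the attachment before anyone opens it: the outer filename is checked against the RFC 7489 section 7.2.1.1 convention (receiver!policy-domain!begin!end), the container must be a zip or gzip holding exactly one small .xml member (an .exe, a script or a nested archive behind a report-like name is rejected), DTD and entity declarations are refused before the XML is parsed, and the report is rejected unless its policy_published/domain is ours. It then summarises the records, which in a rua report are per-source-IP counts with the policy_evaluated DKIM and SPF results, not spam-filter scores. All domain names, IP addresses and the sample report below are constructed for the example.

```python
import gzip
import io
import re
import xml.etree.ElementTree as ET
import zipfile

MAX_XML_BYTES = 16 * 1024 * 1024  # real aggregate reports are small; a larger payload is a red flag

# RFC 7489 section 7.2.1.1 filename convention:
#   receiver "!" policy-domain "!" begin-timestamp "!" end-timestamp [ "!" unique-id ] "." extension
# The RFC names xml / xml.gz; .zip is what many receivers actually send, so it is accepted too.
FILENAME_RE = re.compile(
    r"^(?P<receiver>[A-Za-z0-9.-]+)!(?P<domain>[A-Za-z0-9.-]+)!(?P<begin>\d+)!(?P<end>\d+)"
    r"(?:!(?P<uid>[A-Za-z0-9]+))?\.(?:xml|xml\.gz|zip|gz)$"
)


def extract_payload(data: bytes) -> bytes:
    """Unpack a zip or gzip container, refusing anything except exactly one small .xml member."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) != 1:
                raise ValueError(f"expected exactly one zip member, found {len(infos)}")
            name = infos[0].filename
            # an executable, script or nested archive is a lure; a path separator is a traversal attempt
            if "/" in name or "\\" in name or not name.lower().endswith(".xml"):
                raise ValueError(f"unexpected zip member name {name!r}")
            with zf.open(infos[0]) as member:
                payload = member.read(MAX_XML_BYTES + 1)  # cap the read; never trust the declared size
    elif data[:2] == b"\x1f\x8b":
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            payload = gz.read(MAX_XML_BYTES + 1)
    else:
        raise ValueError("attachment is neither a zip nor a gzip container")
    if len(payload) > MAX_XML_BYTES:
        raise ValueError("decompressed payload exceeds the size limit")
    return payload


def parse_aggregate_report(xml_bytes: bytes, our_domain: str) -> dict:
    """Parse the rua XML and summarise it; reject reports that are not about our domain."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations have no business in an aggregate report")
    root = ET.fromstring(xml_bytes)
    if root.tag != "feedback":
        raise ValueError(f"unexpected root element {root.tag!r}")
    policy_domain = (root.findtext("policy_published/domain") or "").strip()
    if policy_domain.lower() != our_domain.lower():
        raise ValueError(f"report is about {policy_domain!r}, not {our_domain!r}")
    records = [{
        "source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count") or 0),
        "disposition": rec.findtext("row/policy_evaluated/disposition"),
        "dkim": rec.findtext("row/policy_evaluated/dkim"), "spf": rec.findtext("row/policy_evaluated/spf"),
    } for rec in root.findall("record")]
    # a message passes DMARC when either aligned DKIM or aligned SPF passed; everything else failed
    failing = sum(r["count"] for r in records if r["dkim"] != "pass" and r["spf"] != "pass")
    return {"org_name": root.findtext("report_metadata/org_name"), "report_id": root.findtext("report_metadata/report_id"),
            "domain": policy_domain, "records": records, "failing_messages": failing}


def triage_attachment(filename: str, data: bytes, our_domain: str) -> dict:
    """Return a verdict plus reasons instead of raising, so this can sit in a mail-processing hook."""
    reasons, report = [], None
    m = FILENAME_RE.match(filename)
    if not m:
        reasons.append("filename does not follow the receiver!domain!begin!end convention")
    elif m.group("domain").lower() != our_domain.lower():
        reasons.append(f"filename names policy domain {m.group('domain')!r}, not {our_domain!r}")
    try:
        report = parse_aggregate_report(extract_payload(data), our_domain)
    except (ValueError, EOFError, zipfile.BadZipFile, OSError, ET.ParseError) as exc:
        reasons.append(str(exc))
    return {"verdict": "reject" if reasons else "accept", "reasons": reasons, "report": report}


def _zip_bytes(member_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name><report_id>12345</report_id>
    <date_range><begin>1487548800</begin><end>1487635199</end></date_range></report_metadata>
  <policy_published><domain>ourdomain.example</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>40</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>
"""
GOOD_NAME = "reporter.example!ourdomain.example!1487548800!1487635199.zip"  # constructed sample data, not a real report
GOOD_ZIP = _zip_bytes(GOOD_NAME[:-4] + ".xml", SAMPLE_XML)
GOOD_GZ = gzip.compress(SAMPLE_XML)  # same report, gzip-compressed, named GOOD_NAME[:-4] + ".xml.gz"
LURE_ZIP = _zip_bytes("DMARC aggregate report.exe", b"MZ\x90\x00" + b"\x00" * 64)  # executable, not XML

if __name__ == "__main__":
    print(triage_attachment(GOOD_NAME, GOOD_ZIP, "ourdomain.example"))
    print(triage_attachment(GOOD_NAME, LURE_ZIP, "ourdomain.example"))
```

Running it prints an accepted report followed by a rejected lure. Two caveats: failure (ruf) reports use a different format (AFRF, RFC 6591) with the message headers attached and are not handled here; and a pass from this triage means the attachment is a well-formed aggregate report about your domain, not that the sender is who it claims. Aggregate reports come from whichever receivers saw mail with your domain in the From header, including spoofed mail, so reporters in countries you never write to are expected rather than suspicious in themselves.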


