Hector Santos wrote:
MH Michael Hammer (5304) wrote:
Remember, it's not static, it's dynamic. What was a non-phished domain
yesterday could be a phished domain today or tomorrow. DKIM isn't a
magic bullet, it's one more tool in the toolbox. I've found that in
combination with SPF it works very nicely on double fail and none/fail
as far as catching badness with very little impact on legitimate mail.
What sort of phishing are we talking about? Identities or the context?
This is what I see in today's log of malicious spoofing and phishing
of our three main domains (all rejected).
From: Rolex.com <hector(_at_)santronics(_dot_)com>
From: announcements(_at_)santronics(_dot_)com
From: sales(_at_)santronics(_dot_)com
From: Rolex.com <hsantos(_at_)santronics(_dot_)com>
From: Rolex.com <usiqbzcx(_at_)santronics(_dot_)com>
From: Rolex.com <hector(_at_)santronics(_dot_)com>
From: Rolex.com <johnsmithsvt(_at_)santronics(_dot_)com>
From: Rolex.com <andrea(_dot_)santos(_at_)santronics(_dot_)com>
From: Rolex.com <juarez(_at_)winserver(_dot_)com>
From: Rolex.com <powersgilhphy(_at_)winserver(_dot_)com>
From: andy(_dot_)armstrong(_at_)winserver(_dot_)com
From: Rolex.com <andrew(_dot_)allen(_at_)winserver(_dot_)com>
From: Rolex.com <hector(_at_)winserver(_dot_)com>
From: Rolex.com <huddlestonlutmp(_at_)winserver(_dot_)com>
From: floydjjtml(_at_)winserver(_dot_)com
From: Rolex.com <hurstfwrfxyd(_at_)winserver(_dot_)com>
From: floydjjtml(_at_)winserver(_dot_)com
From: samuel(_dot_)mangrum(_at_)winserver(_dot_)com
From: ildefonso(_at_)winserver(_dot_)com
From: Rolex.com <michael(_dot_)a(_dot_)lee(_at_)winserver(_dot_)com>
From: Rolex.com <samuel(_dot_)mangrum(_at_)winserver(_dot_)com>
From: Rolex.com <guawaldemarwaldemar(_at_)winserver(_dot_)com>
From: Rolex.com <matt(_dot_)rinehart(_at_)winserver(_dot_)com>
From: Rolex.com <hurstfwrfxyd(_at_)winserver(_dot_)com>
From: codeproject(_at_)winserver(_dot_)com
From: Rolex.com <ht(_at_)winserver(_dot_)com>
From: Rolex.com <ht(_at_)winserver(_dot_)com>
From: Rolex.com <john(_dot_)klapp(_at_)winserver(_dot_)com>
From: Rolex.com <joshua(_dot_)saunders(_at_)winserver(_dot_)com>
From: xml-dev(_at_)winserver(_dot_)com
From: chris(_dot_)shuemaker(_at_)winserver(_dot_)com
From: aaron(_dot_)de(_dot_)bruyn(_at_)winserver(_dot_)com
From: Rolex.com <hurstfwrfxyd(_at_)winserver(_dot_)com>
From: Rolex.com <jeremiah(_dot_)ragsdale(_at_)winserver(_dot_)com>
From: Rolex.com <hsantos(_at_)isdg(_dot_)net>
Note the common sender using "rolex.com" user id part and I noticed
the ones that don't have this, all of them were also from the
rolex.com spammer. So this just boils down to one spammer today doing
this.
None of them were DKIM signed, but they would have been rejected as
non-signed if the logic was enabled to reject on a failed ADSP.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
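
Added example, not part of the original message and not the poster's own code: a sketch of the "reject unsigned mail on a failed ADSP" check mentioned above, using the RFC 5617 policy values. The domains, the policy table, the sample messages, the `enforce` switch and the mapping of "all" to a reject are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed ADSP records (RFC 5617 "dkim=" values). A real receiver would
# read these from the TXT record at _adsp._domainkey.<author domain>.
ADSP_POLICY = {"example.com": "all", "example.net": "discardable"}


def author_domain(from_header):
    """Return the domain of the From: address; the display name is ignored."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def adsp_verdict(from_header, valid_dkim_domains, enforce=True):
    """Evaluate one message against the author domain's ADSP policy.

    valid_dkim_domains: d= values of the DKIM signatures that verified.
    enforce: local switch for acting on an ADSP failure (hypothetical name).
    """
    domain = author_domain(from_header)
    if domain in {d.lower() for d in valid_dkim_domains}:
        return "accept"  # author domain signature present
    policy = ADSP_POLICY.get(domain, "unknown")
    if policy == "unknown" or not enforce:
        return "accept"  # nothing published, or enforcement switched off
    # Assumed local policy: "all" is rejected at SMTP time, "discardable" dropped.
    return "reject" if policy == "all" else "discard"


# Constructed messages: (From: header, domains with a valid DKIM signature).
SAMPLES = [
    ("Rolex.com <user1@example.com>", []),                 # unsigned spoof
    ("announcements@example.com", ["example.com"]),        # author-signed
    ("Rolex.com <user2@example.com>", ["rolex.example"]),  # third-party sig only
    ("someone@example.org", []),                           # no ADSP record
    ("Rolex.com <user3@example.net>", []),                 # discardable domain
]

if __name__ == "__main__":
    for header, sigs in SAMPLES:
        print(f"{adsp_verdict(header, sigs):8} {header}")
```

The "Rolex.com" display name plays no part in the decision; only the address domain and the d= value of a verified signature are compared.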