
I have just received a DMARC forensic report from Hotmail/Microsoft. My SPF policy seems to have successfully blocked the offending email. I have also blocked the offending IP using IPTables (just in case they try another way).

Is there anything else I should/can do? What are some common ways that a proactive admin can use/respond to this information?

user6122771
    There is nothing you HAVE to do, the reports are only for your information. You CAN do whatever you want with it. – Gerald Schneider Jul 12 '17 at 06:17
  • Well yeah, I could print it out 20 times and make paper airplanes :) - but I would much rather learn what others commonly do with this information (apart from reading it). – user6122771 Jul 13 '17 at 00:57

1 Answer


First off, your SPF policy alone will not necessarily block the offending email. Do you also have your DMARC policy at p=reject? That's the most important part.

In terms of other actions, the key thing for you to do is analyze the offending email in the feedback report (FBR) to verify if there is any kind of phishing campaign against your domain/brand and, if so, you should have the URL in the FBR from Microsoft that you will want to have taken down.

Beyond that, there is no typical action taken. The primary threat intelligence from FBRs is just the URL and contents (if targeted) of the message in question.

If the email captured in the FBR was just generic pharma spam or similar, it was almost certainly sent by an infected home computer and the IP is unlikely to reappear in any targeted manner.

cmeid
  • Yes, my DMARC policy is set to reject 100% and the report says "DMARC Results: Reject". The report only contained a copy of the headers, but the email was from noreplay@ (didn't even spell "noreply" properly) and addressed to kevinsingh@loanapproval.com. BTW the offending IP is on at least 7 RBL blacklists. – user6122771 Jul 14 '17 at 00:30
  • OK - then it was most likely just garden-variety pharma spam. You'll see that on most any registered domain and it's not generally concerning. Was there a subject included in the headers? – cmeid Jul 14 '17 at 06:50
  • Yes it was "Missed voice message - 5:50PM" and in addition to the from address it said "Whats AppNotifier" – user6122771 Jul 15 '17 at 06:32
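As an added example (not code from the question or the answer): a small Python parser for an ARF-style forensic report of the kind discussed above. It pulls out the fields the answer says to act on (source IP, the sender shown to the recipient, any URLs in the sample message) and answers the two questions the answer raises: was our domain spoofed, and did the receiver's DMARC evaluation actually reject the message? The report text is constructed for the example, reusing the sender and subject quoted in the comments; 203.0.113.5 is a documentation-range address, not the real offending IP.

```python
import email
import re
from email.utils import parseaddr

# Constructed ARF (RFC 6591) report reusing the page's sender/subject; not a real report.
SAMPLE_ARF = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="B1"

--B1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Source-IP: 203.0.113.5
Original-Mail-From: noreplay@example.com
Reported-Domain: example.com
Delivery-Result: reject
--B1
Content-Type: text/rfc822-headers

From: "Whats AppNotifier" <noreplay@example.com>
To: kevinsingh@loanapproval.com
Subject: Missed voice message - 5:50PM

--B1--
"""
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def parse_arf(raw):
    """Extract the fields a defender acts on from one forensic report."""
    report = {"urls": []}
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # the stdlib parser turns a message/* part into a nested message object
            fields = part.get_payload()[0]
            report.update((k.lower(), v) for k, v in fields.items())
        elif ctype == "text/rfc822-headers":  # headers-only sample, as in the question
            sample = email.message_from_string(part.get_payload())
            report["header_from"] = parseaddr(sample.get("From", ""))[1]
            report["subject"] = sample.get("Subject", "")
            report["urls"] = URL_RE.findall(part.get_payload())  # take-down candidates
    return report

def assess(report):
    """Was our domain spoofed, and did the receiver actually reject the message?"""
    from_domain = report.get("header_from", "").rpartition("@")[2].lower()
    return {"spoofed": from_domain == report.get("reported-domain", "").lower(),
            "rejected": report.get("delivery-result", "").lower() == "reject",
            "source_ip": report.get("source-ip"), "urls": report["urls"]}
```

A report whose sample message carries a body (message/rfc822 instead of headers only) would need the same URL scan applied to the nested message's text.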