DMARC holds a strong value to any entity that has an Internet presence, especially with email. This is because DMARC will prevent unauthorized usage of the organization’s email domain. It will also provide reports that will inform the organization as to what system (authorized and unauthorized) are sending using the organization’s email domain. It is important that DMARC be setup properly and with reporting enabled.
One law enforcement agency (LEA) saw the benefit just a few months after implementation, especially being at policy level ‘reject’ – the highest level. Over 500 DMARC failure reports (RUF) were generated and emailed to their DMARC RUF mailbox within a 24-hour period. Based on these reports, an attacker was using one of their user’s email addresses – sending emails from Colorado, Quebec and other IP addresses.
After further research and analysis by the LEA, it was determined that the spamming campaign was larger than initially determined. It was discovered that more than 43,000 “malicious” emails had been blocked due to the DMARC policy. The SPF domain used belonged to a parked domain created approximately 2 months prior. As the SPF and DKIM records didn’t match the email domain, the emails were blocked. The spamming campaign was further confirmed by a number of emails and phone calls from people saying they had received the email and/or assumed the LEA had been hacked.
The LEA was able to work with DMARCian and with the mail service provider (from which the majority of the messages were originating from) to confirm that it was indeed fraudulent. The mail provider located the account and suspended it whilst their client investigated and resolved the issue with their mail systems.
Even though the LEA is at DMARC policy level ‘reject’, many of the messages were able to get through due to lack of DMARC support at the recipient end. DMARC must have both the sender and recipient participate in order to be effective. The sender will create a DMARC policy, while the recipient enables DMARC verification. Had the receiving end done so, then all of these messages would have been blocked.
This story just shows how important it is to implement DMARC, not only at the highest enforcement level, but to also have the reporting capability of DMARC enabled in the policy. Without the DMARC policy, the LEA would not have known about the campaign until citizens and partners reached out to them. This potentially could have hurt their reputation and trust within the community. Instead they were able to say they were aware and were in the process of handling it.
For more information about the benefits of DMARC reporting, please visit: http://dmarc.globalcyberalliance.org/dmarc-reporting-key-benefits-takeaways/