domains Valimail Report: 3 Billion spoofed emails are sent Every day

Lox

Valimail, the global leader in zero-trust, identity-based anti-phishing solutions, today released its latest report, "Email Fraud Landscape: Spring 2021," finding that while the DMARC enforcement rate increases, 3 billion messages per day are still spoofing the sender's identity. Email continues to be an effective way to communicate and use has increased during a year of global pandemic, and hackers continue to use email as a primary attack vector, stressing that email security is not going away.

Now in its fifth year, this report analyzes trends in the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC), a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or "spoofing." Valimail examined consolidated data from millions of DMARC reports collected on behalf of customers during 2020. The data represents hundreds of billions of email messages originating from tens of thousands of domains, sent to recipients using a variety of mailbox providers worldwide.

read more (prnews)
 
1
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Recently I got wind of one of my domains for sale being used to spoof the sender identity in this 3 billion/day statistic.

I had SPF already configured on it for email forwarding, so I went ahead and set up DKIM and DMARC, and I've promptly started receiving detailed forensic reports of rejected spoofed messages, reports coming from compliant mailbox providers handling the destination address.

The whole setup is a bit tedious when you check all the boxes. For example, at the domain where you receive reports you have to add a TXT DNS record for each domain that's being configured with DMARC and that you want to receive reports on; then at each of these domains you'd have to set up TXT records for SPF, DKIM and DMARC.

Any recommendations and best practices to help curb this identity spoof phenomenon? I guess we're at the bottleneck of it, since most registered domain names are those just waiting for a sale, and they're sitting unused and unprotected to this kind of abuse.

Searching this forum I found that @Paul has blogged about some technical aspects many years ago (How To Avoid Domain Theft - Part 2: Phishing Emails), or more recently @twiki gave an example of one of the simplest measures anyone can take (in this thread)
to block anyone from sending email, add a TXT record with this content: "v=spf1 -all", without the quotes

I'm trying to see what different use cases there are, from simplest to most difficult to configure; they might be:

1. the vast majority of names for sale (maybe 99%?) never intended to handle email, nor issue reports of attempted spoofing, could be configured to block all sending.
2.a. domains configured to forward received emails from the mailbox of the forwarding provider, can also be configured to block all sending.
2.b. domains configured to forward received emails from the domain itself, for those the DNS provider (the registrar most of the time) adds an SPF record at least, to signal that sending is allowed from their IP.
3. domains configured for in-house sending of emails, these need SPF, DKIM signing keys and DMARC properly set up.
4. domains configured to handle email through a professional provider, to be set up according to their instructions.

In any case only DMARC can effectively stop a spoofed email from reaching its intended destination, and this only if the provider for the destination address is configured to handle it.
 
Last edited:
0
•••
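An added example, not part of the thread or any poster's own code: a Python sketch that generates the TXT records for the block-all-sending case (use cases 1 and 2.a above) with DMARC reports sent to a separate domain, and audits a zone for gaps, including the per-domain report authorization record described in the post. The names `parked.example` and `reports.example`, the `dmarc` mailbox and the `p=reject` policy are assumptions, and the authorization check is simplified as noted in the code.

```python
# Added example (not from the thread). All domain names are constructed.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def needs_authorization(domain, report_domain):
    """Simplified: RFC 7489 compares organizational domains (which needs the
    Public Suffix List); here any destination outside `domain` counts."""
    return not (report_domain == domain or report_domain.endswith("." + domain))

def parked_records(domain, report_domain, mailbox="dmarc"):
    """TXT records for a domain that never sends mail, as (owner, value) pairs."""
    dmarc = f"v=DMARC1; p=reject; rua=mailto:{mailbox}@{report_domain}"
    records = [(domain, "v=spf1 -all"), (f"_dmarc.{domain}", dmarc)]
    if needs_authorization(domain, report_domain):
        # Published in the zone of the domain that receives the reports.
        records.append((f"{domain}._report._dmarc.{report_domain}", "v=DMARC1"))
    return records

def audit(domain, zone):
    """List the gaps for `domain`; `zone` maps owner name -> list of TXT strings."""
    findings = []
    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif spf[0].split() != ["v=spf1", "-all"]:
        findings.append("SPF permits senders; a parked domain publishes v=spf1 -all")
    dmarc = [t for t in zone.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("p") != "reject":
        findings.append(f"DMARC policy is {tags.get('p', 'missing')}, not reject")
    for uri in filter(None, tags.get("rua", "").split(",")):
        dest = uri.strip().split("!")[0].rsplit("@", 1)[-1].lower()
        owner = f"{domain}._report._dmarc.{dest}"
        if needs_authorization(domain, dest) and not any(
                t.startswith("v=DMARC1") for t in zone.get(owner, [])):
            findings.append(f"reports to {dest} not authorized: add TXT at {owner}")
    return findings

if __name__ == "__main__":
    # Constructed zone: SPF and DMARC are published, the authorization record is not.
    zone = {o: [v] for o, v in parked_records("parked.example", "reports.example")[:2]}
    for finding in audit("parked.example", zone):
        print(finding)
```

Without the authorization record, a compliant receiver skips the external report address, so the domain is still protected by `p=reject` but no reports arrive.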
You don't have to have an MX record on a domain. Without an MX, any email validation that checks for a valid MX or uses a reputation service will cause the email to be rejected.

Use the SOA record to add a contact if you need one.
 
Last edited:
1
•••
You don't have to have an MX record on a domain. Without an MX, any email validation that checks for a valid MX or uses a reputation service will cause the email to be rejected.
I need MX for email forwarding, and as far as I understand, with a reputation service fail the spoofed email goes to the Spam folder, but with a DMARC fail it won't get to the destination address at all, and reputation services would see that the spoofing is handled at DNS level for that domain and give it a better score.
 
0
•••
finding that while the DMARC enforcement rate increases, 3 billion messages per day are still spoofing the sender's identity. Email continues to be an effective way to communicate and use has increased during a year of global pandemic, and hackers continue to use email as a primary attack vector, stressing that email security is not going away.
 
0
•••