DMARC Spoof Detection, Failed Authentications
About this Project
This report is a signal-oriented view into unauthenticated mail sources. It shows what failed and where (with limited metadata from the events); determining why requires operational context. Elements of the dataset and some of my machine-learning models will eventually make their way to GitHub.
The data here comes from DMARC analysis for domains I administer, drawn from a larger dataset comprising millions of authentication records and messages. These entries represent email attempts that failed both SPF and DKIM (often with additional alignment issues not shown here). In many cases, these failures indicate unauthorized use of the domain name and are commonly associated with spam, domain spoofing, phishing, or related abusive mail activity from these IP addresses.
There are, however, known exceptions. Some legitimate email security, spam detection, or phishing analysis services disrupt authentication as a byproduct of the processes required for message inspection, forwarding, or re-origination. I tend to track networks and IP addresses where legitimate activity disrupts email delivery or DMARC reporting. These are documented in the notes, and known disruptive services (confounders) are hidden by default. Much of this traffic is not hostile... but some is.
11,015
4,597
821
16,434
Failures
Showing 11-20 of 11,015 (failures, affecting 16,434 messages)

| Date | Source IP | Country | City | Network | Messages |
|---|---|---|---|---|---|
| 3/11/2024 | | VN Vietnam | | | 1 |
| 3/11/2024 | | US United States | Los Angeles | | 1 |
| 3/11/2024 | | TR Türkiye | Istanbul | | 2 |
| 3/11/2024 | | VN Vietnam | | | 1 |
| 3/11/2024 | | NL The Netherlands | Amsterdam | | 1 |
| 3/12/2024 | | US United States | | | 1 |
| 3/12/2024 | | US United States | | | 1 |
| 3/12/2024 | | US United States | | | 1 |
| 3/12/2024 | | US United States | | | 1 |
| 3/12/2024 | | US United States | | | 1 |