DMARC Spoof Detection, Failed Authentications
About this Project
This report is a signal-oriented view into unauthenticated mail sources. It shows what failed and where (and a bit of metadata from the events in question); determining why they failed requires operational context. Elements of the dataset and some of my machine-learning models will eventually make their way to GitHub.
The data here is from DMARC analysis for domains I administer, drawn from a larger dataset (comprising millions of authentication records and messages). These entries are from email attempts that failed both SPF and DKIM (and there are often alignment issues - hidden here). In many cases, these failures indicate unauthorized use of the domain name, and are commonly associated with spoofing, phishing, or other abusive mail activity.
There are, however, known exceptions. Some legitimate email security, spam, or phishing analysis services disrupt authentication as a byproduct of the processes required for message inspection, forwarding, or re-origination. I tend to track networks and IP addresses where legitimate use disrupts email delivery (or DMARC reporting). This is tracked here in notes, and known disruptive services (confounders) are hidden by default. Much of this is not hostile activity, but some is.
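The selection described above (rows that failed both SPF and DKIM, with known confounders hidden by default) can be sketched as follows. This is an added example, not the project's own code: it assumes the input is a DMARC aggregate report in the RFC 7489 XML layout and reads the alignment-aware `policy_evaluated` results. The sample report, the `CONFOUNDERS` range and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs only).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
            f"</policy_evaluated></row></record>")

SAMPLE_REPORT = "<feedback>" + "".join([
    _rec("192.0.2.10", 22, "fail", "fail"),
    _rec("192.0.2.10", 8, "fail", "fail"),
    _rec("203.0.113.5", 7, "fail", "pass"),      # SPF passed: not a double failure
    _rec("198.51.100.25", 15, "fail", "fail"),   # inside the confounder range below
    _rec("2001:db8::1", 2, "fail", "fail"),
]) + "</feedback>"

# Hypothetical confounder list: networks of services known to break authentication.
CONFOUNDERS = [ipaddress.ip_network("198.51.100.0/24")]

def is_confounder(addr):
    return any(addr in net for net in CONFOUNDERS)

def double_failures(report_xml, show_confounders=False):
    """Map source IP -> message count for rows that failed both DKIM and SPF."""
    # Reports arrive from third parties; use a hardened XML parser on untrusted input.
    totals = Counter()
    for row in ET.fromstring(report_xml).iterfind("record/row"):
        results = row.find("policy_evaluated")
        if results is None:
            continue
        dkim = results.findtext("dkim", "").strip().lower()
        spf = results.findtext("spf", "").strip().lower()
        if dkim != "fail" or spf != "fail":
            continue
        try:
            addr = ipaddress.ip_address(row.findtext("source_ip", "").strip())
            count = int(row.findtext("count", "0"))
        except ValueError:
            continue  # malformed row: skip rather than abort the whole report
        if is_confounder(addr) and not show_confounders:
            continue
        totals[str(addr)] += count
    return totals

if __name__ == "__main__":
    for ip, messages in double_failures(SAMPLE_REPORT).most_common():
        print(ip, messages)
```

Keeping confounders behind a flag rather than deleting them preserves the raw counts, so a service that starts relaying abusive mail can be brought back into view.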
32,911
6,703
783
39,922
Failures
Showing 61-70 of 32,911 (failures, affecting 39,922 messages)

| Date | Source IP | Country | City | Network | Messages |
|---|---|---|---|---|---|
| 3/12/2024 | | US United States | | | 22 |
| 3/12/2024 | | US United States | | | 8 |
| 3/12/2024 | | US United States | | | 15 |
| 3/12/2024 | | US United States | | | 6 |
| 3/12/2024 | | US United States | | | 7 |
| 3/12/2024 | | US United States | Los Angeles | | 2 |
| 3/12/2024 | | LT Lithuania | | | 2 |
| 3/12/2024 | | ES Spain | Madrid | | 1 |
| 3/12/2024 | | VN Vietnam | | | 1 |
| 3/12/2024 | | VN Vietnam | | | 1 |