Statistics on spoofed mail

The other day, I decided to investigate how effective DMARC might actually be.  Would using DMARC result in catching spoofed mail?  Are spoofers abusing certain brands en masse?

To check this, I decided to take a look at how much mail we were getting from Paypal, Amazon, Bank of America, and Facebook (four of the companies pushing for DMARC).  I can’t get the entire data set because it’s in logs and takes too long to collect, so instead I took statistics on 1 mail server over the week of April 2 to April 6, 2012.  Since our network mail is globally load balanced, a given email has as good a chance of going through this server as through any other server.

During this period of time, 1.9 million total messages passed through this mail server. 

  1. Facebook saw the most at 0.71% of all messages.
  2. Paypal was second most at 0.061%.
  3. Bank of America was third at 0.019%.
  4. Amazon was fourth at 0.007% which surprised me, as I figured it’d be higher.

These four services combine for less than 1% of all of our inbound mail on this one server, which was lower than I expected, although the fact that Facebook was so much higher than the others (by a factor of over 10x from #2) also surprised me.  We filter enterprise mail, not personal mail.  I guess if we filtered personal mail, Facebook would be much higher.

How much of this mail was authenticated with an SPF check?  Below are the results:

  1. Facebook – 83%
  2. Paypal – 82%
  3. Bank of America – 88%
  4. Amazon – 88%
  5. Network total – 41%

You can see from the above that most mail from these services is authenticated (read: senders with those domains in the SMTP Mail From pass SPF), but there’s still a lot that isn’t.  If we were implementing DMARC, then all of that mail that failed an SPF check would be reported back to those respective services.

Almost all of the mail that passes an SPF check is marked as non-spam (i.e., almost zero false positives). But what about the small proportion of mail that fails an SPF check?  Does that mean it’s maliciously spoofed?  Or is it coming from IP addresses that aren’t in the domain’s SPF record?

That’s where DMARC comes in – you can receive reports on these SPF fails and check to see which case it is.  With any luck, you can figure out which it is and then lock down your SPF record.
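As an added example (not code from the original post), this is how a domain owner on the receiving end of DMARC aggregate reports would separate the two cases above: SPF failures from senders that still sign with DKIM (probably a legitimate source missing from the SPF record) versus senders that fail both (candidate spoofing). The report XML, domain and source IPs are all constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample DMARC aggregate (RUA) report: placeholder domain, documentation-range
# IPs, made-up counts.  Only the elements the triage below reads are included.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>brand.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>950</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers><auth_results><spf><domain>brand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>30</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers><auth_results><spf><domain>brand.example</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>120</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers><auth_results><spf><domain>brand.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def triage(report_xml):
    """Bucket message counts per source IP by the DMARC-evaluated SPF/DKIM outcome:
    'aligned' = SPF pass; 'dkim_only' = SPF fail but DKIM pass (likely a legitimate
    vendor/forwarder missing from SPF); 'unauthenticated' = both fail (candidate spoof)."""
    buckets = defaultdict(lambda: defaultdict(int))
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        spf_ok = evaluated.findtext("spf") == "pass"
        dkim_ok = evaluated.findtext("dkim") == "pass"
        bucket = "aligned" if spf_ok else ("dkim_only" if dkim_ok else "unauthenticated")
        buckets[bucket][ip] += count   # the same IP may appear in several records
    return {name: dict(ips) for name, ips in buckets.items()}


def spf_pass_rate(report_xml):
    """Share of reported messages that passed SPF, comparable to the per-brand percentages above."""
    buckets = triage(report_xml)
    total = sum(sum(ips.values()) for ips in buckets.values())
    return sum(buckets.get("aligned", {}).values()) / total if total else 0.0
```

The 'unauthenticated' bucket still needs a human look before tightening policy, since mailing lists and some forwarders break both SPF and DKIM and land there too.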

I’m not going to say what the spam/non-spam rates were on mail that failed SPF checks because I don’t know which ones were spoofed spam and which ones were legitimate mails (and I’m not going to advertise our potential false negative rate).  But I can say that the non-spam rate was greater than zero, meaning that a certain proportion of mail was failing SPF checks and subsequently marked as non-spam – for all of those services above.

In this respect, it could provide good value for the above brands to clamp down on who is sending mail as them, or to take legal action against whoever is illegitimately spoofing them.