Geeky things to do with DMARC

May 25th edition.

Between 2013-05-24 17:00:00 and 2013-05-25 16:59:59, somebody at the United States Army base in Fort Huachuca, Arizona (home of the “U.S. Army Intelligence Center and the U.S. Army Network Enterprise Technology Command (NETCOM)/9th Army Signal Command”) attempted to forge an email to a Yahoo email address purporting to be from my domain cadillac.net.

I discovered this while testing the report analysis tools in Mail::DMARC, my nearly complete implementation of DMARC. DMARC is a nifty bit of tech where mail server operators (in this case, Yahoo!) report message delivery information to domain owners (in this case, me). In this case, Yahoo received the non-conforming message attempt from IP 141.116.211.97, which resolves to host-141-116-211-97.ptr.hqda.pentagon.mil. GeoIP locates the IP at:

US, AZ, Fort Huachuca, 85613, 31.527300, -110.360703, 789, 520.

Because the message didn’t conform to my published DMARC policy, Yahoo rejected it and reported information about the attempt to me. To rule out the possibility of this being a legit message being forwarded, I checked my logs and found zero messages being sent from that domain during the time period. I’d be quite curious to hear an explanation for this attempt.