Phishing evolves beyond DMARC

The phishing attack against Sendgrid is still going on. Most of the mail and the websites are being hosted on Linode. I’ve still not gotten to see what one of the sites looks like, as Linode is getting the sites down before I click on the links.

Everyone here is doing the Right Things(tm) in order to address the problem. Sendgrid has a p=reject message in their DMARC record, Linode seems to be reasonably competent at getting the phishing sites down quickly enough.

I did notice in today’s round of emails that the phishers have evolved. Sometime between midnight GMT and 4pm GMT they stopped forging SendGrid in the From address. Now they’re just forging random domains. Any protection SendGrid was getting from their DMARC record is now gone.

This is a prime example of why I roll my eyes whenever anyone tells me DMARC stops phishing. DMARC stops one very specific kind of phishing that is trivial to work around. Even if every company on the planet went p=reject there is absolutely nothing to stop the phishers from registering their own domains and publishing their own DMARC records.
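To make the point concrete, here is an added example (not code from the original post) of the alignment check at the heart of DMARC. The domain names and DNS records are constructed stand-ins; it shows that a forged From domain is rejected only because its authentication is unaligned, while a domain the attacker registered and authenticated themselves passes cleanly.

```python
# Added example: a minimal DMARC alignment check showing why p=reject only
# stops exact-domain spoofing. All domains and records are constructed.

# Stand-in for the DNS TXT lookups a real verifier performs.
DMARC_RECORDS = {
    "sendgrid.example": {"p": "reject", "adkim": "r", "aspf": "r"},
    # Attacker-registered look-alike domain with its own p=reject record.
    "sendgrid-login.example": {"p": "reject", "adkim": "r", "aspf": "r"},
}

def org_domain(domain):
    """Crude organizational-domain derivation: keep the last two labels.
    Real verifiers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains,
    strict ('s') requires an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
                   records=DMARC_RECORDS):
    """Return (disposition, reason). spf_domain is the MAIL FROM domain;
    dkim_domain is the d= of a verified signature, or None."""
    record = records.get(org_domain(from_domain))
    if record is None:
        return "none", "no DMARC record for " + from_domain
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    # No aligned authentication: apply the domain owner's published policy.
    return record["p"], "no aligned authentication"

if __name__ == "__main__":
    # Round one from the post: From header claims sendgrid.example while the
    # mail is sent from attacker infrastructure, so p=reject applies.
    print(evaluate_dmarc("sendgrid.example", "bounce.attacker-host.example",
                         True, None, False))
    # Round two: attacker's own domain, own SPF and DKIM, own DMARC record.
    print(evaluate_dmarc("sendgrid-login.example", "sendgrid-login.example",
                         True, "sendgrid-login.example", True))
```

The second message passes DMARC entirely, which is why the remaining defences have to look at the domain's reputation, age and content rather than its authentication status.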

I’m pretty sure that many of these emails are being blocked and filtered, but if even a few get through and are clicked on it can cause major pain for the victim companies.

Be careful out there.
