Some Email server run by Docomo and KDDI Japan seem to reject a ton of spam from a Brazilian botnet that uses us as a faked sender address…
This slowly started in April but has massively increased in volume this month.
Background
Emails claiming to be from us must be signed with a secret, cryptographic key that only we have. The corresponding public key can be found in our domain name entry. So every email server can check that an email it receives is actually from us. (This is called DKIM.)
In addition we also list the IP addresses of all email servers that are allowed to send email with us as a claimed sender. (This is called SPF.)
How do we know all this?
These are summary reports sent back to us from email servers that get our emails.
(This is a mechanism called DMARC.)
Red means it checked a signature and found it missing or invalid.
The reports do contain the IP-address and hostname of the email-server trying to send.
Most of them are dynamic IP addresses of DSL customers in Brazil
So it’s a fair bet that some botnet is trying to send spam with us as a faked sender.
