
Django based web-app to visually analyze DMARC aggregate reports
MIT License
52 stars 13 forks

Add new view #13

Open sirio81 opened 6 years ago

sirio81 commented 6 years ago

Hi, first of all I'm not a developer so I'm giving a non-code-specific suggestion. The main thing I wish to know from all the DMARC reports I receive is a list of domains which fail. For each domain, I would like to have a list of IPs/names of the servers sending on my behalf (and the number of mails each has sent). To know the region/state of the sending servers would be convenient.

spf/dkim fail

Consider the case where I manage a mailserver and I set the SPF to allow receiving mail only from my mailserver (SPF policy ~all). Before setting the SPF policy to -all I wish to know if there are other servers sending mail for that domain. With the above view I could quickly identify, for example, a webserver that is sending mail on behalf of my domain. In such a case, I will update my SPF record with its IP and, once I'm sure there are no other legitimate servers left, I will set the SPF policy to -all.

Thank you.

lukpueh commented 6 years ago

Thanks for your comment. Your use case sounds very reasonable and you should be able to create such a view using the view editor:

Create View

  1. Go to the View Management tab and click on the Add View button.
  2. Give it a fitting title and a description
  3. If you're only interested in a table you can unselect the world map and time line chart checkboxes
  4. Report type should be incoming (default)
  5. Choose either a fixed time range, i.e. reports from mm/dd/yyyy to mm/dd/yyyy, or a dynamic range, e.g. last 5 months. (Hint: to see the date of the first report in your database go to the Overview page)
  6. Click the Add Filter Set button and assign it a Label
  7. As you seem to be interested in mails that fail the DMARC SPF evaluation you should choose the fail option in the Aligned SPF Result(s) select box.
  8. Click on Save and show View

Analyze

The table will show you all the aggregated DMARC report records pertaining to your domains that failed DMARC SPF evaluation. Each table row shows the things you are interested in (sender server IP, message count, country code, ...). If you can't see all the information you need, click on the + sign in the left-most table cells, or, alternatively, use a wider monitor or reduce the font size. Currently, the tool does not perform any extra aggregation. But you can sort by sender IP addresses to find out which servers send mail on your behalf.

You can also export the table to a handy csv document (see Export Table as CSV button) and then use a program like Excel or the like to perform further aggregation. To get your distinct sender IP addresses, a bash oneliner might also do the trick.

Let me know if you have further questions.
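As an added example (not part of the original thread and not dmarc-viewer's own code), here is one way to do the "further aggregation" step the reply above leaves to Excel or a bash one-liner: a small POSIX shell function that takes an exported CSV and sums the message count per sender IP. The column names `source_ip` and `count` are assumptions, since the real export's headers may differ; the script resolves columns by header name rather than position so only those two names need adjusting. The CSV sample embedded below is constructed for the demonstration and is not real report data.

```shell
#!/bin/sh
# Aggregate a DMARC CSV export by sender IP: total messages per IP, largest first.
# ASSUMPTION: the export has a header line with columns named "source_ip" and
# "count" (hypothetical names; adjust to the real export). Fields are assumed not
# to contain embedded commas.

aggregate_by_ip() {
    # usage: aggregate_by_ip < export.csv
    # output: "<total_messages><TAB><source_ip>" per distinct IP, sorted descending
    awk -F',' '
        NR == 1 {
            # Map header names to column positions, stripping quotes, spaces and CR.
            for (i = 1; i <= NF; i++) {
                gsub(/^[ \t\r"]+|[ \t\r"]+$/, "", $i)
                col[$i] = i
            }
            if (!("source_ip" in col) || !("count" in col)) {
                print "missing source_ip or count column" > "/dev/stderr"
                exit 1
            }
            next
        }
        NF > 1 {
            ip = $(col["source_ip"]); n = $(col["count"])
            gsub(/[ \t\r"]/, "", ip); gsub(/[ \t\r"]/, "", n)
            total[ip] += n          # sum message counts across all rows for this IP
        }
        END { for (ip in total) printf "%d\t%s\n", total[ip], ip }
    ' | sort -rn
}

# Constructed sample export (not real data): the same IP appears in several rows,
# which is exactly the case the table view does not aggregate on its own.
SAMPLE_CSV='source_ip,count,spf_result,dkim_result,country
192.0.2.10,12,fail,pass,US
198.51.100.7,3,fail,fail,DE
192.0.2.10,8,fail,fail,US
203.0.113.5,1,fail,fail,FR'

# Stand-alone run: prints 20 192.0.2.10 / 3 198.51.100.7 / 1 203.0.113.5
printf '%s\n' "$SAMPLE_CSV" | aggregate_by_ip
```

With the view filtered to aligned SPF result "fail" before exporting, the list this prints is the set of hosts that currently send for the domain without passing SPF, which is the list to reconcile against the SPF record before moving from ~all to -all.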