Closed: xennn closed this issue 6 years ago
You will only get forensic reports when messages fail DMARC alignment. I'm guessing most/all of your email is failing DMARC right now? In that case, I'd recommend running parsedmarc without --save-forensic until you get most or all of your legitimate email DMARC aligned. Everything you need for that is in the aggregate data.
Very few mail recipients send forensic reports for privacy reasons, or they might only supply the headers. So I'm guessing you are sending your own? Having the original attachment is very useful, so you can get a malware sample if someone tries to phish you :)
Of course you are right about the malware sample. Most of our DMARC checks are OK. However, our copiers have the problem. In the monitoring phase, this would of course be great without attachments.
Ah, in that case, can you configure your copiers to send using a subdomain in the From address, such as copier.example.de? That way, you could publish a DMARC record like _dmarc.copier.example.de IN TXT "v=DMARC1; p=none" without a ruf tag, so you wouldn't get forensic reports for your copiers at all. That would also allow you to have a different policy p value for your TLD, or any other subdomains.
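The subdomain advice above rests on how receivers discover a DMARC record: they query _dmarc.&lt;from-domain&gt; first and only fall back to the organizational domain's record (applying its sp= tag, or p= when sp= is absent, and inheriting its rua=/ruf= addresses) when nothing is published for the subdomain. The script below is an added example, not parsedmarc's own code, and walks that discovery order against a constructed in-memory DNS table; the organizational-domain helper is a two-label simplification (real code must consult the Public Suffix List), which is an assumption of the example.

```python
"""Added example, not parsedmarc's own code: work out which DMARC record
(and therefore which policy and report addresses) applies to a sending
domain, following the RFC 7489 discovery order:

  1. query _dmarc.<from-domain>;
  2. if nothing is published there and the domain is a subdomain, query
     _dmarc.<organizational-domain> and apply its sp= tag (falling back to
     p= when sp= is absent), together with that record's rua=/ruf= tags.

DNS answers come from a constructed in-memory table rather than live
lookups, so the script runs offline."""

# Constructed TXT records standing in for real DNS answers (assumption).
FAKE_DNS = {
    "_dmarc.example.de": "v=DMARC1; p=reject; rua=mailto:dmarc@example.de; "
                         "ruf=mailto:dmarc@example.de",
    "_dmarc.copier.example.de": "v=DMARC1; p=none",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=none; "
                          "rua=mailto:dmarc@example.com",
}


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC records."""
    tags = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError("malformed DMARC tag: %r" % chunk)
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def organizational_domain(domain):
    """Simplification for the example: the last two labels. Real code must
    consult the Public Suffix List (e.g. example.co.uk has three labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup_txt(name, dns=FAKE_DNS):
    """Stand-in for a DNS TXT query against the constructed table."""
    return dns.get(name.lower())


def effective_policy(from_domain, dns=FAKE_DNS):
    """Return the policy receivers would apply to mail From: from_domain,
    plus the rua/ruf addresses that would receive reports about it."""
    from_domain = from_domain.lower().strip(".")
    record = lookup_txt("_dmarc." + from_domain, dns)
    if record is not None:
        tags = parse_dmarc_record(record)
        return {"record_domain": from_domain, "inherited": False,
                "policy": tags["p"], "rua": tags.get("rua"),
                "ruf": tags.get("ruf")}

    org = organizational_domain(from_domain)
    record = None if org == from_domain else lookup_txt("_dmarc." + org, dns)
    if record is None:
        # No record anywhere: receivers apply no DMARC policy and send no reports.
        return {"record_domain": None, "inherited": False, "policy": None,
                "rua": None, "ruf": None}
    tags = parse_dmarc_record(record)
    # Subdomains take sp= when present, otherwise p=. Report addresses are
    # inherited too, which is why a copier subdomain with no record of its
    # own still produces forensic reports when the org domain sets ruf=.
    return {"record_domain": org, "inherited": True,
            "policy": tags.get("sp", tags["p"]), "rua": tags.get("rua"),
            "ruf": tags.get("ruf")}


if __name__ == "__main__":
    for sender in ("example.de", "copier.example.de", "printer.example.de",
                   "scanner.example.com", "nothing.example.org"):
        print(sender, "->", effective_policy(sender))
```

Running it shows the contrast the thread is about: copier.example.de has its own record with no ruf tag, so no forensic reports are requested for it, while printer.example.de (no record of its own) inherits example.de's p=reject and its ruf address and would keep generating them.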
Your suggestion sounds good. However, we would have to change the sender for several hundred copiers. Most copiers only send internally. One consideration was a third mail relay: a DNS switch entry, and no filter check on the mail relay. A few copiers have to send externally. But that certainly has its limits. At the moment we don't use a subdomain policy.
I found this post: "If it is listed as an internal domain, then it likely doesn't need to, or isn't configured to, sign it (it doesn't need to either, for the record). If it's not leaving you, then you don't need to validate your domain, since it's internal (and you already have a trust for the IP(s) of the printers relaying). The point of DKIM/DMARC/SPF et al. is to confirm that the IP or domain sending the email is actually allowed to and valid; internally your domain doesn't need to prove this, especially since it's not leaving you."
I opened a case with Symantec on how to configure this. I think we need to configure DKIM signing for inbound for the internal domain. With SPF we can't add hundreds of IP addresses.
For the monitor mode the feature request is a good idea: without the attachments. Would you implement the function for me?
The following option has been added in 4.3.4:
--strip-attachment-payloads    Remove attachment payloads from forensic report output
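To show what stripping attachment payloads from a forensic report involves, here is an added example that is not parsedmarc's own implementation of --strip-attachment-payloads. It builds a constructed failure report (simplified to multipart/mixed; a real ARF report is multipart/report with a message/feedback-report part, but the embedded message/rfc822 sample is handled the same way), blanks every attachment's payload while keeping its headers, and re-parses the result to confirm it is still well-formed MIME. The X-Stripped-Payload-Size header is this example's own marker, not something parsedmarc emits.

```python
"""Added example, not parsedmarc's own code: blank the payload of every
attachment inside a forensic (ruf) report while keeping the attachment's
headers, so the stored sample still records what was attached (file name,
content type, size) without the bytes that make the index grow."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample_forensic_report():
    """Constructed sample: a failure report wrapping a copier's scan e-mail.
    Simplified to multipart/mixed instead of a full ARF multipart/report."""
    original = EmailMessage()
    original["From"] = "copier-42@example.de"
    original["To"] = "user@example.de"
    original["Subject"] = "Scan from copier 42"
    original.set_content("Your scanned document is attached.")
    # Placeholder bytes standing in for a ~2 KB PDF; not a real document.
    fake_pdf = b"%PDF-1.4\n" + b"\x00" * 2000
    original.add_attachment(fake_pdf, maintype="application",
                            subtype="pdf", filename="scan.pdf")

    report = EmailMessage()
    report["From"] = "dmarc-ruf@mailbox.example"
    report["To"] = "dmarc@example.de"
    report["Subject"] = "DMARC failure report for copier-42@example.de"
    report.set_content("Forwarded failure sample (constructed).")
    report.add_attachment(original)  # stored as a message/rfc822 part
    return report


def strip_attachment_payloads(msg):
    """Modify msg in place: empty every leaf part that is an attachment or
    non-text, keep its headers, and return a summary of what was removed.
    The X-Stripped-Payload-Size header is this example's own marker."""
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers and the message/rfc822 wrapper stay intact
        is_attachment = part.get_content_disposition() == "attachment"
        if not is_attachment and part.get_content_maintype() == "text":
            continue  # readable bodies are what an analyst needs to keep
        raw = part.get_payload(decode=True) or b""
        removed.append({"filename": part.get_filename(),
                        "content_type": part.get_content_type(),
                        "original_size": len(raw)})
        del part["Content-Transfer-Encoding"]
        part.set_payload("")
        part["X-Stripped-Payload-Size"] = str(len(raw))
    return removed


def demo():
    """Strip the constructed report and re-parse the result to prove the
    output is still well-formed MIME with the sample message intact."""
    report = build_sample_forensic_report()
    size_before = len(report.as_bytes())
    removed = strip_attachment_payloads(report)
    stripped_bytes = report.as_bytes()
    reparsed = BytesParser(policy=policy.default).parsebytes(stripped_bytes)
    sample = next(p for p in reparsed.walk()
                  if p.get_content_type() == "message/rfc822").get_payload(0)
    pdf = next(p for p in sample.walk()
               if p.get_content_type() == "application/pdf")
    return {
        "removed": removed,
        "size_before": size_before,
        "size_after": len(stripped_bytes),
        "sample_subject": str(sample["Subject"]),
        "sample_body": sample.get_body(preferencelist=("plain",))
                             .get_content().strip(),
        "pdf_filename": pdf.get_filename(),
        "pdf_payload": pdf.get_payload(decode=True),
    }


if __name__ == "__main__":
    result = demo()
    print("removed:", result["removed"])
    print("bytes: %d -> %d" % (result["size_before"], result["size_after"]))
```

The text bodies and every header survive, so the sample still tells you who sent what to whom and what was attached; only the attachment bytes, which are what was filling the Elasticsearch index, are gone.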
Can you add an option to parsedmarc for forensic reports that does not parse the attachments (like PDF, DOC, Office files)? The Elasticsearch index grows very fast: 300 MB in one day. Nobody needs the attachments for reporting :-)