On Thu, May 01, 2025 at 01:29:42AM +0200, Alex Shakhov | SH Consulting via mailop wrote:
> While it’s technically possible that someone gained access to the original
> account, it’s highly unlikely they would have stopped at simply adding two
> CNAME records and modifying the SPF for a less popular domain in the DNS -
> removing the DMARC record entirely would have been a far easier and more
> damaging move.

I would suggest a cron job running every 15 minutes to grab the SPF record and
raise an alert if it has been changed.

Beware DNS caching, so use the authoritative DNS servers.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
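
One way to implement the check suggested in the reply above, as an added example that is not part of the original message: a cron-driven script that asks each authoritative name server directly for the SPF record and reports any difference from a saved baseline. It assumes `dig` is installed and that the monitored domain is a zone apex; the script path, `STATE_DIR` and `example.org` are hypothetical.

```shell
#!/bin/sh
# Added example. Crontab entry (script path is hypothetical):
#   */15 * * * * /usr/local/bin/spf-watch.sh --check example.org
# cron mails anything printed, so output only appears on an alert.
STATE_DIR="${STATE_DIR:-/var/lib/spf-watch}"   # hypothetical baseline directory

# stdin: `dig +short TXT` output. stdout: SPF record(s) only, with the quoted
# 255-byte chunks of a long TXT record rejoined, sorted for stable comparison.
extract_spf() {
    sed -e 's/" "//g' -e 's/"//g' | grep -iE '^v=spf1( |$)' | sort
}

# $1 = baseline, $2 = current. Prints a verdict; returns 0 only if unchanged.
compare_spf() {
    if [ -z "$2" ]; then echo "MISSING"; return 1; fi
    if [ "$1" = "$2" ]; then echo "OK"; return 0; fi
    echo "CHANGED"; return 1
}

# Ask every authoritative server directly (+norecurse) so resolver caches
# cannot hide a change. Assumes $1 is a zone apex, so it has its own NS set.
check_domain() {
    domain=$1; base_file="$STATE_DIR/$domain.spf"; rc=0
    mkdir -p "$STATE_DIR"
    ns_list=$(dig +short NS "$domain")
    [ -n "$ns_list" ] || { echo "$domain: no NS records returned"; return 2; }
    for ns in $ns_list; do
        raw=$(dig +short +norecurse +time=3 +tries=2 TXT "$domain" "@$ns") || {
            echo "$domain @$ns: query failed"; rc=2; continue; }
        cur=$(printf '%s\n' "$raw" | extract_spf)
        if [ ! -f "$base_file" ]; then      # first run: record the baseline
            printf '%s\n' "$cur" > "$base_file"; continue
        fi
        verdict=$(compare_spf "$(cat "$base_file")" "$cur") ||
            echo "$domain @$ns: SPF $verdict, now: '$cur'"
        [ "$verdict" = "OK" ] || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_domain "$2"
fi
```

After an intentional SPF change, delete the baseline file so the next run records the new value.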