DMARC report tool released to gain insight into applications and hackers spoofing your domain

Today I am releasing the DMARC monitoring tool to the community. It has been in development over the pas few weeks and is now ready to be used. This Report tool will give you detailed insight into domains that are trying to spoof your owned domains, subdomains or even non existing brand names. As this can cause damage to your domain / company  in many ways it is interesting to implement DMARC reporting or better blocking policy’s. In my next blog series I will start explaining on how you get to DMARC reject policy from both a technical and a functional perspective.

DMARC – The truth is out there

With DMARC you can gain inside into detailed reports but there are no free tools to generate nice reports from the emails generated by DMARC. This script will provide exactly that functionality as it is a end to end solution publishing the new generated reports as HTML files. If you configure the script to push the HTML files directly to your webserver you get a instant report page on your intranet.

The script is available for download from the Microsoft TechNet gallery:
https://gallery.technet.microsoft.com/Harvest-DMARC-items-for-9c0d911a

Script sample output:


DMARC report functionality

The script has a lot of flexibility to run with different parameter but the main functionality is described below. To view the entire parameter set you can user the Get-help function of PowerShell or look at the synopsis of the script.

The script currently has the flowing capability’s / workflow:

  1. The script will use EWS managed API to connect to a Exchange or Office 365 hosted mailbox
  2. The script will download all DMARC attachments from the inbox or custom folder
  3. Each successfully downloaded item will then either be moved or deleted from the source mailbox.
  4. While the reports are now compressed on disk the tool will extract the XML from the zip files and delete the zip file
  5. The script will read all XML files and combine them into a newly generated usable csv database
  6. The script will reload all latest csv databases per month and generate 1 master database and start resolving hostnames on the IP`s
  7. From the new database file the script will generate 1 overall HTML report page and per month HTML  report sub pages.
  8. HTML reports will be tabbed separated in the report HTML files for easy overview per domain.
  9. Finally a IP to hostname table will be added for a additional  overview.

The script has been designed to run as a scheduled task in a daily routine so the current months data is always up-to-date. To further facilitate scheduled task runtime the script supports a secure password function to use a different account credential for the mailbox than the one the scheduled task runs.

Script start parameters

The script can be run using minimal parameter as long as open 7zip and EWS managed API are available. For open 7zip you can download it at the website or use the version included in the download. The following sample display minimal runtime parameters:

If more flexibility is needed due to custom folders or you want the processed mail items to be automatically deleted the optional parameters can be used:

 

Please leave me any comments or rate the script on TechNet if you like it. If you found any bugs or want to suggest additional features you can contact me via contact@tech-savvy.nl.

In my next blog post sessions I will start to show how to gain maximum benefit out of SPF, DKIM and DMARC for your reporting and how to run a project to implement DMARC as I know a lot of admins are struggling to implement it from a functional perspective or not all impact is known.

Happy reporting

Martijn van Geffen

Leave a Reply

Your email address will not be published. Required fields are marked *