[英]How can phishing emails pass even if SPF and DKIM are set on the domain?
I am trying to understand how SPF and DKIM works (and fails). 我试图了解SPF和DKIM的工作原理(并且失败了)。
I have a domain, majlovesreg.one , that uses Mailgun and contains these TXT DNS records, v=spf1 include:mailgun.org -all
and v=DKIM1; k=rsa; p=**pubkey**
我有一个域majlovesreg.one ,它使用Mailgun并包含这些TXT DNS记录,
v=spf1 include:mailgun.org -all
和v=DKIM1; k=rsa; p=**pubkey**
v=DKIM1; k=rsa; p=**pubkey**
v=DKIM1; k=rsa; p=**pubkey**
. v=DKIM1; k=rsa; p=**pubkey**
。 Mailgun then routes the emails to my Gmail account. 然后,Mailgun将电子邮件路由到我的Gmail帐户。
One day I received in Gmail a phishing email supposedly from py@hms.harvard.edu
, and I was surprised to see that it was via the majlovesreg.one
domain. 有一天,我在Gmail中收到了一封来自
py@hms.harvard.edu
的网络钓鱼电子邮件,而令我惊讶的是它是通过 majlovesreg.one
域发送的。 Checking the original message shows that the email originated from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix)
. 检查原始消息,表明该电子邮件来自
WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix)
来自WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix)
。 Google's ARC-Authentication-Results
however shows that the email passed both SPF and DKIM checks. 但是,Google的
ARC-Authentication-Results
显示该电子邮件通过了SPF和DKIM检查。
Question: How could this email pass SPF? 问题:这封电子邮件如何通过SPF? How was it possible for it to pass DKIM as well?
它也如何通过DKIM?
For reference, here is the original email: 供参考,以下是原始电子邮件:
Delivered-To: #####@gmail.com
Received: by 2002:a2e:6550:0:0:0:0:0 with SMTP id z77csp1970412ljb;
Sat, 14 Sep 2019 06:12:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyy+BjN8TgEiJWD+O7IKWD/n0532Fxhp+f+75ffu4u0JU1esXRPEme/DcG7RaYnlDiaMUW8
X-Received: by 2002:a9d:3f26:: with SMTP id m35mr46049370otc.66.1568466733949;
Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568466733; cv=none;
d=google.com; s=arc-20160816;
b=KDIT95EakaPqwYj0OF6116ReXWrEwoqTDfWySmCU35uwaP1F09vv/zAsThE/ziMF9h
iXFoXiNdBH2kGE1iGufqDyK/zm7AUsDRTLdFi5lRG3r326P2HylYdU7K6tnzwIOv/v+E
meyuyWNVShq3nTKZEyiDBJg2pnoMrSOrNTghmnD2txnvvEmyLqiAE1MwHWI1AmedBTQ8
xR0XS2DSsEr066m+5Iu2Yb3bjJIQNu1/8tcL6g+dy9XgQXagj3gdmKQoZKfOgK4K8b/g
PUynWvl0on1vauSG72JfucvljjgdWuVSHAKDAepVm4EpdCEcdV41mv74Q/FQfrB1KAyh
ZfwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:subject:date:reply-to:to:from
:mime-version:message-id:dkim-signature;
bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=;
b=aLF5hABuvBtaw58MtyXDMyjkhZiCSlp/1Hn5Cv9pHDLTvFTlwVRSCBy1B3sjQEzdiy
LYRXcb5Ne/aii7bBxFSnkZRv5wt+csct6lGJ1BjEXL2rU3ZXF1CZQDMhS+Lge2jle8pO
6n2eZ/9bQlWnzIgO95NG/mD0+eMJt2j43eC8JRcMYIYB480xEOENTb5Tv8isqvOnV7P6
3cI3rctDup6kDv1jYXNkNuwSdk4f3BDfbMt5YQoJIeT3gdSI3jcC/0VCGzRb7yQ66uLL
gfjKKpUuLnwB9CvoOdRMr7uJViLmO9rBoKn7MuRzz2wo/e5L5I7pieJrslsSQYGO7EYG
Df2A==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
Return-Path: <bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one>
Received: from m42-1.mailgun.net (m42-1.mailgun.net. [69.72.42.1])
by mx.google.com with UTF8SMTPS id h16si3134596oie.262.2019.09.14.06.12.12
for <#####@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) client-ip=69.72.42.1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=majlovesreg.one; q=dns/txt; s=k1; t=1568466733; h=Content-Transfer-Encoding: Content-Type: Subject: Date: Reply-To: To: From: MIME-Version: Message-Id; bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=; b=IcrRZKl90xBY0yfOeKwqDhszwGRipiYn+KphrsykgMkctgkr2oRQ++eHjHm49YdfeHDoq0vu 7NV0/kpVaYewb0NWBAxDu8cTC2lU1g/+HOA0d/uA+R4p4BBc24TazKfhU3p+BrtOBD6PfqIl qtjepy/cO+127GcSAg6uWxVXKUA=
X-Mailgun-Sending-Ip: 69.72.42.1
X-Mailgun-Incoming: Yes
Message-Id: <20190914131206.1.5A38D163B017E082@hms.harvard.edu>
X-Envelope-From: <py@hms.harvard.edu>
Received: from newsgw-02.dd24.net (newsgw-02.dd24.net [193.46.215.84]) by mxa.mailgun.org with ESMTP id 5d7ce726.7f54a6062110-smtp-in-n01; Sat, 14 Sep 2019 13:12:06 -0000 (UTC)
Received: from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix) with ESMTPA id 1C9095FE52 for <#####@majlovesreg.one>; Sat, 14 Sep 2019 13:11:49 +0000 (UTC)
MIME-Version: 1.0
From: Monika Majewska <py@hms.harvard.edu>
To: #####@majlovesreg.one
Reply-To: manager@azibulon-group.com
Date: 14 Sep 2019 06:12:04 -0700
Subject: New Order Inquiry
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
<P>Hello,</P>
<P>We have sent several emails to you, but no response</P>
<P>Please let me know if #####@majlovesreg.one is the correct email to place =
an order</P>
<P>I'm sorry for any inconvenience, if it's not your sales email, let me kn=
ow and i won't send any more email.</P>
<P>Hope to get your response this time.</P>
<P><SPAN style=3D'FONT-SIZE: 13px; FONT-FAMILY: "Helvetica Neue", "Segoe UI=
", Helvetica, Arial, "Lucida Grande", sans-serif; WHITE-SPACE: normal; WORD=
-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT-WEIGHT: 700; COLOR: =
rgb(29,34,40); FONT-STYLE: normal; TEXT-ALIGN: left; ORPHANS: 2; WIDOWS: 2;=
DISPLAY: inline !important; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(=
255,255,255); TEXT-INDENT: 0px; font-variant-ligatures: normal; font-varian=
t-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-style: init=
ial; text-decoration-color: initial'>Monika Majewska</SPAN></P>
<P>Sales Manager | Europe Region<BR>Azibulon Group<BR>Tel.: +49 901-9=
29-3401 - Ext.3<BR>Fax.: +49 901-929-3402</P>
Odd. 奇。 Perhaps the sender is also using mailgun, and while mailgun is legit for you as a sender, the fact that you have allowed them to send for you via SPF, and that they do DKIM signing for you suggests that mailgun may not separate those permissions from other users of mailgun.
也许发件人也在使用mailgun,虽然mailgun作为发件人对您来说是合法的,但事实是您已允许他们通过SPF为您发送邮件,并且他们为您执行了DKIM签名,这表明mailgun可能不会将这些权限与mailgun的其他用户。 I suggest asking mailgun support about it.
我建议向mailgun支持。 I'd also recommend changing your SPF default mechanism to
~all
and setting up a DMARC record with p=reject
so that you can enforce From header matches too - that would have prevented this case. 我也建议更改SPF默认机制
~all
和建立DMARC纪录p=reject
,这样就可以执行从头也很相配-这将阻止这种情况。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.