stackoom
  简体   繁体   中英

How can phishing emails pass even if SPF and DKIM are set on the domain?

 原文  2019-09-16 03:20:05       email/ gmail/ mailgun/ spf/ dkim

Question

I am trying to understand how SPF and DKIM works (and fails).

I have a domain, majlovesreg.one , that uses Mailgun and contains these TXT DNS records, v=spf1 include:mailgun.org -all and v=DKIM1; k=rsa; p=**pubkey** v=DKIM1; k=rsa; p=**pubkey** v=DKIM1; k=rsa; p=**pubkey** . Mailgun then routes the emails to my Gmail account.

One day I received in Gmail a phishing email supposedly from py@hms.harvard.edu , and I was surprised to see that it was via the majlovesreg.one domain. Checking the original message shows that the email originated from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix) . Google's ARC-Authentication-Results however shows that the email passed both SPF and DKIM checks.

Question: How could this email pass SPF? How was it possible for it to pass DKIM as well?

For reference, here is the original email: 

Delivered-To: #####@gmail.com
Received: by 2002:a2e:6550:0:0:0:0:0 with SMTP id z77csp1970412ljb;
        Sat, 14 Sep 2019 06:12:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyy+BjN8TgEiJWD+O7IKWD/n0532Fxhp+f+75ffu4u0JU1esXRPEme/DcG7RaYnlDiaMUW8
X-Received: by 2002:a9d:3f26:: with SMTP id m35mr46049370otc.66.1568466733949;
        Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568466733; cv=none;
        d=google.com; s=arc-20160816;
        b=KDIT95EakaPqwYj0OF6116ReXWrEwoqTDfWySmCU35uwaP1F09vv/zAsThE/ziMF9h
         iXFoXiNdBH2kGE1iGufqDyK/zm7AUsDRTLdFi5lRG3r326P2HylYdU7K6tnzwIOv/v+E
         meyuyWNVShq3nTKZEyiDBJg2pnoMrSOrNTghmnD2txnvvEmyLqiAE1MwHWI1AmedBTQ8
         xR0XS2DSsEr066m+5Iu2Yb3bjJIQNu1/8tcL6g+dy9XgQXagj3gdmKQoZKfOgK4K8b/g
         PUynWvl0on1vauSG72JfucvljjgdWuVSHAKDAepVm4EpdCEcdV41mv74Q/FQfrB1KAyh
         ZfwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:date:reply-to:to:from
         :mime-version:message-id:dkim-signature;
        bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=;
        b=aLF5hABuvBtaw58MtyXDMyjkhZiCSlp/1Hn5Cv9pHDLTvFTlwVRSCBy1B3sjQEzdiy
         LYRXcb5Ne/aii7bBxFSnkZRv5wt+csct6lGJ1BjEXL2rU3ZXF1CZQDMhS+Lge2jle8pO
         6n2eZ/9bQlWnzIgO95NG/mD0+eMJt2j43eC8JRcMYIYB480xEOENTb5Tv8isqvOnV7P6
         3cI3rctDup6kDv1jYXNkNuwSdk4f3BDfbMt5YQoJIeT3gdSI3jcC/0VCGzRb7yQ66uLL
         gfjKKpUuLnwB9CvoOdRMr7uJViLmO9rBoKn7MuRzz2wo/e5L5I7pieJrslsSQYGO7EYG
         Df2A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
       spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
Return-Path: <bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one>
Received: from m42-1.mailgun.net (m42-1.mailgun.net. [69.72.42.1])
        by mx.google.com with UTF8SMTPS id h16si3134596oie.262.2019.09.14.06.12.12
        for <#####@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) client-ip=69.72.42.1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
       spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=majlovesreg.one; q=dns/txt; s=k1; t=1568466733; h=Content-Transfer-Encoding: Content-Type: Subject: Date: Reply-To: To: From: MIME-Version: Message-Id; bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=; b=IcrRZKl90xBY0yfOeKwqDhszwGRipiYn+KphrsykgMkctgkr2oRQ++eHjHm49YdfeHDoq0vu 7NV0/kpVaYewb0NWBAxDu8cTC2lU1g/+HOA0d/uA+R4p4BBc24TazKfhU3p+BrtOBD6PfqIl qtjepy/cO+127GcSAg6uWxVXKUA=
X-Mailgun-Sending-Ip: 69.72.42.1
X-Mailgun-Incoming: Yes
Message-Id: <20190914131206.1.5A38D163B017E082@hms.harvard.edu>
X-Envelope-From: <py@hms.harvard.edu>
Received: from newsgw-02.dd24.net (newsgw-02.dd24.net [193.46.215.84]) by mxa.mailgun.org with ESMTP id 5d7ce726.7f54a6062110-smtp-in-n01; Sat, 14 Sep 2019 13:12:06 -0000 (UTC)
Received: from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix) with ESMTPA id 1C9095FE52 for <#####@majlovesreg.one>; Sat, 14 Sep 2019 13:11:49 +0000 (UTC)
MIME-Version: 1.0
From: Monika Majewska <py@hms.harvard.edu>
To: #####@majlovesreg.one
Reply-To: manager@azibulon-group.com
Date: 14 Sep 2019 06:12:04 -0700
Subject: New Order Inquiry
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<P>Hello,</P>
<P>We have sent several emails to you, but no response</P>
<P>Please let me know if #####@majlovesreg.one is the correct email to place =
an order</P>
<P>I'm sorry for any inconvenience, if it's not your sales email, let me kn=
ow and i won't send any more email.</P>
<P>Hope to get your response this time.</P>
<P><SPAN style=3D'FONT-SIZE: 13px; FONT-FAMILY: "Helvetica Neue", "Segoe UI=
", Helvetica, Arial, "Lucida Grande", sans-serif; WHITE-SPACE: normal; WORD=
-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT-WEIGHT: 700; COLOR: =
rgb(29,34,40); FONT-STYLE: normal; TEXT-ALIGN: left; ORPHANS: 2; WIDOWS: 2;=
 DISPLAY: inline !important; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(=
255,255,255); TEXT-INDENT: 0px; font-variant-ligatures: normal; font-varian=
t-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-style: init=
ial; text-decoration-color: initial'>Monika Majewska</SPAN></P>
<P>Sales Manager | Europe Region<BR>Azibulon Group<BR>Tel.:&nbsp; +49 901-9=
29-3401 - Ext.3<BR>Fax.: +49 901-929-3402</P>

1 answers

solution1
 0  2019-09-16 06:46:16

Odd. Perhaps the sender is also using mailgun, and while mailgun is legit for you as a sender, the fact that you have allowed them to send for you via SPF, and that they do DKIM signing for you suggests that mailgun may not separate those permissions from other users of mailgun. I suggest asking mailgun support about it. I'd also recommend changing your SPF default mechanism to ~all and setting up a DMARC record with p=reject so that you can enforce From header matches too - that would have prevented this case.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Can anyone on the same shared hosting send emails using my domain with a PASS on both SPF and DKIM? PHPMailer, DKIM, and SPF set - Emails still arriving in Junk (PHP) How to set DKIM and SPF in Exchanbge mail server SPF + DKIM pass and DMARC fails SPF and DKIM is set, but record is not found Gmail shows "via" even if the domain is authenticated with Mailchimp and has valid SPF and DKIM records Send emails and avoid spam folder (C# WPF / DKIM & SPF) how to set Mandrill with DKIM and SPF in order to receive the activation link via mail Is DKIM and SPF sufficient to avoid inbound email spoofing from a certain domain? How can I fix the problem with Gmail? Gmail marked email with passed SPF, DKIM and DMARC as spam
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM