On 2022-01-30 at 14:09 +0200, Edgaras | SENDER wrote:
> Hello,
> 
> We noticed in Google Postmaster Tools a lot of bad reputation IPs
> which do not belong to us, and are actually forbidden from sending
> emails on our  behalf via SPF -all, yet Gmail thinks the messages
> from these IPs were fully authenticated.
> 
> After investigating some reports, it looks like a DKIM replay attack,
> where Gmail does not validate the original DKIM signature (which
> includes Message-ID:Reply-To:To: fields), and even ignores SPF
> permerror, if the message contains ARC headers.
> 
> Full headers below, any insights or suggestions would be appreciated:


Hello Edgar(as)?

I have been looking at your email, but I am confused at how it was
produced, and so which are the weird bits.

It purports to be a mail from bounces-test770...@sendersrv.com to
ysoul8...@gmail.com, which then was "forwarded" (!) by 212.83.129.110
to incident-repor...@gmail.com with a
MAIL FROM:<921108683ccq405...@universidadebrasil.edu.br> and an EHLO of
lingojam.com.


It makes sense that DKIM could be skipped if there is ARC, but then ARC
should be checked!

Some interesting bits:
- Two Date: headers
- Two different Subject: headers
- Original Return-Path: <bounces-test770...@sendersrv.com> appears twice

- A couple of headers have two consecutive dots where there should be
one: "212.83.129..110", "mx.google..com".

> Received-SPF: permerror (google.com: permanent error in processing
> during lookup of 921108683ccq405...@universidadebrasil.edu.br:
> host.universidadebrasil.email not found) client-ip=212.83.129..110;
> Authentication-Results: mx.google..com;

Note: the first Subject header wasn't encoding those utf-8 characters?
Best regards


PS: yes, universidadebrasil.edu.br has a bad SPF record:
"v=spf1 include:spf.protection.outlook.com
include:universidadebrasil.edu.br ip4:192.99.207.72
include:host.universidadebrasil.email ip4:45.33.9.144
include:mailgrid.com.br -all" but no TXT record on
host.universidadebrasil.email



_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
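An added example (not part of the thread or either poster's mail) that scans a message's headers for the anomalies the reply lists: repeated singleton headers such as Date:, Subject: and Return-Path:, double-dot tokens in Received-SPF/Authentication-Results, and an SPF permerror arriving alongside ARC headers. The sample headers are constructed, with placeholder domains and IPs.

```python
import re
from email import message_from_string

# Constructed sample modelled on the anomalies described in the thread: two
# Date:, two Subject:, repeated Return-Path:, double dots, permerror + ARC.
SAMPLE = """\
Return-Path: <bounces-test770@sender.example>
Received-SPF: permerror (mx.example: permanent error in processing) client-ip=203.0.113..5;
Authentication-Results: mx.example..com; dkim=pass header.d=sender.example
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; b=AAAA
ARC-Authentication-Results: i=1; mx.example; spf=pass smtp.mailfrom=sender.example
Return-Path: <bounces-test770@sender.example>
Date: Sun, 30 Jan 2022 10:00:00 +0000
Subject: Original subject
Date: Sun, 30 Jan 2022 11:30:00 +0000
Subject: Replayed subject
From: news@sender.example
To: victim@example.net

body
"""

# RFC 5322 section 3.6 allows at most one of each of these per message.
SINGLETON_HEADERS = ("Date", "Subject", "Return-Path", "Message-ID", "From", "To")
DOUBLE_DOT = re.compile(r"[A-Za-z0-9-]\.\.[A-Za-z0-9-]")


def header_anomalies(raw: str) -> list[str]:
    """Return human-readable findings for the suspicious patterns above."""
    msg = message_from_string(raw)  # header names are matched case-insensitively
    findings = []
    for name in SINGLETON_HEADERS:
        copies = len(msg.get_all(name) or [])
        if copies > 1:
            findings.append(f"duplicate {name}: {copies} copies")
    for name in ("Received-SPF", "Authentication-Results"):
        for value in msg.get_all(name) or []:
            if DOUBLE_DOT.search(value):
                findings.append(f"double dot in {name}: {value.strip()!r}")
    spf = " ".join(msg.get_all("Received-SPF") or []).strip().lower()
    seals = msg.get_all("ARC-Seal") or []
    if spf.startswith("permerror") and seals:
        cvs = ",".join(re.findall(r"\bcv=(\w+)", " ".join(seals)))
        findings.append(f"SPF permerror with {len(seals)} ARC-Seal header(s) (cv={cvs}): "
                        "verify the ARC chain before accepting forwarded results")
    return findings

if __name__ == "__main__":
    for finding in header_anomalies(SAMPLE):
        print(finding)
```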