On Sun, Jan 30, 2022 at 4:21 AM Edgaras | SENDER via mailop <mailop@mailop.org> wrote:
> Hello,
>
> We noticed in Google Postmaster Tools a lot of bad reputation IPs which do
> not belong to us, and are actually forbidden from sending emails on our
> behalf via SPF -all, yet Gmail thinks the messages from these IPs were
> fully authenticated.
>
> After investigating some reports, it looks like a DKIM replay attack,
> where Gmail does not validate the original DKIM signature (which includes
> Message-ID:Reply-To:To: fields), and even ignores SPF permerror, if the
> message contains ARC headers.
>
> Full headers below, any insights or suggestions would be appreciated:
>
>
> Delivered-To: incident-repor...@gmail.com
> Received: by 2002:ab0:340c:0:0:0:0:0 with SMTP id z12csp1291860uap;
>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
> X-Google-Smtp-Source:
>  ABdhPJxGsLcEEUpdbgGs3QgR03Rr9huo0nZHyOFLB9HDsbANUeb9dkNH/PpuXMfWArmb2WtJtVZk
> X-Received: by 2002:a17:902:cec8:: with SMTP id
>  d8mr10494650plg.98.1643412861553;
>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
> ARC-Seal: i=2; a=rsa-sha256; t=1643412861; cv=pass;
>         d=google.com; s=arc-20160816;
>         b=VU0Qf7i3UDk9cIk0HEQEv2hW46LmdHN1Z9UysluJsh4o1O1v5t12RrICEe8YlzFcZZ
>          UziO53/5IMPjyEVGqLIEyLq0v0Dz5B4gtR94biUHiyIVYEEbn+20dr6ONrGE/IKsYBWD
>          2pBDc/D+Ppe4rBBhwQOckw9xK9f/l+RS1sbRU1AY2sW2hqJZzjSZUe0scWUGvbwB4RZl
>          IS+F5z/T/ZLZ9s1v4JXmOoEnKu5b9oZ3XhJgc5EVYuAWJRFOrqIA7bRS8ISDJ+J/eYtJ
>          fI9gWI5UkkM6qIgY/wFngV0FifP2Yauo/ts7su9FzFmxgHJdCLioQiFy4E6EEv8qN78c
>          YrAA==
> ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
>         s=arc-20160816;
>         h=date:date:content-transfer-encoding:mime-version:to:reply-to:from
>          :subject:subject:message-id:dkim-signature:dkim-signature
>          :delivered-to;
>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>         b=FdwHNKthXMrmoT3OevMII/o6PzRZR8UA6zIwTYBTTF2EA63hRW6yJVj7mQLBEyAQ6x
>          WzjOhIf9zLeqzNYraveRpGQRcXUE/PqTaKDbzhTcqPfP9g82ea9dLhHgviwerKh1IhAp
>          3dri2wT2epRaIYnzEX2gMzmt8YiYjj3sHgvDDjg4Up4W1pYPmP4zx7N0UYxihu0B7eP6
>          4igCLE8hfq1VPzWistU6uTe+HkSIupCpz8X1pQ41DcjLuwjfIsy18HXLH8yXqwyg37u5
>          +HX04rA5UlBMEOQnZhHneFGM7JrDU4Z7Yg6o/+uFkL7RfPE265N9CUS0YevgBX5D4IEY
>          VwuA==
> ARC-Authentication-Results: i=2; mx.google.com;
>        dkim=temperror (no key for signature) header.i=@knowledgemodish.org.uk
>        header.s=sender header.b=heNp+Lc9;
>        dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
>        arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass
>        dkdomain=sendersrv.com);
>        spf=permerror (google.com: permanent error in processing during
>        lookup of 921108683ccq405...@universidadebrasil.edu.br:
>        host.universidadebrasil.email not found)
>        smtp.mailfrom=921108683ccq405...@universidadebrasil.edu.br
> Return-Path: <921108683ccq405...@universidadebrasil.edu.br>
> Received: from lingojam.com ([212.83.129.110])
>         by mx.google.com with ESMTP id j9si7146126plx.86.2022.01.28.15.34.21
>         for <incident-repor...@gmail.com>;
>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
> Received-SPF: permerror (google.com: permanent error in processing during
>        lookup of 921108683ccq405...@universidadebrasil.edu.br:
>        host.universidadebrasil.email not found) client-ip=212.83.129.110;
> Authentication-Results: mx.google.com;
>        dkim=temperror (no key for signature) header.i=@knowledgemodish.org.uk
>        header.s=sender header.b=heNp+Lc9;
>        dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
>        arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass
>        dkdomain=sendersrv.com);
>        spf=permerror (google.com: permanent error in processing during
>        lookup of 921108683ccq405...@universidadebrasil.edu.br:
>        host.universidadebrasil.email not found)
>        smtp.mailfrom=921108683ccq405...@universidadebrasil.edu.br

I'm confused, this says the DKIM did pass. You can also see that the
bodyhash (bh=) in the AMS and DKIM headers is all the same, so the body
itself didn't change? Note that although ARC from gmail to gmail can be
used to bypass a DKIM failure, that's not what's happening here.

A replay attack is the most likely explanation, yes.

Brandon

> Delivered-To: ysoul8...@gmail.com
> Received: by 2002:a02:a14a:0:0:0:0:0 with SMTP id m10csp394823jah;
>         Fri, 28 Jan 2022 07:31:40 -0800 (PST)
> X-Received: by 2002:a2e:2a04:: with SMTP id
>  q4mr6116831ljq.428.1643383900388;
>         Fri, 28 Jan 2022 07:31:40 -0800 (PST)
> ARC-Seal: i=1; a=rsa-sha256; t=1643383900; cv=none;
>         d=google.com; s=arc-20160816;
>         b=Lnn5XQ1j10ikEZENe8i0XPsyPhwpp7AAaEODfKuODEjNcgDxtfjOyVE4biwI1oWuel
>          znv1YmtupI95DExnRKpyq20MVqQL9IhRrMxK/O5lrxz9u8tgwzFpq4fTh4urmZTy/dnW
>          EWvT5WZWdK0+8k5+1WRtiCiLTj5cg6VIT+vrC+1ut/X2o9bMghmgqZETCQpMGSHvcWkB
>          WN1iuiszzcHB+/v6LTtAwxJIi3UGrsmEj5IwfSOyIEljA+S2ZYKFGm/08s4ulS5nfRru
>          gFLMH+hrsAi4YyJwSDhkNegHZYYUFmB24zA2CCwss+FJSlKSRtliiVnVP2TfWbUfxxA4
>          QD9w==
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
>         s=arc-20160816;
>         h=date:content-transfer-encoding:mime-version:to:reply-to:from
>          :subject:message-id:dkim-signature:dkim-signature;
>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>         b=nkQkfmL3Wm2z/Jl6yBa1TjePKO2rjBSUPrLlpKwWItDIjX5qEAHJIY2fjQ0rDPe20F
>          OJuiHppDcLLSImVdVVW542bNQWr8bwBhI+dJJ9VFFJqvssH5Apu+f3KU1bq5hQg+GFhu
>          /Xx1Pl+I63f5TTyzqOGxS74fv2ycytsumnRvrC3SSN2TN8FAoD9eCq64y2ufcvfogmr+
>          /qQiNBxLyiCL+lJd0pau8YpyeA+MP5iVcAjIulXD9JqBfZvUiNm7Lj5l8CxNLXKcPcPR
>          dHFlMGQ1G/qMulV/2ag1OiQcT9NriqHsxgZ1N9cFnMAFdTz1470CRhx7rcRFsiI2auon
>          IG/Q==
> ARC-Authentication-Results: i=1; mx.google.com;
>        dkim=temperror (no key for signature) header.i=@knowledgemodish.org.uk
>        header.s=sender header.b=heNp+Lc9;
>        dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
>        spf=pass (google.com: domain of bounces-test770...@sendersrv.com
>        designates 185.3.229.126 as permitted sender)
>        smtp.mailfrom=bounces-test770...@sendersrv.com
> Return-Path: <bounces-test770...@sendersrv.com>
> Received: from mail2.sendersrv.com (mail2.sendersrv.com. [185.3.229.126])
>         by mx.google.com with ESMTPS id x14si4818800lfu.581.2022.01.28.07.31.39
>         for <ysoul8...@gmail.com>
>         (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
>         Fri, 28 Jan 2022 07:31:39 -0800 (PST)
> Received-SPF: pass (google.com: domain of bounces-test770...@sendersrv.com
>        designates 185.3.229.126 as permitted sender) client-ip=185.3.229.126;
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=sender;
>         d=knowledgemodish.org.uk;
>         h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
>          Content-Transfer-Encoding:Date; i=i...@knowledgemodish.org.uk;
>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>         b=heNp+Lc9pjUvcl7261qiyZUMEyujFujFFM4JWbthE4qeaCwXcCD3ePFEU5I66Iy/eG/bks4nPCE1
>          tu2ijH5HuwYwBGC89rkxHXqBzSxb3taREXKm7DeIN7J/2/L2LQo6kd5opfdRABl3qQxeH6GXFmCt
>          fQ8Q/8pQw8Z7oKFyJTQ=
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=smtp;
>         d=sendersrv.com;
>         h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
>          Content-Transfer-Encoding:Date;
>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>         b=Ra7fdByfHfiOJTQl1izbL8wR7bEBsR/q3tetReHIm798TzvIW4Qgvd4Ovbfrh/qcqzzy95yUocOc
>          Y5zuge0sep0S6zsQjA/5COgoEjtx2W7RAlo59L7nlxtvyNd5zwZQ1QOX1YnnDZ5WaEnNyZboXHth
>          OXukNXbiai1NhnJv3s4=
> Return-Path: <bounces-test770...@sendersrv.com>
> Message-ID: <ad4ee4db20cd64959ddf0f9976c24...@app.sender.net>
> Subject: 𝟸ɴᴅ ᴀᴛᴛᴇᴍᴘᴛ: ʏᴏᴜ ᴀʀᴇ ᴀ ᴡɪɴɴᴇʀ $𝟷𝟶𝟶 ᴄᴏsᴛᴄᴏ ғᴏʀ ʏᴏᴜ #16351
> Subject: [Test Email] Costco !!
> From: Costco Stores <i...@knowledgemodish.org.uk>
> Reply-To: i...@knowledgemodish.org.uk
> To: ysoul8...@gmail.com
> MIME-Version: 1.0
> Content-Type: text/html; charset=utf-8
> Content-Transfer-Encoding: quoted-printable
> Date: Fri, 28 Jan 2022 18:34:18 -0500 (EST)
> Date: Fri, 28 Jan 2022 17:31:39 +0200
>
> ---------- Forwarded message ---------
> From: Costco Stores <i...@knowledgemodish.org.uk>
> Date: Fri, Jan 28, 2022 at 6:34 PM
> Subject: 𝟸ɴᴅ ᴀᴛᴛᴇᴍᴘᴛ: ʏᴏᴜ ᴀʀᴇ ᴀ ᴡɪɴɴᴇʀ $𝟷𝟶𝟶 ᴄᴏsᴛᴄᴏ ғᴏʀ ʏᴏᴜ #16351
> To: <ysoul8...@gmail.com>
>
>
>
> Edgar Vaitkevičius, founder / CEO
> ed...@sender.net
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
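The quoted headers carry two Subject: and two Date: lines while both DKIM-Signature h= lists name Subject and Date only once. RFC 6376 matches h= entries to header instances from the bottom up, so the signature still verifies over the original (lowest) copies, consistent with the dkim=pass above, while an unsigned copy on top is what a mail client displays. The Python check below is added here and is not from the thread; it runs over a constructed message with that layout (all names and values are placeholders), flags headers that have more instances than h= entries, and shows the signer-side over-signing remedy from RFC 6376 section 8.15.

```python
import email
from collections import Counter

# Constructed sample (not the thread's message) with the quoted headers'
# layout: two Subject: and two Date: lines, DKIM h= naming each once.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=smtp; d=example.org;
 h=Message-ID:Subject:From:Reply-To:To:Date; bh=PLACEHOLDER=; b=PLACEHOLDER=
Message-ID: <constructed-id@example.org>
Subject: 2nd attempt: you are a winner
Subject: [Test Email] Costco !!
From: Example Stores <info@example.org>
Reply-To: info@example.org
To: recipient@example.com
Date: Fri, 28 Jan 2022 18:34:18 -0500
Date: Fri, 28 Jan 2022 17:31:39 +0200

"""

def signed_header_names(msg):
    """Lowercased names from the h= tag of the first DKIM-Signature."""
    for tag in msg.get("DKIM-Signature", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "h":
            return [h.strip().lower() for h in value.split(":") if h.strip()]
    return []

def unsigned_copies(msg):
    """Signed header name -> instances beyond its h= entries. RFC 6376 binds
    h= entries bottom-up, so surplus copies on top are unsigned yet displayed."""
    present = Counter(n.lower() for n, _ in msg.items())
    signed = Counter(signed_header_names(msg))
    return {n: present[n] - signed[n] for n in signed if present[n] > signed[n]}

def displayed_and_signed(msg, name):
    """(top instance a client displays, bottom instance the signature covers)."""
    values = msg.get_all(name) or []
    return (values[0], values[-1]) if values else (None, None)

def oversign(names):
    """Signer-side remedy (RFC 6376 s8.15): one extra h= entry per name, so a
    later-added instance finds no free slot and the signature fails."""
    return [n for name in names for n in (name, name)]

def analyze(raw=RAW):
    msg = email.message_from_string(raw)
    return {"unsigned_copies": unsigned_copies(msg),
            "subject": displayed_and_signed(msg, "Subject"),
            "date": displayed_and_signed(msg, "Date")}
```

A result of {"subject": 1, "date": 1} on a verified message is the indicator to alert on: the signature is genuine, but the Subject and Date the recipient sees are not the ones it covers.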