Looking at it again, I agree with Todd and Jarland's hypothesis; forwarding sounds more plausible than an API submission via compromised credentials in this case. I think that hit the nail on the head. This also correlates with one of Mailgun's product offerings for forwarding <https://www.mailgun.com/blog/product/intelligent-email-forwarding-with-mailgun/>, which fits the bill.

On 1/11/2023 3:29 PM, Todd Herr via mailop wrote:
This looks like a message that might've been sent to a reflectiv.net address (perhaps the one advertised on your website? contact at reflectiv.net?) and then automatically forwarded by Mailgun (which hosts inbound mail for reflectiv.net) to a Google account (since Mailgun probably doesn't do mailbox hosting).

That's just purely a guess, based on

    X-Mailgun-Incoming: Yes

appearing in the headers, and the MX record for reflectiv.net, and the message coming to Google with the following Return-Path:

    Return-Path: <bounce+3dbf11.71c471-{redacted}=gmail....@reflectiv.net>

Does that sound plausible?

On Wed, Jan 11, 2023 at 4:07 PM Cyril - ImprovMX via mailop <mailop@mailop.org> wrote:

    Hi everyone!

    Today, I received a spam ("I got full access to your computer and
    installed a trojan" kind of email). In general, I completely
    ignore these, but today was different:

    The sender and recipient were my own email! What's odd is that I
    did configure SPF (granted, with a "~") but also a DMARC reject
    policy.

    Looking at the email headers and also the output from GMail, both
    SPF and DKIM were successful ("pass"), which means the sender,
    somehow, was able to send an email using my account.

    I would love your input on the issue, but here are my thoughts so far:

    1. My account was compromised, and the password was leaked,
    allowing that user to send an email with my account. This would
    make sense, but the sending account was only used to be configured
    within GMail. As soon as the password was generated, I pasted it
    on GMail and never saved it elsewhere.
    2. Theoretically, if I were to create an account on Mailgun, I
    would be able to send an email from my account and have a valid
    SPF for any other services that use Mailgun too (since their SPF
    would include Mailgun's IPs), but it wouldn't explain the valid
    DKIM though. For this, Mailgun should only allow my account to be
    able to send using my domain.
    3. Did Mailgun have any database leak that I wasn't aware of?

    Of course, as soon as I saw this email, I generated a new password
    for my account, but I still wonder how this could have happened. I
    would appreciate if you had any insights I've missed that would
    make sense.

    Here are the headers from the email with my end email redacted:
    https://pastebin.com/knqbTa8K

    Thank you!
    _______________________________________________
    mailop mailing list
    mailop@mailop.org
    https://list.mailop.org/listinfo/mailop



--
Todd Herr | Technical Director, Standards and Ecosystem
e: todd.h...@valimail.com
m: 703.220.4153





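The header evidence Todd lists (X-Mailgun-Incoming plus a rewritten bounce+ Return-Path at the victim's own domain) can be turned into a small triage check that separates "forwarded inbound spam that passed authentication on the forwarding hop" from "mail actually submitted through the account". This is an added example, not code from anyone in the thread or from Mailgun; the header samples are constructed, with the bounce token and recipient placeholders standing in for the redacted values.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the thread; the
# bounce token and recipient local-part are placeholders, not real values.
FORWARDED = """\
Return-Path: <bounce+3dbf11.71c471-REDACTED=gmail.com@reflectiv.net>
X-Mailgun-Incoming: Yes
Authentication-Results: mx.google.com; spf=pass; dkim=pass header.d=reflectiv.net; dmarc=pass
From: contact@reflectiv.net
To: contact@reflectiv.net
Subject: I have full access to your computer

body
"""

# Constructed contrast case: a message really submitted through the provider
# with the account's credentials keeps the plain envelope sender.
DIRECT = """\
Return-Path: <contact@reflectiv.net>
Authentication-Results: mx.google.com; spf=pass; dkim=pass header.d=reflectiv.net; dmarc=pass
From: contact@reflectiv.net
To: contact@reflectiv.net
Subject: Monthly report

body
"""

def _addr(value):
    """Bare lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def classify(raw):
    """Decide whether an authenticated self-addressed message was forwarded.

    Returns a dict of findings plus a verdict of 'forwarded' or 'direct'.
    'forwarded' means SPF/DKIM/DMARC vouch for the forwarding hop, not for
    whoever originated the message, so a compromised account is not implied.
    """
    msg = email.message_from_string(raw)
    sender, recipient = _addr(msg.get("From")), _addr(msg.get("To"))
    from_domain = sender.rpartition("@")[2]
    rp_local, _, rp_domain = _addr(msg.get("Return-Path")).rpartition("@")
    findings = {
        "self_addressed": sender == recipient,
        # Mailgun stamps received (not API-submitted) mail with this header.
        "mailgun_inbound": (msg.get("X-Mailgun-Incoming") or "").strip().lower() == "yes",
        # Envelope sender rewritten to a bounce+ address at the victim's own
        # domain, which is why SPF aligns although the owner never sent it.
        "rewritten_bounce_path": rp_local.startswith("bounce+") and rp_domain == from_domain,
    }
    findings["verdict"] = "forwarded" if findings["mailgun_inbound"] and findings["rewritten_bounce_path"] else "direct"
    return findings
```

Run `classify()` over a suspect message's raw headers; a "direct" verdict on a self-addressed message is the case where rotating credentials, as Cyril did, is the right first move.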
