On Wed, Jan 11, 2023 at 10:00:50PM +0100, Cyril - ImprovMX via mailop wrote:
> Hi everyone!
> 
> Today, I received a spam ("I got full access to your computer and installed
> a trojan" kind of email). In general, I completely ignore these, but today
> was different:
> 
> The sender and recipient were my own email! What's odd is that I did
> configure SPF (granted, with a "~") but also a DMARC reject policy.
> 
> Looking at the email headers and also the output from GMail, both SPF and
> DKIM were successful ("pass"), which means the sender, somehow, was able to
> send an email using my account.

The IPv6 addresses seem to be the 6to4 range, which serves only to obfuscate 
here.
Do you recognize any of the addresses in the received: headers before that, as 
in, would those normally be involved in the delivery path from the devices you
actually use?

But more to the point, I would not trust Received: headers that claim to have
been added by infrastructure not under my own control or under the control of
some party I trust.

> I would love your input on the issue, but here are my thoughts so far:
> 
> 1. My account was compromised, and the password was leaked, allowing that
> user to send an email with my account. This would make sense, but the
> sending account was only used to be configured within GMail. As soon as the
> password was generated, I pasted it on GMail and never saved it elsewhere.
> 2. Theoretically, if I were to create an account on Mailgun, I would be
> able to send an email from my account and have a valid SPF for any other
> services that use Mailgun too (since their SPF would include Mailgun's
> IPs), but it wouldn't explain the valid DKIM though. For this, Mailgun
> should only allow my account to be able to send using my domain.
> 3. Did Mailgun have any database leak that I wasn't aware of?
> 
> Of course, as soon as I saw this email, I generated a new password for my
> account, but I still wonder how this could have happened. I would
> appreciate if you had any insights I've missed that would make sense.

Generating a new, strong (long) password likely won't hurt, but it may not
have been necessary. It is more likely that the miscreants injected the 
message somewhere that does not lend much weight to things like SPF, but 

Anyway, I have done a bit of study on those messages, my last (intended
to be the last ever on the topic) is up at 
https://medium.com/coinmonks/the-despicable-no-good-blackmail-campaign-targeting-imaginary-friends-9a75952096a4,
alternatively 
https://bsdly.blogspot.com/2022/12/the-despicable-no-good-blackmail.html
or even trackerless other than my webserver log at 
https://www.nxdomain.no/~peter/despicable_no_good_blackmail.html
- all with links to the archive of such messages collected and an earlier
piece with some more detail on earlier campaigns.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
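As an added illustration of the two points above (6to4 addresses in the path, and only trusting Received: lines written by MTAs you control), here is a small audit script; it is not code from the thread, and the message, host names and trusted-MTA set are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the thread): the top two Received: lines were
# written by MTAs we operate; the 6to4 hop and everything below it are not ours.
SAMPLE = (
    "Received: from mail-in.example.org (mail-in.example.org [192.0.2.10])\n"
    "\tby mx.example.org with ESMTPS; Wed, 11 Jan 2023 20:00:00 +0000\n"
    "Received: from [2002:c000:0204::1] (unknown [2002:c000:0204::1])\n"
    "\tby mail-in.example.org with ESMTP; Wed, 11 Jan 2023 19:59:58 +0000\n"
    "Received: from webmail.example.org (webmail.example.org [198.51.100.5])\n"
    "\tby 2002:c000:0204::1 with ESMTP; Wed, 11 Jan 2023 19:59:40 +0000\n"
    "Subject: test\n\nbody\n"
)

# Hypothetical set of MTAs whose Received: lines we actually trust.
TRUSTED_BY = {"mx.example.org", "mail-in.example.org"}

# from <host> ... [<ip>] ... by <host>; re.S lets it span folded header lines.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", re.S)


def audit_received(raw, trusted_by=TRUSTED_BY):
    """Walk Received: headers top-down (newest first). A hop is trusted only if
    the MTA that wrote it ('by') is ours AND every hop above it was trusted;
    below the first foreign hop nothing is verifiable. 6to4 (2002::/16)
    addresses are flagged and the embedded IPv4 address is recovered."""
    msg = message_from_string(raw)
    hops, chain_ok = [], True
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        from_host, ip_str, by_host = m.groups()
        chain_ok = chain_ok and by_host in trusted_by
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            ip = None
        s2f = getattr(ip, "sixtofour", None)  # only IPv6Address has this
        hops.append({
            "from": from_host, "by": by_host, "ip": ip_str,
            "trusted": chain_ok,
            "sixtofour_v4": str(s2f) if s2f else None,
        })
    return hops
```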
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop