On 11 January 2023 21:00:50 UTC, Cyril - ImprovMX via mailop 
<mailop@mailop.org> wrote:
>Hi everyone!
>
>Today, I received a spam ("I got full access to your computer and installed
>a trojan" kind of email). In general, I completely ignore these, but today
>was different:

From time to time (once per 1-3 months) I (my MTA) get 1000-3000 SPAMs
of this type, usually all blocked by my filtering at various SMTP stages.

>The sender and recipient were my own email! What's odd is that I did
>configure SPF (granted, with a "~") but also a DMARC reject policy.

These waves have different senders, usually different in every
message, from a couple of domains, and some of them have my domain.

>Looking at the email headers and also the output from GMail, both SPF and
>DKIM were successful ("pass"), which means the sender, somehow, was able to
>send an email using my account.

SPF authorizes the MAIL FROM domain by IP, thus any domain hosted on a
common provider will pass it.

DKIM authorizes a particular domain by private key, thus any service
hosted by a common (signing) MTA will be signed by the right key.

In other words, neither SPF nor DKIM authorizes a particular account,
and IMO that is (mis)used to confuse recipients. Whether these domains
or addresses can be spoofed this way on a shared service
depends only on the provider's rules.

>I would love your input on the issue, but here are my thoughts so far:

>1. My account was compromised, and the password was leaked, allowing that
>user to send an email with my account. This would make sense, but the
>sending account was only used to be configured within GMail. As soon as the
>password was generated, I pasted it on GMail and never saved it elsewhere.

Did you provide your credentials to mailgun???

>2. Theoretically, if I were to create an account on Mailgun, I would be
>able to send an email from my account and have a valid SPF for any other
>services that use Mailgun too (since their SPF would include Mailgun's
>IPs), but it wouldn't explain the valid DKIM though. For this, Mailgun
>should only allow my account to be able to send using my domain.

For mailgun to be able to sign your domain's mail, it must have the particular private
key. If anyone from mailgun can spoof your domain, the message will
be signed by the right key, thus the DKIM signature will be valid.

You have to ask mailgun how this can happen.

>3. Did Mailgun have any database leak that I wasn't aware of?

As in 2)

>Here are the headers from the email with my end email redacted:
>https://pastebin.com/knqbTa8K

Once again, ask mailgun; the first Received: header shows the message coming from
os3-384-25366.vs.sakura.ne.jp (IP 133.167.109.120) with "undefined" id,
ask them why that host can use your domain...

regards

-- 
Slavko
https://www.slavino.sk/
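The two points made above (SPF and DKIM authenticate a domain, never a mailbox, and the originating host is found in the earliest Received: header) as an added example that is not part of this thread or of any mail software discussed in it. The script below evaluates DMARC-style alignment from an Authentication-Results header and extracts the first hop from the Received chain; the message, host names, IP addresses and DKIM selector are constructed placeholders, and the organizational-domain logic is a deliberate simplification (real DMARC evaluation uses the Public Suffix List).

```python
"""Evaluate SPF/DKIM/DMARC alignment on a captured message and locate its first hop.

Illustrates why a full 'pass' says nothing about which account sent the mail:
every check here operates on domains, so the result carries no mailbox identity.
"""
import email
import re
from email import policy

# Constructed sample (not from the thread): From: and MAIL FROM are the victim's
# own domain, relayed through a shared provider that signs for that domain.
# Host names, IPs and the selector are invented placeholders.
SAMPLE = """\
Return-Path: <alice@example.org>
Received: from shared-relay.provider.example (shared-relay.provider.example [198.51.100.7])
    by mx.example.org with ESMTPS id 4Nz1qX; Wed, 11 Jan 2023 20:58:11 +0000
Received: from vs-12345.hoster.example ([203.0.113.42])
    by shared-relay.provider.example with ESMTPSA id 7kQ2pL; Wed, 11 Jan 2023 20:58:09 +0000
Authentication-Results: mx.example.org;
    spf=pass smtp.mailfrom=example.org;
    dkim=pass header.d=example.org header.s=sel1;
    dmarc=pass header.from=example.org
From: Alice <alice@example.org>
To: Alice <alice@example.org>
Subject: I have full access to your computer

body
"""

# Constructed counter-case: the provider's own bounce domain in MAIL FROM, so
# SPF passes but does not align with the From: domain.
SAMPLE_UNALIGNED = """\
Received: from shared-relay.provider.example ([198.51.100.7]) by mx.example.org
Authentication-Results: mx.example.org;
    spf=pass smtp.mailfrom=bounce.provider.example;
    dkim=fail header.d=example.org
From: Alice <alice@example.org>
Subject: test

body
"""

AR_ITEM = re.compile(r'(?P<method>spf|dkim|dmarc)=(?P<result>\w+)(?P<props>[^;]*)')
PROP = re.compile(r'(?P<key>[\w.]+)=(?P<val>\S+)')
RCVD_FROM = re.compile(r'^from\s+(?P<host>\S+)(?:.*?\[(?P<ip>[0-9a-fA-F.:]+)\])?', re.S)


def org_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels (assumption; real DMARC uses the PSL)."""
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(a: str, b: str, relaxed: bool = True) -> bool:
    """DMARC identifier alignment: relaxed compares organizational domains, strict exact domains."""
    a, b = a.lower(), b.lower()
    return org_domain(a) == org_domain(b) if relaxed else a == b


def parse_auth_results(msg) -> dict:
    """Return {method: {'result': ..., 'smtp.mailfrom'/'header.d'/...: ...}} from Authentication-Results."""
    out = {}
    for ar in msg.get_all('Authentication-Results', []):
        for m in AR_ITEM.finditer(str(ar)):
            props = dict(PROP.findall(m.group('props')))
            out[m.group('method')] = {'result': m.group('result'), **props}
    return out


def first_hop(msg) -> dict:
    """The earliest Received: header is the last one in the message; pull its 'from' host and IP."""
    received = msg.get_all('Received', [])
    if not received:
        return {}
    earliest = str(received[-1]).strip()
    m = RCVD_FROM.match(earliest)
    if not m:
        return {'raw': earliest}
    return {'host': m.group('host'), 'ip': m.group('ip'), 'raw': earliest}


def evaluate(raw: str) -> dict:
    """Domain-level verdicts plus the one thing they cannot give you: which mailbox sent it."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg['From'].addresses[0].addr_spec.split('@', 1)[1]
    ar = parse_auth_results(msg)
    spf, dkim = ar.get('spf', {}), ar.get('dkim', {})
    spf_ok = spf.get('result') == 'pass' and aligned(spf.get('smtp.mailfrom', ''), from_domain)
    dkim_ok = dkim.get('result') == 'pass' and aligned(dkim.get('header.d', ''), from_domain)
    return {
        'from_domain': from_domain,
        'spf_aligned': spf_ok,
        'dkim_aligned': dkim_ok,
        'dmarc_pass': spf_ok or dkim_ok,
        'mailbox_authenticated': None,  # no domain-level check can establish this
        'origin': first_hop(msg),       # the host to ask the provider about
    }


if __name__ == '__main__':
    for name, raw in (('aligned', SAMPLE), ('unaligned', SAMPLE_UNALIGNED)):
        print(name, evaluate(raw))
```

The `mailbox_authenticated` key is deliberately always `None`: once SPF and DKIM both pass and align, the receiver has verified only that the message came through infrastructure authorized for the domain, and the question of which customer of that shared infrastructure sent it (or whether they should have been allowed to) can only be answered by the provider's own logs, which is why the advice above is to take the first-hop host to mailgun.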
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop