Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-30 Thread Evan Burke via mailop
This is indeed a replay attack. It's quite widespread and appears to be
focused on taking advantage of domain reputation on the DKIM d= domain for
various email platforms. The end recipients appear to be exclusively Gmail,
as far as I've seen, and are delivered using BCC, leaving the To header
intact.

I recommend including the Date and Subject fields twice in your DKIM
signature h= string, and possibly other key fields; that will break the
original signature if a second such header is later added.
https://tools.wordtothewise.com/rfc/6376#section-8.15

e.g., instead of
h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
Content-Transfer-Encoding:Date;
use
h=Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Date;



On Sun, Jan 30, 2022 at 4:48 PM Ángel via mailop  wrote:

> On 2022-01-30 at 14:09 +0200, Edgaras | SENDER wrote:
> > Hello,
> >
> > We noticed in Google Postmaster Tools a lot of bad reputation IPs
> > which do not belong to us, and are actually forbidden from sending
> > emails on our behalf via SPF -all, yet Gmail thinks the messages
> > from these IPs were fully authenticated.
> >
> > After investigating some reports, it looks like a DKIM replay attack,
> > where Gmail does not validate the original DKIM signature (which
> > includes Message-ID:Reply-To:To: fields), and even ignores SPF
> > permerror, if the message contains ARC headers.
> >
> > Full headers below, any insights or suggestions would be appreciated:
>
>
> Hello Edgar(as)?
>
> I have been looking at your email, but I am confused at how it was
> produced, and so which are the weird bits.
>
> It purports to be a mail from bounces-test770...@sendersrv.com to
> ysoul8...@gmail.com, which then was "forwarded" (!) by 212.83.129.110
> to incident-repor...@gmail.com with a MAIL FROM:<
> 921108683ccq405...@universidadebrasil.edu.br> and an EHLO of
> lingojam.com
>
>
> It makes sense that DKIM could be skipped if there is ARC, but then ARC
> should be checked!
>
> Some interesting bits:
> - Two Date: headers
> - Two different Subject: headers
> - Original Return-Path:  appears twice
>
> - A couple of headers have two consecutive dots where there should be
> one: "212.83.129..110", "mx.google..com",
>
> > Received-SPF: permerror (google.com: permanent error in processing
> > during lookup of 921108683ccq405...@universidadebrasil.edu.br:
> > host.universidadebrasil.email not found) client-ip=212.83.129..110;
> > Authentication-Results: mx.google..com;
>
> Note: the first Subject header wasn't encoding those utf-8 characters?
>
>
>
> Best regards
>
>
> PS: yes universidadebrasil.edu.br has a bad SPF record:
> "v=spf1 include:spf.protection.outlook.com
> include:universidadebrasil.edu.br ip4:192.99.207.72
> include:host.universidadebrasil.email ip4:45.33.9.144
> include:mailgrid.com.br -all" but no txt on
> host.universidadebrasil.email
>
>
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
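To make the mechanics behind Edgaras's observation (two Subject: and Date: headers, yet dkim=pass) and Evan's oversigning advice concrete, here is an added Python example. It is not from the thread and not code from any of the posters; it implements the h= header selection rule of RFC 6376 section 5.4.2 and the relaxed header canonicalization of section 3.4.2 over a constructed header block (all names and values made up). SHA-256 over the selected headers stands in for the full DKIM computation, which also covers the body hash and the DKIM-Signature header itself before RSA signing; that simplification is enough to show why a header prepended above the originals leaves a conventional h= signature valid but invalidates an oversigned one.

```python
import hashlib
import re

# Constructed header block, top to bottom, as the signing MTA saw it.
# Names and values are made up for this example.
ORIGINAL_HEADERS = [
    ("Message-ID", "<20220128.1234@mail.example.net>"),
    ("Subject", "Your January statement"),
    ("From", "Billing <billing@example.net>"),
    ("Reply-To", "support@example.net"),
    ("To", "customer@example.org"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/plain; charset=utf-8"),
    ("Content-Transfer-Encoding", "7bit"),
    ("Date", "Fri, 28 Jan 2022 07:31:00 -0800"),
]

# The two h= strings from Evan's message: conventional and oversigned.
ORIGINAL_H = ("Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:"
              "Content-Transfer-Encoding:Date")
OVERSIGNED_H = ("Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:"
                "Content-Type:Content-Transfer-Encoding:Date:Date")


def relaxed_canon(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2): lower-case
    name, unfold, collapse whitespace runs, strip, no space after the colon."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(headers, h_field):
    """RFC 6376 section 5.4.2: for each name in h=, in order, take the next
    not-yet-used instance scanning from the BOTTOM of the header block up.
    A name listed more times than it occurs contributes nothing for the
    extra entries; that is what makes oversigning work."""
    used = set()
    parts = []
    for wanted in h_field.split(":"):
        chosen = None
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == wanted.lower():
                chosen = idx
                break
        if chosen is None:
            continue
        used.add(chosen)
        parts.append(relaxed_canon(*headers[chosen]))
    return "".join(parts)


def header_hash(headers, h_field):
    """Stand-in for the signed header hash. Real DKIM also covers bh= and
    the DKIM-Signature header itself (with b= emptied) before RSA signing."""
    data = select_signed_headers(headers, h_field).encode()
    return hashlib.sha256(data).hexdigest()


def prepend(headers, *extra):
    """Copy of the header block with extra fields placed above the
    originals, where a relaying party's additions land."""
    return list(extra) + list(headers)


def survives_replay(h_field):
    """True when a second Subject: and Date: placed above the originals
    leave the signed header hash, and therefore the signature, unchanged."""
    before = header_hash(ORIGINAL_HEADERS, h_field)
    tampered = prepend(ORIGINAL_HEADERS,
                       ("Subject", "Something else entirely"),
                       ("Date", "Fri, 28 Jan 2022 15:34:00 -0800"))
    return header_hash(tampered, h_field) == before


if __name__ == "__main__":
    print("conventional h= still verifies after replay:",
          survives_replay(ORIGINAL_H))
    print("oversigned h= still verifies after replay:",
          survives_replay(OVERSIGNED_H))
```

Two things fall out of running it. On the untampered message the two h= strings hash identically, because the extra Subject and Date entries select nothing, so oversigning costs the signer nothing. After the prepend, the conventional h= still selects the bottom-most (original) Subject and Date, so the signature verifies while a client displays the new top-most Subject; the oversigned h= now selects the injected headers as its second instances and the hash changes. The ARC-Message-Signature in the headers Edgaras posted lists date:date and subject:subject, i.e. the same technique applied on the ARC side.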


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-30 Thread Ángel via mailop
On 2022-01-30 at 14:09 +0200, Edgaras | SENDER wrote:
> Hello,
> 
> We noticed in Google Postmaster Tools a lot of bad reputation IPs
> which do not belong to us, and are actually forbidden from sending
> emails on our behalf via SPF -all, yet Gmail thinks the messages
> from these IPs were fully authenticated.
> 
> After investigating some reports, it looks like a DKIM replay attack,
> where Gmail does not validate the original DKIM signature (which
> includes Message-ID:Reply-To:To: fields), and even ignores SPF
> permerror, if the message contains ARC headers.
> 
> Full headers below, any insights or suggestions would be appreciated:


Hello Edgar(as)?

I have been looking at your email, but I am confused at how it was
produced, and so which are the weird bits.

It purports to be a mail from bounces-test770...@sendersrv.com to 
ysoul8...@gmail.com, which then was "forwarded" (!) by 212.83.129.110
to incident-repor...@gmail.com with a MAIL FROM:<
921108683ccq405...@universidadebrasil.edu.br> and an EHLO of
lingojam.com


It makes sense that DKIM could be skipped if there is ARC, but then ARC
should be checked!

Some interesting bits:
- Two Date: headers
- Two different Subject: headers
- Original Return-Path:  appears twice

- A couple of headers have two consecutive dots where there should be
one: "212.83.129..110", "mx.google..com", 

> Received-SPF: permerror (google.com: permanent error in processing
> during lookup of 921108683ccq405...@universidadebrasil.edu.br:
> host.universidadebrasil.email not found) client-ip=212.83.129..110;
> Authentication-Results: mx.google..com;

Note: the first Subject header wasn't encoding those utf-8 characters?



Best regards


PS: yes universidadebrasil.edu.br has a bad SPF record:
"v=spf1 include:spf.protection.outlook.com
include:universidadebrasil.edu.br ip4:192.99.207.72
include:host.universidadebrasil.email ip4:45.33.9.144
include:mailgrid.com.br -all" but no txt on
host.universidadebrasil.email



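For the permerror Ángel's PS explains, here is an added Python example (not from the thread, not any poster's code): a simplified RFC 7208 check_host() over a constructed zone of made-up .test domains shaped like the record quoted above. It shows the two ways such a record ends in permerror: an include: of a domain that has no SPF record at all (section 5.2), and a record that include:s itself, which recurses until the 10-lookup limit of section 4.6.4 is exceeded. Only the ip4, include and all mechanisms are implemented; the domain names, addresses and records are constructed for the example.

```python
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4

# Constructed zone (made-up .test names, not real records).
# None means the domain exists but publishes no SPF TXT record.
ZONE = {
    "loop-edu.test": ("v=spf1 include:spf.provider.test include:loop-edu.test "
                      "ip4:192.0.2.10 include:host.loop-edu.test -all"),
    "broken-edu.test": ("v=spf1 include:spf.provider.test ip4:192.0.2.10 "
                        "include:host.broken-edu.test -all"),
    "fixed-edu.test": "v=spf1 include:spf.provider.test ip4:192.0.2.10 -all",
    "spf.provider.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "host.loop-edu.test": None,
    "host.broken-edu.test": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    pass


def check_host(ip, domain, zone=ZONE):
    """Simplified RFC 7208 check_host(). Returns (result, reason); result
    is one of pass, fail, softfail, neutral, none, permerror."""
    budget = [MAX_DNS_LOOKUPS]
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, zone, budget), ""
    except PermError as err:
        return "permerror", str(err)


def _evaluate(ip, domain, zone, budget):
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
            continue
        if term.startswith("include:"):
            target = term[len("include:"):]
            budget[0] -= 1
            if budget[0] < 0:
                # A record that include:s itself recurses until it lands here.
                raise PermError("too many DNS lookups")
            sub = _evaluate(ip, target, zone, budget)
            if sub == "none":
                # RFC 7208 section 5.2: the included domain has no SPF record.
                raise PermError(f"include: {target} has no SPF record")
            if sub == "pass":
                return QUALIFIERS[qualifier]
            continue  # fail, softfail or neutral from the include: no match
        raise PermError(f"unsupported mechanism {term}")
    return "neutral"  # RFC 7208 section 4.7: default when nothing matched


if __name__ == "__main__":
    for dom in ("loop-edu.test", "broken-edu.test", "fixed-edu.test"):
        print(dom, "from 203.0.113.5 ->", check_host("203.0.113.5", dom))
```

Note the evaluation order: a sending IP that matches an earlier ip4: term still gets pass from broken-edu.test, so the domain's legitimate mail keeps working and the permerror surfaces only for addresses that reach the bad include:, which is exactly the case for a MAIL FROM forged from an unrelated host. Dropping the self-include and the dead include:, as in fixed-edu.test, turns the result for such hosts into the fail the -all was meant to produce.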


Re: [mailop] Anyone from Vade

2022-01-30 Thread Al Iverson via mailop
The person I knew at Vade seems to have left, but the process described
here should still work:
https://www.spamresource.com/2020/06/what-is-vade-threat-list-how-do-i.html

Cheers,
Al Iverson

On Sun, Jan 30, 2022 at 9:23 AM Ken Robinson via mailop 
wrote:

> My IP address has somehow gotten on the Vade Blocklist. It is not on any
> other blocklist as far as I can tell.
>
> How do I get it off the Vade list?
>
> My IP address is 172.110.191.18
>
> Thanks,
> Ken Robinson
>


-- 
*Al Iverson /* Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)


Re: [mailop] MagicMail / MIPSpace Listing

2022-01-30 Thread Michael Peddemors via mailop
Any time you see a /24 in any reputation service, it probably isn't you, 
it's your provider.. looking through that range there are some 
questionable host names, and some Brazilian marketers, etc..


Which is why you should insist you get an 'rwhois' listing from your 
hosting providers, so it clearly shows that you are the operator.


..makes it easier to get your IP delisted, even when you have 
'questionable' neighbours, no matter which reputation service.


You say you can't find any way to delist? I see it appears they have a 
functioning contact form.


And the URL that Joe posted ..

And a reminder with MAAWG coming up, good time to post some of their 
great resources..


https://www.m3aawg.org/sites/default/files/m3aawg-blocklist-help-bp-2018-02.pdf

On 2022-01-29 5:24 p.m., joemailop--- via mailop wrote:

A server I manage is also listed on All and Poor lists.

I did a search around that IP space, including stuff that never sends emails, 
like VPN concentrators, routers, and unused IP and they're listed too inside 
the same /24.

I wouldn't be surprised if they block /24s.

Removal URL that I found is https://www.mipspace.com/removal.php

Joe

On 1/29/2022 at 4:45 PM, "John Gateley via mailop"  wrote:


I just checked my server (very small) and it has the same result
as yours.
Both of them are on the MIPSpace-All and MIPSpace-Poor list.
I can't find any way to delist.

These are not pure spam, they are focused on (possibly solicited)
commercial email.

Since my server is just my wife and I, and we send no bulk mail at all,
it is a puzzle why I am on their list.

John

On 1/29/22 3:41 PM, Scott Mutter via mailop wrote:

Anybody from MagicMail or MIPSpace able to give any insight as to
why 205.251.153.98 is listed?

550-Your message was rejected by this user and was not delivered.
550-Reason: This system uses BMS to check your IP address reputation,
and was rejected by the user. IP=[205.251.153.98].
550-Protection provided by: MagicMail version 5.0
550-For more information, please visit the URL:
550-http://www.linuxmagic.com/power_of_ip_reputation.html
550-or contact your ISP or mail server operator.
550 4572d27e-814b-11ec-be05-005056a29aa8

Would love to have more information about this listing. This is
not a client facing mail server. It's used for our company's mail
systems only. So I can pretty much vouch that it's not sending out any
spam.







--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


[mailop] Anyone from Vade

2022-01-30 Thread Ken Robinson via mailop
My IP address has somehow gotten on the Vade Blocklist. It is not on any
other blocklist as far as I can tell.

How do I get it off the Vade list?

My IP address is 172.110.191.18

Thanks,
Ken Robinson


[mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-30 Thread Edgaras | SENDER via mailop
Hello,

We noticed in Google Postmaster Tools a lot of bad reputation IPs which do
not belong to us, and are actually forbidden from sending emails on our
behalf via SPF -all, yet Gmail thinks the messages from these IPs were
fully authenticated.

After investigating some reports, it looks like a DKIM replay attack, where
Gmail does not validate the original DKIM signature (which includes
Message-ID:Reply-To:To: fields), and even ignores SPF permerror, if the
message contains ARC headers.

Full headers below, any insights or suggestions would be appreciated:


Delivered-To: incident-repor...@gmail.com
Received: by 2002:ab0:340c:0:0:0:0:0 with SMTP id z12csp1291860uap;
Fri, 28 Jan 2022 15:34:21 -0800 (PST)
X-Google-Smtp-Source:
ABdhPJxGsLcEEUpdbgGs3QgR03Rr9huo0nZHyOFLB9HDsbANUeb9dkNH/PpuXMfWArmb2WtJtVZk
X-Received: by 2002:a17:902:cec8:: with SMTP id
d8mr10494650plg.98.1643412861553;
Fri, 28 Jan 2022 15:34:21 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1643412861; cv=pass;
d=google.com; s=arc-20160816;
b=VU0Qf7i3UDk9cIk0HEQEv2hW46LmdHN1Z9UysluJsh4o1O1v5t12RrICEe8YlzFcZZ
 UziO53/5IMPjyEVGqLIEyLq0v0Dz5B4gtR94biUHiyIVYEEbn+20dr6ONrGE/IKsYBWD
 2pBDc/D+Ppe4rBBhwQOckw9xK9f/l+RS1sbRU1AY2sW2hqJZzjSZUe0scWUGvbwB4RZl
 IS+F5z/T/ZLZ9s1v4JXmOoEnKu5b9oZ3XhJgc5EVYuAWJRFOrqIA7bRS8ISDJ+J/eYtJ
 fI9gWI5UkkM6qIgY/wFngV0FifP2Yauo/ts7su9FzFmxgHJdCLioQiFy4E6EEv8qN78c
 YrAA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=date:date:content-transfer-encoding:mime-version:to:reply-to:from
 :subject:subject:message-id:dkim-signature:dkim-signature
 :delivered-to;
bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
b=FdwHNKthXMrmoT3OevMII/o6PzRZR8UA6zIwTYBTTF2EA63hRW6yJVj7mQLBEyAQ6x
 WzjOhIf9zLeqzNYraveRpGQRcXUE/PqTaKDbzhTcqPfP9g82ea9dLhHgviwerKh1IhAp
 3dri2wT2epRaIYnzEX2gMzmt8YiYjj3sHgvDDjg4Up4W1pYPmP4zx7N0UYxihu0B7eP6
 4igCLE8hfq1VPzWistU6uTe+HkSIupCpz8X1pQ41DcjLuwjfIsy18HXLH8yXqwyg37u5
 +HX04rA5UlBMEOQnZhHneFGM7JrDU4Z7Yg6o/+uFkL7RfPE265N9CUS0YevgBX5D4IEY
 VwuA==
ARC-Authentication-Results: i=2; mx.google.com;
   dkim=temperror (no key for signature) header.i=@
knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
   dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
   arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=
sendersrv.com);
   spf=permerror (google.com: permanent error in processing during
lookup of 921108683ccq405...@universidadebrasil.edu.br:
host.universidadebrasil.email not found) smtp.mailfrom=
921108683ccq405...@universidadebrasil.edu.br
Return-Path: <921108683ccq405...@universidadebrasil.edu.br>
Received: from lingojam.com ([212.83.129.110])
by mx.google.com with ESMTP id j9si7146126plx.86.2022.01.28.15.34.21
for ;
Fri, 28 Jan 2022 15:34:21 -0800 (PST)
Received-SPF: permerror (google.com: permanent error in processing during
lookup of 921108683ccq405...@universidadebrasil.edu.br:
host.universidadebrasil.email not found) client-ip=212.83.129.110;
Authentication-Results: mx.google.com;
   dkim=temperror (no key for signature) header.i=@
knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
   dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
   arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=
sendersrv.com);
   spf=permerror (google.com: permanent error in processing during
lookup of 921108683ccq405...@universidadebrasil.edu.br:
host.universidadebrasil.email not found) smtp.mailfrom=
921108683ccq405...@universidadebrasil.edu.br
Delivered-To: ysoul8...@gmail.com
Received: by 2002:a02:a14a:0:0:0:0:0 with SMTP id m10csp394823jah;
Fri, 28 Jan 2022 07:31:40 -0800 (PST)
X-Received: by 2002:a2e:2a04:: with SMTP id
q4mr6116831ljq.428.1643383900388;
Fri, 28 Jan 2022 07:31:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643383900; cv=none;
d=google.com; s=arc-20160816;
b=Lnn5XQ1j10ikEZENe8i0XPsyPhwpp7AAaEODfKuODEjNcgDxtfjOyVE4biwI1oWuel
 znv1YmtupI95DExnRKpyq20MVqQL9IhRrMxK/O5lrxz9u8tgwzFpq4fTh4urmZTy/dnW
 EWvT5WZWdK0+8k5+1WRtiCiLTj5cg6VIT+vrC+1ut/X2o9bMghmgqZETCQpMGSHvcWkB
 WN1iuiszzcHB+/v6LTtAwxJIi3UGrsmEj5IwfSOyIEljA+S2ZYKFGm/08s4ulS5nfRru
 gFLMH+hrsAi4YyJwSDhkNegHZYYUFmB24zA2CCwss+FJSlKSRtliiVnVP2TfWbUfxxA4
 QD9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=date:content-transfer-encoding:mime-version:to:reply-to:from
 :subject:message-id:dkim-signature:dkim-signature;
bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
b=nkQkfmL3Wm2z/Jl6yBa1TjePKO2rjBSUPrLlpKwWItDIjX5qEAHJIY2fjQ0rDPe20F
 OJuiHppDcLLSImVdVVW542bNQWr8bwBhI+dJJ9VFFJqvssH5Apu+f3KU1bq5hQg+GFhu
 /Xx1Pl+I63f5TTyzqOGxS74fv2ycytsumnRvrC3SSN2TN8FAoD9eCq64y2ufcvfogmr+
 /qQiNBxLyiCL+lJd0pau8YpyeA+MP5iVcAjIulXD9JqBfZvUiNm7Lj5l8CxNLXKcPcPR
 dHFlMGQ1G/qMulV/2ag1OiQcT9NriqHsxgZ1N9cF