Re: [mailop] Recipe vs fake From: header?

2020-02-18 Thread Paul Smith via mailop

On 18/02/2020 09:47, Andrew C Aitchison via mailop wrote:


I thought DKIM was supposed to flag such messages;
do these phishing emails satisfy DKIM?


DKIM checks that the message matches the DKIM signature, i.e. that it 
hasn't been modified since sending. That's it.


So, for instance, your message has this DKIM signature

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=aitchison.me.uk; s=mythic-beasts-k1; h=Subject:To:From:Date;
 bh=c8HNHZV6ldDX0jjiGqekUv0kzjSL24pv2r0BoCkgGgk=; b=bjif8/qAk7FQ1MftQ89Fdbp9ej
 SySu0EglcpImChNAvp0fwZBuiuMh4PKtVq4FG66kz7w7yag/eNk72Y7WmmTbecY0uE6gsEagdqBof
 eeY7je/ZWixIh8zXaW3UAOe3+ZoSWGczcH0UZ5o+F2SrSeZjkbKZ4AUie2DD/+wH3t6F9FV1JYEmD
 RreDzx37oyMn/UDoA9dVqXaA06iMigM2h2JVyOSCTx9Q0yl3z7zVS8diAR1ANOs3kxRR+ce3PfxBo
 dHwdGscn19aiWf1V55LGxCXHPCD9K6bH0KTfTr09uT2/7Kb2L2femWwy6nop0MzjicM74v3S9Oxve
 00OyLyYg==;

The recipient gets the DKIM public key at 
'mythic-beasts-k1._domainkey.aitchison.me.uk' (calculated from the 's' 
and 'd' values in the DKIM-Signature line) and checks the message's 
signature matches that.


If the DKIM signature had a different 'd=..' value, then the public key 
could be retrieved from anywhere - it doesn't have to relate to the FROM 
header's domain at all.


So, I could send a message with your email address in the From field, 
with the DKIM-Signature being


DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=pscs.co.uk; s=some-gibberish; h=.

and it would pass the DKIM check.

DMARC requires the DKIM 'd' domain value (or the SPF Mail-From domain) 
to relate to the FROM message header.


So, DMARC is what you need (along with DKIM and SPF, to give DMARC 
something to work with).





--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
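As an added worked example (not part of the thread, and not code from any of the posters), the following Python parses the DKIM-Signature quoted above, derives the DNS name of the public key from its s= and d= tags, and runs RFC 6376 relaxed canonicalization over a constructed sample message to show what the body hash (bh=) and the signed header hash actually cover. The sample headers and body and the names attacker.example and bank.example are made up for the example; the RSA check of b= is omitted, since the hashes alone are enough to see that the From: domain has no tie to d=, and that editing the From: header (as proposed in Benoit's original post) changes the signed header hash.

```python
import base64
import hashlib
import re

# The DKIM-Signature header quoted in the thread, folded exactly as shown on the page.
# Only its tags are used here; the message it signed is not on the page, so the hash
# computations below run over a constructed sample message instead.
PAGE_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n"
    " d=aitchison.me.uk; s=mythic-beasts-k1; h=Subject:To:From:Date;\r\n"
    " bh=c8HNHZV6ldDX0jjiGqekUv0kzjSL24pv2r0BoCkgGgk=; b=bjif8/qAk7FQ1MftQ89Fdbp9ej\r\n"
    " SySu0EglcpImChNAvp0fwZBuiuMh4PKtVq4FG66kz7w7yag/eNk72Y7WmmTbecY0uE6gsEagdqBof\r\n"
    " eeY7je/ZWixIh8zXaW3UAOe3+ZoSWGczcH0UZ5o+F2SrSeZjkbKZ4AUie2DD/+wH3t6F9FV1JYEmD\r\n"
    " RreDzx37oyMn/UDoA9dVqXaA06iMigM2h2JVyOSCTx9Q0yl3z7zVS8diAR1ANOs3kxRR+ce3PfxBo\r\n"
    " dHwdGscn19aiWf1V55LGxCXHPCD9K6bH0KTfTr09uT2/7Kb2L2femWwy6nop0MzjicM74v3S9Oxve\r\n"
    " 00OyLyYg==;"
)


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(tags: dict) -> str:
    """DNS name the verifier queries for the public key. Both parts are chosen by the
    signer, so nothing here relates to the From: header domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canon_body_relaxed(body: str) -> bytes:
    """RFC 6376 relaxed body canonicalization: WSP runs become one SP, trailing WSP
    and trailing empty lines are removed, and a non-empty body ends with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash_relaxed(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def canon_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 relaxed header canonicalization: lowercase name, unfold, squeeze WSP."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def signed_header_hash(headers: list, signature_value: str) -> str:
    """Hex SHA-256 over the header fields listed in h= plus the DKIM-Signature header
    itself with b= emptied. A real verifier checks the RSA signature in b= over this
    hash; the RSA step is omitted here."""
    tags = parse_tags(signature_value)
    remaining = list(headers)
    chunks = []
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):  # headers are taken bottom-up
            if remaining[i][0].lower() == wanted.lower():
                chunks.append(canon_header_relaxed(*remaining.pop(i)))
                break
    sig_no_b = re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", signature_value)
    chunks.append(canon_header_relaxed("DKIM-Signature", sig_no_b).rstrip("\r\n"))
    return hashlib.sha256("".join(chunks).encode()).hexdigest()


# Constructed sample message (not from the thread). The signing domain is deliberately
# unrelated to the From: domain, which is the situation described above.
SAMPLE_HEADERS = [
    ("From", "Customer Support <support@bank.example>"),
    ("To", "someone@isp.example"),
    ("Subject", "Please   verify your account"),
    ("Date", "Tue, 18 Feb 2020 09:03:00 +0100"),
]
SAMPLE_BODY = "Dear customer,\r\n\r\nPlease click   here.  \r\n\r\n\r\n"


def sample_signature() -> str:
    """Signature header an attacker could attach: their own d= and s=, b= left empty."""
    return ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=attacker.example; s=k1; "
            f"h=From:To:Subject:Date; bh={body_hash_relaxed(SAMPLE_BODY)}; b=")


def demo() -> dict:
    sig = sample_signature()
    # The filter-side idea of tagging the From: header, applied to the sample
    tagged = [(n, v + " (Possible fake sender)") if n == "From" else (n, v)
              for n, v in SAMPLE_HEADERS]
    return {
        "page_key_record": key_record_name(parse_tags(PAGE_SIGNATURE)),
        "sample_key_record": key_record_name(parse_tags(sig)),
        "whitespace_tolerated": body_hash_relaxed(SAMPLE_BODY)
            == body_hash_relaxed("Dear customer,\r\n\r\nPlease click here.\r\n"),
        "body_edit_detected": body_hash_relaxed(SAMPLE_BODY)
            != body_hash_relaxed(SAMPLE_BODY.replace("here", "there")),
        "from_tag_breaks_signature": signed_header_hash(SAMPLE_HEADERS, sig)
            != signed_header_hash(tagged, sig),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The three boolean results are the practical point: relaxed canonicalization survives whitespace changes in transit, any real body edit changes bh=, and appending text to a signed From: header changes the header hash and so invalidates b=, while the key lookup name comes entirely from the signer's own d= and s=.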


Re: [mailop] Recipe vs fake From: header?

2020-02-18 Thread Andrew C Aitchison via mailop


I thought DKIM was supposed to flag such messages;
do these phishing emails satisfy DKIM?

On Tue, 18 Feb 2020, Benoit Panizzon via mailop wrote:


Hi List

Lately, our customers are getting an increased amount of phishing
emails, or emails containing malware, with legit-looking From: headers
from either banks, or even from our own customer support.

SPF would block the From email addresses if they were also used as the
envelope sender. But the envelope sender, which is 'hidden' from the
customer's perspective, is different and does match SPF.

So we get complaints about why we let such emails with faked From: headers
through our content filter.

As we use MIMEDefang as our filter, we can easily match From and envelope
sender and do something with it, like increasing the spam score.

But:
* A lot of ESPs sending newsletters have different From and
envelope sender to manage bounces.
* Mailing lists use different From headers.
* SRS

So another thought was to append the string 'Possible fake sender' to
the From: header string.
But this would also match an awful lot of legitimate newsletters and
possibly break DKIM signatures.

Has anyone come up with a clever recipe for this issue?

Kind regards

-Benoît Panizzon-


Re: [mailop] Recipe vs fake From: header?

2020-02-18 Thread Paul Smith via mailop

On 18/02/2020 09:03, Benoit Panizzon via mailop wrote:

SPF would block the From email addresses if also used as envelope
sender. But the, from the customers perspective 'hidden' envelope
sender is different and does match SPF.


Has anyone come up with a clever recipe for this issue?


This is one thing that DMARC is intended to solve. DMARC checks that the 
header 'From' address matches either the DKIM signature domain or the 
SPF domain.








[mailop] Recipe vs fake From: header?

2020-02-18 Thread Benoit Panizzon via mailop
Hi List

Lately, our customers are getting an increased amount of phishing
emails, or emails containing malware, with legit-looking From: headers
from either banks, or even from our own customer support.

SPF would block the From email addresses if they were also used as the
envelope sender. But the envelope sender, which is 'hidden' from the
customer's perspective, is different and does match SPF.

So we get complaints about why we let such emails with faked From: headers
through our content filter.

As we use MIMEDefang as our filter, we can easily match From and envelope
sender and do something with it, like increasing the spam score.

But:
* A lot of ESPs sending newsletters have different From and
envelope sender to manage bounces.
* Mailing lists use different From headers.
* SRS

So another thought was to append the string 'Possible fake sender' to
the From: header string.
But this would also match an awful lot of legitimate newsletters and
possibly break DKIM signatures.

Has anyone come up with a clever recipe for this issue?

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G - Head of Commerce Customers
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch
__

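Added example (not code from the thread, and not MIMEDefang's own code): a DMARC identifier-alignment check in Python, run beside the naive "header From domain differs from envelope sender domain" test over constructed cases matching the three exceptions listed in the post above (ESP newsletter, mailing list, SRS forwarding), plus a spoof of the kind described and a subdomain sender to show relaxed versus strict alignment. The message records, addresses, domain names and the organizational-domain rule (last two labels, standing in for the Public Suffix List that RFC 7489 prescribes) are all assumptions made for the example.

```python
# Constructed message records (not from the thread). Each holds what a filter such as
# MIMEDefang can see once SPF and DKIM have been evaluated: the header From address,
# the envelope MAIL FROM, the SPF result for the envelope domain, and the d= domains
# of the DKIM signatures that verified. Addresses and domains are invented.
CASES = {
    "esp newsletter": dict(header_from="news@shop.example",
                           envelope_from="bounce-8f3a@mail.esp-provider.example",
                           spf_result="pass", dkim_pass_domains=["shop.example"]),
    "list, From rewritten": dict(header_from="mailop@mailop.org",  # 'Author via list' style
                                 envelope_from="mailop-bounces@mailop.org",
                                 spf_result="pass", dkim_pass_domains=["mailop.org"]),
    "list, From kept, author signature broken": dict(
                                 header_from="alice@corp.example",
                                 envelope_from="mailop-bounces@mailop.org",
                                 spf_result="pass", dkim_pass_domains=[]),
    "srs forward": dict(header_from="bob@bank.example",
                        envelope_from="SRS0=b7x1=AB=bank.example=bob@forwarder.example",
                        spf_result="pass", dkim_pass_domains=["bank.example"]),
    "phish": dict(header_from="support@bank.example",
                  envelope_from="x@attacker.example",  # attacker's own SPF and DKIM pass
                  spf_result="pass", dkim_pass_domains=["attacker.example"]),
    "subdomain sender": dict(header_from="alerts@notify.bank.example",
                             envelope_from="alerts@notify.bank.example",
                             spf_result="none", dkim_pass_domains=["bank.example"]),
}


def domain_of(addr: str) -> str:
    """Domain part of an address, lowercased; works for SRS-rewritten local parts too."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Organizational domain. RFC 7489 derives this from the Public Suffix List; using
    the last two labels is an assumption that holds for the invented names here."""
    return ".".join(domain.split(".")[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    matches on the organizational domain."""
    if mode == "s":
        return header_from_domain == auth_domain
    return org_domain(header_from_domain) == org_domain(auth_domain)


def naive_envelope_mismatch(msg: dict) -> bool:
    """The first idea from the post: flag when the From: domain differs from the
    envelope sender domain."""
    return domain_of(msg["header_from"]) != domain_of(msg["envelope_from"])


def dmarc_pass(msg: dict, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes when an SPF pass or a verified DKIM signature is aligned with the
    header From: domain; a verified signature from an unrelated d= counts for nothing."""
    hf = domain_of(msg["header_from"])
    spf_aligned = (msg["spf_result"] == "pass"
                   and aligned(hf, domain_of(msg["envelope_from"]), aspf))
    dkim_aligned = any(aligned(hf, d.lower(), adkim) for d in msg["dkim_pass_domains"])
    return spf_aligned or dkim_aligned


def evaluate(cases: dict = CASES, adkim: str = "r", aspf: str = "r") -> dict:
    """Run both checks over every case; adkim/aspf mirror the DMARC record tags."""
    return {name: {"envelope_mismatch": naive_envelope_mismatch(m),
                   "dmarc_pass": dmarc_pass(m, adkim, aspf)}
            for name, m in cases.items()}


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:45} mismatch={r['envelope_mismatch']!s:5} dmarc={r['dmarc_pass']}")
```

The envelope comparison flags the newsletter, the SRS forward and the phish alike, which is the false-positive problem raised in the post; DMARC alignment clears the first two (the author's DKIM signature survives bounce-address rewriting and SRS) and fails only the spoof. The caveat is the mailing-list case: a list that keeps the author's From: but breaks the author's signature also fails DMARC, which is why lists rewrite From: as "Author via list", and why a receiver should apply the sender's published p= policy rather than an ad hoc score to a DMARC failure.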