spamassassin-users mailing list archives

From Kris Deugau <kdeu...@vianet.ca>
Subject Re: Forgery with SPF/DKIM/DMARC
Date Fri, 16 Nov 2018 15:39:47 GMT
RW wrote:
> On Fri, 16 Nov 2018 08:44:52 -0500
> Robert Fitzpatrick wrote:
> 
>> We're having an issue with spam coming from the same company even
>> though SPF and DKIM are set up with DMARC to reject. Take this
>> forwarded email for instance....

[ fake invoice email ]

SPF and DKIM rarely return "fail" on these because the envelope sender 
either doesn't publish either, or publishes them and they match.  SPF in 
particular would usually have nothing to do with the "obvious" From: 
address that most people would look at.

> This is a pretty confusing question because it has nothing to do with
> DMARC, SPF, or DKIM, and "same company" reads like "consistent
> spammer".
> 
> I think what you're getting at is the use of a local address in the
> author display name:
> 
>> From: User <User@company.com> <arte.final1@creativegroup.com.ec>
>> To: other.user@company.com
> 
> Did you actually mean that precise form, which looks invalid,

This certainly sounds like a series of fake invoice mails I've been 
getting a trickle of reports for, and if so, then yes, that is literally 
exactly what's in the original.

I dug through my reporting account's history and found one that came 
directly to my own account:

Delivered-To: kdeugau@vianet.ca
Return-Path: <cayala@corpmaqplast.com>
Received: from mail.vianet.ca [209.91.128.17]
	by pod.pem-lan with POP3 (fetchmail-6.3.26)
	for <kdeugau@localhost> (single-drop); Tue, 06 Nov 2018 09:05:12 -0500 (EST)
Received: from rla3.dizinc.com (rla3.dizinc.com [72.29.77.172]) by
  mx1.vianet.ca (Postfix) with ESMTPS id 83FE2E24D6 for <kdeugau@vianet.ca>;
  Tue,  6 Nov 2018 09:03:08 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
  d=corpmaqplast.com; s=default;
  h=Content-Type:MIME-Version:Subject:Message-ID
  :To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
  Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
  :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
  List-Subscribe:List-Post:List-Owner:List-Archive;
  bh=+EAmfCv8FqMxiASYoMWTcRGrgS++5JXOIOM7h8kgXyw=;
  b=n/4UOgM/LfvfnVl8gzWrv7uU/P
  6GL1HJgU4KMmU/hsZR6sG5y/ijG09RLmuMK1OAoYULC8P4BewtmtfsDElVGXHU9P3EG6poaMliWeM
  RRxcaV8/DMUiFOa2O8Y1Q9F4OXpI8t19pAchCaR+OFs34+Npjwad/wkX/+E82uWs57gs0VJMH76z9
  UVynTFc+hRbwEFGdYPi+Gnc+fpvtbO7RN0pqcNOjLQWdEr2RcO2yg1hCPUs6z8HJ7gNYT1Wx7DQEj
  y6adnz0tG+sLmqsYYC/67cJYdgHuEfUvUIlCCRVgV38BXGJiDoRSsz6txHAaCYa7bXHZ892FN9EbC
  CIVnco0Q==;
Received: from [187.217.80.180] (port=3340 helo=10.1.34.37) by
  rla3.dizinc.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim
  4.91) (envelope-from <cayala@corpmaqplast.com>) id 1gK1wg-00073v-8J for
  kdeugau@vianet.ca; Tue, 06 Nov 2018 08:03:07 -0600
Date: Tue, 06 Nov 2018 14:03:06 +0000
From: John D. Smith <johnsmith@richland.edu> <cayala@corpmaqplast.com>
To: kdeugau@vianet.ca
Message-ID: <35706717752563516902.8F4660866AA84645@vianet.ca>
Subject: John D. Smith Factures 0611-KDG47168618-939

In this instance SPF and DKIM passed, so whatever policies richland.edu 
might publish, they're irrelevant and not checked.

This particular subseries also has an attached Word document, which is 
now getting flagged by ClamAV, but IIRC there have been a few that were 
either "just" phishing, or linked to malware instead of attaching it to 
the message.

Looking at a couple of other examples, there are also some in the form:

From: =?UTF-8?B?[encoded stuff]= <crackedorspoofed@example.com>

where [encoded stuff] decodes to:

Some User <spoof.victim@example.org>

-kgd
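The two From: forms described in this thread (a second address embedded in the display name, and the same trick hidden behind an RFC 2047 encoded-word) are exactly the cases that SPF/DKIM/DMARC never look at, so they have to be caught by inspecting the display name itself. The following is an added example, not code from the list or from any poster: it decodes the header with Python's standard email.header module, treats the rightmost angle-bracketed address as the real address, and flags any address found in the display text whose domain differs, with an extra flag when that embedded domain is one of your own. The sample headers, the local_domains list, and the helper names (analyze_from, split_from, scan_samples) are constructed for this example.

```python
"""Flag From: headers whose display name embeds an address from another domain."""
import base64
import re
from email.header import decode_header, make_header

# Loose addr-spec matcher; adequate for header text (constructed for this example).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_from_header(raw):
    """Decode any RFC 2047 encoded-words in a From: value into plain text."""
    return str(make_header(decode_header(raw))).strip()


def split_from(decoded):
    """Split a decoded From: value into (display_text, address).

    The rightmost angle-bracketed address is taken as the address a mail
    client would act on; everything before it is display text, even when
    that text itself looks like "Name <addr>".
    """
    m = re.search(r"<([^<>]+)>\s*$", decoded)
    if m:
        return decoded[: m.start()].strip(), m.group(1).strip().lower()
    m = ADDR_RE.search(decoded)  # bare address with no angle brackets
    if m:
        return decoded[: m.start()].strip(), m.group(0).lower()
    return decoded, ""


def domain_of(addr):
    """Domain part of an address, lower-cased ("" if there is no @)."""
    return addr.rpartition("@")[2].lower()


def analyze_from(raw_from, local_domains=()):
    """Report whether the display name carries an address from another domain.

    "mismatch" is True when an address appears in the display text whose
    domain differs from the real address's domain; "spoofs_local_domain"
    is True when that embedded domain is one we are responsible for.
    """
    decoded = decode_from_header(raw_from)
    display, addr = split_from(decoded)
    embedded = [a.lower() for a in ADDR_RE.findall(display)]
    mismatched = [a for a in embedded if domain_of(a) != domain_of(addr)]
    local = {d.lower() for d in local_domains}
    return {
        "decoded": decoded,
        "display": display,
        "address": addr,
        "embedded": embedded,
        "mismatch": bool(mismatched),
        "spoofs_local_domain": any(domain_of(a) in local for a in mismatched),
    }


def _encoded_word(text):
    """Build a UTF-8 base64 RFC 2047 encoded-word (constructed test input)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="


# Constructed sample From: values modelled on the forms discussed in the thread.
SAMPLES = {
    "plain_name_in_display": "John D. Smith <johnsmith@richland.edu> <cayala@corpmaqplast.com>",
    "encoded_name_in_display": _encoded_word("Some User <spoof.victim@example.org>")
    + " <crackedorspoofed@example.com>",
    "legit": "Kris Deugau <kdeugau@vianet.ca>",
    "bare": "kdeugau@vianet.ca",
}


def scan_samples(local_domains=("richland.edu", "example.org")):
    """Run analyze_from over SAMPLES; returns {sample_name: result_dict}."""
    return {name: analyze_from(raw, local_domains) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        if r["spoofs_local_domain"]:
            flag = "SPOOF-LOCAL"
        elif r["mismatch"]:
            flag = "MISMATCH"
        else:
            flag = "ok"
        print(f"{flag:12} {name}: display={r['display']!r} address={r['address']!r}")
```

The same check is the kind of thing a SpamAssassin plugin or a milter would apply: a bare "mismatch" is a useful score contribution, while "spoofs_local_domain" (display name claims one of your own domains but the real address is elsewhere) is the case worth scoring heavily or quarantining, since the sending domain's SPF and DKIM will pass exactly as in the headers above.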
