Hi Ángel, it's Edgar, -as is a suffix in the Lithuanian language :)

> I have been looking at your email, but I am confused at how it was
> produced, and so which are the weird bits.

You are right, it was produced like this:

- first an attacker sent a test email from our platform ([email protected] to [email protected])
- Then they "forwarded" it to [email protected] (we removed the actual reporter's address for privacy) from 212.83.129.110

> Some interesting bits:
> - Two Date: headers
> - Two different Subject: headers
> - Original Return-Path: <[email protected]> appears twice

It also has 2 ARC-* header sets. I think it may have been forwarded "twice" to exploit some kind of bug in Gmail's ARC validation mechanism.

> PS: yes universidadebrasil.edu.br has a bad SPF record:

It's even worse than that, in this case Gmail does not check that the rDNS for IP 212.83.129.110 does not match! rDNS for this IP is nelson-montoya.painmitigate.com, which does not have an A record.

So in a nutshell, someone exploiting this vulnerability can hijack anyone's email reputation and send emails without regard for SPF, DKIM or rDNS mismatch.

Is there someone from Google on this list who can help? We rotated our DKIM keys, but have already taken a big hit in domain reputation. The issue was reported to Google via their Postmaster support form, but I'm not sure if they have taken or will take any action.

---------- Forwarded message ----------
From: "Ángel" <[email protected]>
To: [email protected]
Cc:
Bcc:
Date: Mon, 31 Jan 2022 01:43:15 +0100
Subject: Re: [mailop] Gmail does not validate DKIM for forwarded messages?

On 2022-01-30 at 14:09 +0200, Edgaras | SENDER wrote:
> Hello,
>
> We noticed in Google Postmaster Tools a lot of bad reputation IPs
> which do not belong to us, and are actually forbidden from sending
> emails on our behalf via SPF -all, yet Gmail thinks the messages
> from these IPs were fully authenticated.
>
> After investigating some reports, it looks like a DKIM replay attack,
> where Gmail does not validate the original DKIM signature (which
> includes Message-ID:Reply-To:To: fields), and even ignores SPF
> permerror, if the message contains ARC headers.
>
> Full headers below, any insights or suggestions would be appreciated:

Hello Edgar(as)?

I have been looking at your email, but I am confused at how it was produced, and so which are the weird bits.

It purports to be a mail from [email protected] to [email protected], which then was "forwarded" (!) by 212.83.129.110 to [email protected] with a MAIL FROM:<[email protected]> and an EHLO of lingojam.com

It makes sense that DKIM could be skipped if there is ARC, but then ARC should be checked!

Some interesting bits:
- Two Date: headers
- Two different Subject: headers
- Original Return-Path: <[email protected]> appears twice
- A couple of headers have two consecutive dots where there should be one: "212.83.129..110", "mx.google..com",

> Received-SPF: permerror (google.com: permanent error in processing
> during lookup of [email protected]:
> host.universidadebrasil.email not found) client-ip=212.83.129..110;
> Authentication-Results: mx.google..com;

Note: the first Subject header wasn't encoding those utf-8 characters?

Best regards

PS: yes universidadebrasil.edu.br has a bad SPF record:
"v=spf1 include:spf.protection.outlook.com include:universidadebrasil.edu.br ip4:192.99.207.72 include:host.universidadebrasil.email ip4:45.33.9.144 include:mailgrid.com.br -all"
but no txt on host.universidadebrasil.email

Edgar Vaitkevičius, founder / CEO
[email protected]
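Added example, not code from the mailop thread or from either poster: a small Python triage script that runs the checks Ángel and Edgar enumerate above (duplicate Date:, Subject: and Return-Path: headers, doubled dots such as "212.83.129..110", an SPF permerror sitting next to an arc=pass, two ARC seals) over a raw header block, and flags the message rather than letting ARC override a failed SPF. The sample headers, addresses, domains, selectors and signature values are constructed placeholders that mirror the anomalies described, not the reporter's actual message. It also applies the RFC 6376 section 5.4.2 rule that a DKIM verifier matches the names in h= against header instances from the bottom up, which is why a Subject: prepended by a later hop is shown to the recipient but never covered by the original signature.

```python
"""Header triage for a forwarded message claiming ARC/DKIM authentication."""
import re
from email import message_from_string

# Constructed sample headers (placeholders, not a real message). Order is
# top-to-bottom as received: a forwarding hop prepends its own headers.
SAMPLE = """\
Return-Path: <[email protected]>
Received-SPF: permerror (google.com: permanent error in processing) client-ip=212.83.129..110;
Authentication-Results: mx.google..com; dkim=pass header.i=@example.com; spf=permerror; arc=pass
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=example.net; s=arc; b=AAAA
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=example.org; s=arc; b=BBBB
Date: Sun, 30 Jan 2022 13:00:00 +0000
Subject: Replayed subject shown to the recipient
Return-Path: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=From:To:Subject:Date:Message-ID; bh=CCCC; b=DDDD
Date: Sat, 29 Jan 2022 10:00:00 +0000
Subject: Original signed test subject
From: [email protected]
To: [email protected]
Message-ID: <[email protected]>

test body
"""

WATCHED = ("Date", "Subject", "Return-Path")


def duplicated_headers(msg, names=WATCHED):
    """Headers that appear more than once; a plain forward adds none of these."""
    counts = {n: len(msg.get_all(n) or []) for n in names}
    return {n: c for n, c in counts.items() if c > 1}


def doubled_dot_headers(msg):
    """Header names whose value contains '..', a sign of hand-edited headers."""
    return sorted({name for name, value in msg.items() if ".." in value})


def spf_result(msg):
    """SPF verdict the receiving MTA recorded in Authentication-Results."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else None


def dkim_signed_instances(msg):
    """Map each name in the DKIM h= list to the header instance it binds.

    RFC 6376 section 5.4.2: instances are consumed from the bottom of the
    header block upwards, so a copy prepended later is outside the signature;
    a name with no remaining instance is signed as the empty string.
    """
    m = re.search(r"\bh=([^;]+)", msg.get("DKIM-Signature", ""))
    names = [n.strip() for n in m.group(1).split(":")] if m else []
    used, bound = {}, {}
    for name in names:
        instances = msg.get_all(name) or []
        idx = used.get(name.lower(), 0)
        used[name.lower()] = idx + 1
        bound[name] = instances[-1 - idx] if idx < len(instances) else ""
    return bound


def triage(raw):
    """Collect the anomalies and decide whether ARC should be trusted here."""
    msg = message_from_string(raw)
    dups = duplicated_headers(msg)
    dots = doubled_dot_headers(msg)
    spf = spf_result(msg)
    arc_seals = len(msg.get_all("ARC-Seal") or [])
    signed = dkim_signed_instances(msg)
    displayed_subject = msg.get("Subject", "")  # first (top-most) instance
    # Defender's rule: an ARC chain must not rescue a message whose SPF did
    # not pass and whose headers show signs of manipulation.
    suspicious = spf != "pass" and arc_seals > 0 and bool(dups or dots)
    return {
        "duplicate_headers": dups,
        "doubled_dots": dots,
        "spf": spf,
        "arc_seals": arc_seals,
        "dkim_signed": signed,
        "displayed_subject": displayed_subject,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a saved header block instead of SAMPLE to see which Subject: the original DKIM signature actually covers; the difference between `displayed_subject` and `dkim_signed["Subject"]` is the replay tell.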
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
