> You can also see that the bodyhash (bh=) in the AMS and DKIM headers is
all the same, so the body itself didn't change?
No, the email body did not change.

> Note that although ARC from gmail to gmail can be used to bypass a DKIM
failure, that's not what's happening here.
Yes, here it looks like if Gmail sees ARC (Gmail to Gmail) headers, it
trusts them completely:
- it ignores SPF permerror:
spf=permerror (google.com: permanent error in processing during lookup of
[email protected]: host.universidadebrasil.email
not found) [email protected]
Return-Path: <[email protected]>
Received: from lingojam.com ([212.83.129.110])
- ignores DNS/rDNS mismatch: rDNS for IP 212.83.129.110:
nelson-montoya.painmitigate.com, no A record.
- somehow thinks that the initial sending domain (sendersrv.com) should be
blamed, even though none of the intermediate IP addresses fall into the
original domain's SPF, which contains -all
- and delivers spam to the inbox, no less.

> A replay attack is the most likely explanation, yes.
It's a replay attack, but more sophisticated and dangerous due to the use of
the Gmail-to-Gmail ARC headers technique.

We have since rotated our DKIM keys, added oversigning of From:To:Subject
headers 2 times, but I'm not sure that will be enough.
Could you or someone at Google take a closer look at this? We would be
happy to provide any data you need.


Best,
Edgar Vaitkevičius, founder / CEO
[email protected]

On Tue, Feb 1, 2022 at 2:52 AM Brandon Long <[email protected]> wrote:

>
>
> On Sun, Jan 30, 2022 at 4:21 AM Edgaras | SENDER via mailop <
> [email protected]> wrote:
>
>> Hello,
>>
>> We noticed in Google Postmaster Tools a lot of bad reputation IPs which
>> do not belong to us, and are actually forbidden from sending emails on our
>>  behalf via SPF -all, yet Gmail thinks the messages from these IPs were
>> fully authenticated.
>>
>> After investigating some reports, it looks like a DKIM replay attack,
>> where Gmail does not validate the original DKIM signature (which includes
>> Message-ID:Reply-To:To: fields), and even ignores SPF permerror, if the
>> message contains ARC headers.
>>
>> Full headers below, any insights or suggestions would be appreciated:
>>
>>
>> Delivered-To: [email protected]
>> Received: by 2002:ab0:340c:0:0:0:0:0 with SMTP id z12csp1291860uap;
>>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
>> X-Google-Smtp-Source:
>> ABdhPJxGsLcEEUpdbgGs3QgR03Rr9huo0nZHyOFLB9HDsbANUeb9dkNH/PpuXMfWArmb2WtJtVZk
>> X-Received: by 2002:a17:902:cec8:: with SMTP id
>> d8mr10494650plg.98.1643412861553;
>>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
>> ARC-Seal: i=2; a=rsa-sha256; t=1643412861; cv=pass;
>>         d=google.com; s=arc-20160816;
>>
>> b=VU0Qf7i3UDk9cIk0HEQEv2hW46LmdHN1Z9UysluJsh4o1O1v5t12RrICEe8YlzFcZZ
>>
>>  UziO53/5IMPjyEVGqLIEyLq0v0Dz5B4gtR94biUHiyIVYEEbn+20dr6ONrGE/IKsYBWD
>>
>>  2pBDc/D+Ppe4rBBhwQOckw9xK9f/l+RS1sbRU1AY2sW2hqJZzjSZUe0scWUGvbwB4RZl
>>
>>  IS+F5z/T/ZLZ9s1v4JXmOoEnKu5b9oZ3XhJgc5EVYuAWJRFOrqIA7bRS8ISDJ+J/eYtJ
>>
>>  fI9gWI5UkkM6qIgY/wFngV0FifP2Yauo/ts7su9FzFmxgHJdCLioQiFy4E6EEv8qN78c
>>          YrAA==
>> ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
>> s=arc-20160816;
>>
>> h=date:date:content-transfer-encoding:mime-version:to:reply-to:from
>>          :subject:subject:message-id:dkim-signature:dkim-signature
>>          :delivered-to;
>>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>>
>> b=FdwHNKthXMrmoT3OevMII/o6PzRZR8UA6zIwTYBTTF2EA63hRW6yJVj7mQLBEyAQ6x
>>
>>  WzjOhIf9zLeqzNYraveRpGQRcXUE/PqTaKDbzhTcqPfP9g82ea9dLhHgviwerKh1IhAp
>>
>>  3dri2wT2epRaIYnzEX2gMzmt8YiYjj3sHgvDDjg4Up4W1pYPmP4zx7N0UYxihu0B7eP6
>>
>>  4igCLE8hfq1VPzWistU6uTe+HkSIupCpz8X1pQ41DcjLuwjfIsy18HXLH8yXqwyg37u5
>>
>>  +HX04rA5UlBMEOQnZhHneFGM7JrDU4Z7Yg6o/+uFkL7RfPE265N9CUS0YevgBX5D4IEY
>>          VwuA==
>> ARC-Authentication-Results: i=2; mx.google.com;
>>        dkim=temperror (no key for signature) header.i=@
>> knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>>        dkim=pass [email protected] header.s=smtp header.b=Ra7fdByf;
>>        arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=
>> sendersrv.com);
>>        spf=permerror (google.com: permanent error in processing during
>> lookup of [email protected]:
>> host.universidadebrasil.email not found) smtp.mailfrom=
>> [email protected]
>> Return-Path: <[email protected]>
>> Received: from lingojam.com ([212.83.129.110])
>>         by mx.google.com with ESMTP id
>> j9si7146126plx.86.2022.01.28.15.34.21
>>         for <[email protected]>;
>>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
>> Received-SPF: permerror (google.com: permanent error in processing
>> during lookup of [email protected]:
>> host.universidadebrasil.email not found) client-ip=212.83.129.110;
>> Authentication-Results: mx.google.com;
>>        dkim=temperror (no key for signature) header.i=@
>> knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>>        dkim=pass [email protected] header.s=smtp header.b=Ra7fdByf;
>>        arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=
>> sendersrv.com);
>>        spf=permerror (google.com: permanent error in processing during
>> lookup of [email protected]:
>> host.universidadebrasil.email not found) smtp.mailfrom=
>> [email protected]
>>
>
> I'm confused, this says the DKIM did pass.
>
> You can also see that the bodyhash (bh=) in the AMS and DKIM headers is
> all the same, so the body itself didn't change?
>
> Note that although ARC from gmail to gmail can be used to bypass a DKIM
> failure, that's not what's happening here.
>
> A replay attack is the most likely explanation, yes.
>
> Brandon
>
>
>
>>
>> Delivered-To: [email protected]
>> Received: by 2002:a02:a14a:0:0:0:0:0 with SMTP id m10csp394823jah;
>>         Fri, 28 Jan 2022 07:31:40 -0800 (PST)
>> X-Received: by 2002:a2e:2a04:: with SMTP id
>> q4mr6116831ljq.428.1643383900388;
>>         Fri, 28 Jan 2022 07:31:40 -0800 (PST)
>> ARC-Seal: i=1; a=rsa-sha256; t=1643383900; cv=none;
>>         d=google.com; s=arc-20160816;
>>
>> b=Lnn5XQ1j10ikEZENe8i0XPsyPhwpp7AAaEODfKuODEjNcgDxtfjOyVE4biwI1oWuel
>>
>>  znv1YmtupI95DExnRKpyq20MVqQL9IhRrMxK/O5lrxz9u8tgwzFpq4fTh4urmZTy/dnW
>>
>>  EWvT5WZWdK0+8k5+1WRtiCiLTj5cg6VIT+vrC+1ut/X2o9bMghmgqZETCQpMGSHvcWkB
>>
>>  WN1iuiszzcHB+/v6LTtAwxJIi3UGrsmEj5IwfSOyIEljA+S2ZYKFGm/08s4ulS5nfRru
>>
>>  gFLMH+hrsAi4YyJwSDhkNegHZYYUFmB24zA2CCwss+FJSlKSRtliiVnVP2TfWbUfxxA4
>>          QD9w==
>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
>> s=arc-20160816;
>>         h=date:content-transfer-encoding:mime-version:to:reply-to:from
>>          :subject:message-id:dkim-signature:dkim-signature;
>>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>>
>> b=nkQkfmL3Wm2z/Jl6yBa1TjePKO2rjBSUPrLlpKwWItDIjX5qEAHJIY2fjQ0rDPe20F
>>
>>  OJuiHppDcLLSImVdVVW542bNQWr8bwBhI+dJJ9VFFJqvssH5Apu+f3KU1bq5hQg+GFhu
>>
>>  /Xx1Pl+I63f5TTyzqOGxS74fv2ycytsumnRvrC3SSN2TN8FAoD9eCq64y2ufcvfogmr+
>>
>>  /qQiNBxLyiCL+lJd0pau8YpyeA+MP5iVcAjIulXD9JqBfZvUiNm7Lj5l8CxNLXKcPcPR
>>
>>  dHFlMGQ1G/qMulV/2ag1OiQcT9NriqHsxgZ1N9cFnMAFdTz1470CRhx7rcRFsiI2auon
>>          IG/Q==
>> ARC-Authentication-Results: i=1; mx.google.com;
>>        dkim=temperror (no key for signature) header.i=@
>> knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>>        dkim=pass [email protected] header.s=smtp header.b=Ra7fdByf;
>>        spf=pass (google.com: domain of [email protected]
>> designates 185.3.229.126 as permitted sender) smtp.mailfrom=
>> [email protected]
>> Return-Path: <[email protected]>
>> Received: from mail2.sendersrv.com (mail2.sendersrv.com. [185.3.229.126])
>>         by mx.google.com with ESMTPS id
>> x14si4818800lfu.581.2022.01.28.07.31.39
>>         for <[email protected]>
>>         (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305
>> bits=256/256);
>>         Fri, 28 Jan 2022 07:31:39 -0800 (PST)
>> Received-SPF: pass (google.com: domain of
>> [email protected] designates 185.3.229.126 as permitted
>> sender) client-ip=185.3.229.126;
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=sender; d=
>> knowledgemodish.org.uk;
>> h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
>> Content-Transfer-Encoding:Date; [email protected];
>> bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>> b=heNp+Lc9pjUvcl7261qiyZUMEyujFujFFM4JWbthE4qeaCwXcCD3ePFEU5I66Iy/eG/bks4nPCE1
>>
>>  tu2ijH5HuwYwBGC89rkxHXqBzSxb3taREXKm7DeIN7J/2/L2LQo6kd5opfdRABl3qQxeH6GXFmCt
>>    fQ8Q/8pQw8Z7oKFyJTQ=
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=smtp; d=
>> sendersrv.com;
>> h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
>> Content-Transfer-Encoding:Date;
>> bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>> b=Ra7fdByfHfiOJTQl1izbL8wR7bEBsR/q3tetReHIm798TzvIW4Qgvd4Ovbfrh/qcqzzy95yUocOc
>>
>>  Y5zuge0sep0S6zsQjA/5COgoEjtx2W7RAlo59L7nlxtvyNd5zwZQ1QOX1YnnDZ5WaEnNyZboXHth
>>    OXukNXbiai1NhnJv3s4=
>> Return-Path: <[email protected]>
>> Message-ID: <[email protected]>
>> Subject: 𝟸ɴᴅ ᴀᴛᴛᴇᴍᴘᴛ: ʏᴏᴜ ᴀʀᴇ ᴀ ᴡɪɴɴᴇʀ $𝟷𝟶𝟶 ᴄᴏsᴛᴄᴏ ғᴏʀ ʏᴏᴜ #16351
>> Subject: [Test Email] Costco !!
>> From: Costco Stores <[email protected]>
>> Reply-To: [email protected]
>> To: [email protected]
>> MIME-Version: 1.0
>> Content-Type: text/html; charset=utf-8
>> Content-Transfer-Encoding: quoted-printable
>> Date: Fri, 28 Jan 2022 18:34:18 -0500 (EST)
>> Date: Fri, 28 Jan 2022 17:31:39 +0200
>>
>> ---------- Forwarded message ---------
>> From: Costco Stores <[email protected]>
>> Date: Fri, Jan 28, 2022 at 6:34 PM
>> Subject: 𝟸ɴᴅ ᴀᴛᴛᴇᴍᴘᴛ: ʏᴏᴜ ᴀʀᴇ ᴀ ᴡɪɴɴᴇʀ $𝟷𝟶𝟶 ᴄᴏsᴛᴄᴏ ғᴏʀ ʏᴏᴜ #16351
>> To: <[email protected]>
>>
>>
>>
>> Edgar Vaitkevičius, founder / CEO
>> [email protected]
>>
>>
>> _______________________________________________
>> mailop mailing list
>> [email protected]
>> https://list.mailop.org/listinfo/mailop
>>
>
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
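Added illustration, not code from the thread or from Google: a model of the RFC 6376 header-selection rule showing why the second Subject: line visible in the quoted headers survives a signature that covers Subject once, and why the oversigning Edgar mentions breaks that replay. Header values and addresses are constructed, and a SHA-256 over the canonicalised headers stands in for the RSA signature.

```python
import hashlib
import re

# RFC 6376 section 5.4.2: each name in h= binds the header instance closest to
# the bottom of the header block that has not been used yet; listing a name more
# times than it occurs binds an empty field, which is what oversigning relies on.
def select_signed_headers(headers, h_tags):
    remaining = list(headers)             # (name, value) pairs, top to bottom
    picked = []
    for name in h_tags:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                picked.append(remaining.pop(i))
                break
        else:
            picked.append((name, ""))     # oversigned slot: nothing left to bind
    return picked

def relaxed_canon(name, value):
    # RFC 6376 section 3.4.2 relaxed header canonicalization
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)   # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def signed_header_hash(headers, h_tags):
    # Stand-in for the signature: the hash over the covered header fields.
    # A replay that leaves this hash unchanged still verifies with the original b=.
    data = "".join(relaxed_canon(n, v) for n, v in select_signed_headers(headers, h_tags))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample modelled on the thread: the original message, and a replayed
# copy with a second Subject: prepended (the quoted headers show two Subject: lines).
ORIGINAL = [
    ("From", "Costco Stores <[email protected]>"),
    ("To", "[email protected]"),
    ("Subject", "[Test Email] Costco !!"),
]
REPLAYED = [("Subject", "2nd attempt: you are a winner")] + ORIGINAL

def replay_still_verifies(h_tags):
    # True when the replayed copy hashes identically to the signed original.
    return signed_header_hash(ORIGINAL, h_tags) == signed_header_hash(REPLAYED, h_tags)

SINGLE_SIGNED = ["From", "To", "Subject"]                          # one slot per header
OVERSIGNED = ["From", "From", "To", "To", "Subject", "Subject"]    # one extra empty slot each

if __name__ == "__main__":
    print("h=From:To:Subject, Subject added on replay:", replay_still_verifies(SINGLE_SIGNED))  # True
    print("oversigned h=, Subject added on replay:", replay_still_verifies(OVERSIGNED))        # False
```

The same bottom-up rule explains why a prepended Date: or To: also goes unnoticed unless those names are oversigned too.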
