I mean, you did originally send the spam message from one of your IPs. This is certainly an amplification attack from that fact, sure. I'm not sure that it's any different from previous replay attacks in that sense.
If you take the "normal" way this would work, which is that a spam message would go through a mailing list (presumably one that didn't break the dkim signature), then you would want most of the blame for the spam to go to the original sender, and not the mailing list. And presumably the reputation decline is due to us catching most of those messages as spam. Superficially, it looks like our system correctly handled this from a spam labeling perspective, and the collateral damage was mostly contained.

I think it's a fairly complicated question about how to handle reputation in these instances; the reputation of your domain has been dinged due to its usage in spam. This more often happens in advertised domain reputations. In terms of correctly determining spam/not spam for our customers, the reputation is correct. The system does not rely on only a single reputation, however. In this case, there is also the SPF & IP reputations, which should be unaffected by the relay campaign. Theoretically, the system should be able to mostly compensate for messages coming from your system, which means the consequences would mostly accrue to forwarded messages. It's hard to guarantee that in an emergent system, of course.

I do think this is useful to understand for ARC in regards to such a system, that "SPF" or "IP" reputation should be different from ARC-SPF or ARC-IP reputation. In terms of applicability to DMARC, however, the message is no less "legitimately authenticated", but that was already true because of the DKIM passing. And, of course, ARC (or DMARC) doesn't indicate spamminess directly, merely the source. And the source was your service, originally.

Brandon

On Tue, Feb 1, 2022 at 2:15 AM Edgaras | SENDER <[email protected]> wrote:

> > You can also see that the bodyhash (bh=) in the AMS and DKIM headers is
> > all the same, so the body itself didn't change?
>
> No, the email body did not change.
>
> > Note that although ARC from gmail to gmail can be used to bypass a DKIM
> > failure, that's not what's happening here.
>
> Yes, here it looks like if Gmail sees ARC (Gmail to Gmail) headers, it
> trusts them completely:
>
> - it ignores SPF permerror:
>   spf=permerror (google.com: permanent error in processing during lookup of [email protected]: host.universidadebrasil.email not found) smtp.mailfrom=[email protected]
>   Return-Path: <[email protected]>
>   Received: from lingojam.com ([212.83.129.110])
> - ignores DNS/rDNS mismatch: rDNS for IP 212.83.129.110: nelson-montoya.painmitigate.com, no A record.
> - somehow thinks that the initial sending domain (sendersrv.com) should be blamed, even though none of the intermediate IP addresses fall into the original domain's SPF, which contains -all
> - and delivers spam to the inbox, no less.
>
> > A replay attack is the most likely explanation, yes.
>
> It's a replay attack, but more sophisticated and dangerous due to the use of the Gmail-Gmail ARC headers technique.
>
> We have since rotated our DKIM keys, added oversigning of From:To:Subject headers 2 times, but I'm not sure that will be enough.
> Could you or someone at Google take a closer look at this? We would be happy to provide any data you need.
>
> Best,
> Edgar Vaitkevičius, founder / CEO
> [email protected]
>
> On Tue, Feb 1, 2022 at 2:52 AM Brandon Long <[email protected]> wrote:
>
>> On Sun, Jan 30, 2022 at 4:21 AM Edgaras | SENDER via mailop <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> We noticed in Google Postmaster Tools a lot of bad reputation IPs which do not belong to us, and are actually forbidden from sending emails on our behalf via SPF -all, yet Gmail thinks the messages from these IPs were fully authenticated.
>>>
>>> After investigating some reports, it looks like a DKIM replay attack, where Gmail does not validate the original DKIM signature (which includes Message-ID:Reply-To:To: fields), and even ignores SPF permerror, if the message contains ARC headers.
>>>
>>> Full headers below, any insights or suggestions would be appreciated:
>>>
>>> Delivered-To: [email protected]
>>> Received: by 2002:ab0:340c:0:0:0:0:0 with SMTP id z12csp1291860uap;
>>>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
>>> X-Google-Smtp-Source: ABdhPJxGsLcEEUpdbgGs3QgR03Rr9huo0nZHyOFLB9HDsbANUeb9dkNH/PpuXMfWArmb2WtJtVZk
>>> X-Received: by 2002:a17:902:cec8:: with SMTP id d8mr10494650plg.98.1643412861553;
>>>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
>>> ARC-Seal: i=2; a=rsa-sha256; t=1643412861; cv=pass;
>>>         d=google.com; s=arc-20160816;
>>>         b=VU0Qf7i3UDk9cIk0HEQEv2hW46LmdHN1Z9UysluJsh4o1O1v5t12RrICEe8YlzFcZZ
>>>          UziO53/5IMPjyEVGqLIEyLq0v0Dz5B4gtR94biUHiyIVYEEbn+20dr6ONrGE/IKsYBWD
>>>          2pBDc/D+Ppe4rBBhwQOckw9xK9f/l+RS1sbRU1AY2sW2hqJZzjSZUe0scWUGvbwB4RZl
>>>          IS+F5z/T/ZLZ9s1v4JXmOoEnKu5b9oZ3XhJgc5EVYuAWJRFOrqIA7bRS8ISDJ+J/eYtJ
>>>          fI9gWI5UkkM6qIgY/wFngV0FifP2Yauo/ts7su9FzFmxgHJdCLioQiFy4E6EEv8qN78c
>>>          YrAA==
>>> ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
>>>         h=date:date:content-transfer-encoding:mime-version:to:reply-to:from
>>>          :subject:subject:message-id:dkim-signature:dkim-signature
>>>          :delivered-to;
>>>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>>>         b=FdwHNKthXMrmoT3OevMII/o6PzRZR8UA6zIwTYBTTF2EA63hRW6yJVj7mQLBEyAQ6x
>>>          WzjOhIf9zLeqzNYraveRpGQRcXUE/PqTaKDbzhTcqPfP9g82ea9dLhHgviwerKh1IhAp
>>>          3dri2wT2epRaIYnzEX2gMzmt8YiYjj3sHgvDDjg4Up4W1pYPmP4zx7N0UYxihu0B7eP6
>>>          4igCLE8hfq1VPzWistU6uTe+HkSIupCpz8X1pQ41DcjLuwjfIsy18HXLH8yXqwyg37u5
>>>          +HX04rA5UlBMEOQnZhHneFGM7JrDU4Z7Yg6o/+uFkL7RfPE265N9CUS0YevgBX5D4IEY
>>>          VwuA==
>>> ARC-Authentication-Results: i=2; mx.google.com;
>>>        dkim=temperror (no key for signature) header.i=@knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>>>        dkim=pass [email protected] header.s=smtp header.b=Ra7fdByf;
>>>        arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=sendersrv.com);
>>>        spf=permerror (google.com: permanent error in processing during lookup of [email protected]: host.universidadebrasil.email not found) smtp.mailfrom=[email protected]
>>> Return-Path: <[email protected]>
>>> Received: from lingojam.com ([212.83.129.110])
>>>         by mx.google.com with ESMTP id j9si7146126plx.86.2022.01.28.15.34.21
>>>         for <[email protected]>;
>>>         Fri, 28 Jan 2022 15:34:21 -0800 (PST)
>>> Received-SPF: permerror (google.com: permanent error in processing during lookup of [email protected]: host.universidadebrasil.email not found) client-ip=212.83.129.110;
>>> Authentication-Results: mx.google.com;
>>>        dkim=temperror (no key for signature) header.i=@knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>>>        dkim=pass [email protected] header.s=smtp header.b=Ra7fdByf;
>>>        arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=sendersrv.com);
>>>        spf=permerror (google.com: permanent error in processing during lookup of [email protected]: host.universidadebrasil.email not found) smtp.mailfrom=[email protected]
>>
>> I'm confused, this says the DKIM did pass.
>>
>> You can also see that the bodyhash (bh=) in the AMS and DKIM headers is
>> all the same, so the body itself didn't change?
>>
>> Note that although ARC from gmail to gmail can be used to bypass a DKIM
>> failure, that's not what's happening here.
>>
>> A replay attack is the most likely explanation, yes.
>>
>> Brandon
>>
>>> Delivered-To: [email protected]
>>> Received: by 2002:a02:a14a:0:0:0:0:0 with SMTP id m10csp394823jah;
>>>         Fri, 28 Jan 2022 07:31:40 -0800 (PST)
>>> X-Received: by 2002:a2e:2a04:: with SMTP id q4mr6116831ljq.428.1643383900388;
>>>         Fri, 28 Jan 2022 07:31:40 -0800 (PST)
>>> ARC-Seal: i=1; a=rsa-sha256; t=1643383900; cv=none;
>>>         d=google.com; s=arc-20160816;
>>>         b=Lnn5XQ1j10ikEZENe8i0XPsyPhwpp7AAaEODfKuODEjNcgDxtfjOyVE4biwI1oWuel
>>>          znv1YmtupI95DExnRKpyq20MVqQL9IhRrMxK/O5lrxz9u8tgwzFpq4fTh4urmZTy/dnW
>>>          EWvT5WZWdK0+8k5+1WRtiCiLTj5cg6VIT+vrC+1ut/X2o9bMghmgqZETCQpMGSHvcWkB
>>>          WN1iuiszzcHB+/v6LTtAwxJIi3UGrsmEj5IwfSOyIEljA+S2ZYKFGm/08s4ulS5nfRru
>>>          gFLMH+hrsAi4YyJwSDhkNegHZYYUFmB24zA2CCwss+FJSlKSRtliiVnVP2TfWbUfxxA4
>>>          QD9w==
>>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
>>>         h=date:content-transfer-encoding:mime-version:to:reply-to:from
>>>          :subject:message-id:dkim-signature:dkim-signature;
>>>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>>>         b=nkQkfmL3Wm2z/Jl6yBa1TjePKO2rjBSUPrLlpKwWItDIjX5qEAHJIY2fjQ0rDPe20F
>>>          OJuiHppDcLLSImVdVVW542bNQWr8bwBhI+dJJ9VFFJqvssH5Apu+f3KU1bq5hQg+GFhu
>>>          /Xx1Pl+I63f5TTyzqOGxS74fv2ycytsumnRvrC3SSN2TN8FAoD9eCq64y2ufcvfogmr+
>>>          /qQiNBxLyiCL+lJd0pau8YpyeA+MP5iVcAjIulXD9JqBfZvUiNm7Lj5l8CxNLXKcPcPR
>>>          dHFlMGQ1G/qMulV/2ag1OiQcT9NriqHsxgZ1N9cFnMAFdTz1470CRhx7rcRFsiI2auon
>>>          IG/Q==
>>> ARC-Authentication-Results: i=1; mx.google.com;
>>>        dkim=temperror (no key for signature) header.i=@knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>>>        dkim=pass [email protected] header.s=smtp header.b=Ra7fdByf;
>>>        spf=pass (google.com: domain of [email protected] designates 185.3.229.126 as permitted sender) smtp.mailfrom=[email protected]
>>> Return-Path: <[email protected]>
>>> Received: from mail2.sendersrv.com (mail2.sendersrv.com. [185.3.229.126])
>>>         by mx.google.com with ESMTPS id x14si4818800lfu.581.2022.01.28.07.31.39
>>>         for <[email protected]>
>>>         (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
>>>         Fri, 28 Jan 2022 07:31:39 -0800 (PST)
>>> Received-SPF: pass (google.com: domain of [email protected] designates 185.3.229.126 as permitted sender) client-ip=185.3.229.126;
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=sender; d=knowledgemodish.org.uk;
>>>         h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;
>>>         [email protected];
>>>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>>>         b=heNp+Lc9pjUvcl7261qiyZUMEyujFujFFM4JWbthE4qeaCwXcCD3ePFEU5I66Iy/eG/bks4nPCE1
>>>          tu2ijH5HuwYwBGC89rkxHXqBzSxb3taREXKm7DeIN7J/2/L2LQo6kd5opfdRABl3qQxeH6GXFmCt
>>>          fQ8Q/8pQw8Z7oKFyJTQ=
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=smtp; d=sendersrv.com;
>>>         h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;
>>>         bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
>>>         b=Ra7fdByfHfiOJTQl1izbL8wR7bEBsR/q3tetReHIm798TzvIW4Qgvd4Ovbfrh/qcqzzy95yUocOc
>>>          Y5zuge0sep0S6zsQjA/5COgoEjtx2W7RAlo59L7nlxtvyNd5zwZQ1QOX1YnnDZ5WaEnNyZboXHth
>>>          OXukNXbiai1NhnJv3s4=
>>> Return-Path: <[email protected]>
>>> Message-ID: <[email protected]>
>>> Subject: 𝟸ɴᴅ ᴀᴛᴛᴇᴍᴘᴛ: ʏᴏᴜ ᴀʀᴇ ᴀ ᴡɪɴɴᴇʀ $𝟷𝟶𝟶 ᴄᴏsᴛᴄᴏ ғᴏʀ ʏᴏᴜ #16351
>>> Subject: [Test Email] Costco !!
>>> From: Costco Stores <[email protected]>
>>> Reply-To: [email protected]
>>> To: [email protected]
>>> MIME-Version: 1.0
>>> Content-Type: text/html; charset=utf-8
>>> Content-Transfer-Encoding: quoted-printable
>>> Date: Fri, 28 Jan 2022 18:34:18 -0500 (EST)
>>> Date: Fri, 28 Jan 2022 17:31:39 +0200
>>>
>>> ---------- Forwarded message ---------
>>> From: Costco Stores <[email protected]>
>>> Date: Fri, Jan 28, 2022 at 6:34 PM
>>> Subject: 𝟸ɴᴅ ᴀᴛᴛᴇᴍᴘᴛ: ʏᴏᴜ ᴀʀᴇ ᴀ ᴡɪɴɴᴇʀ $𝟷𝟶𝟶 ᴄᴏsᴛᴄᴏ ғᴏʀ ʏᴏᴜ #16351
>>> To: <[email protected]>
>>>
>>> Edgar Vaitkevičius, founder / CEO
>>> [email protected]
>>>
>>> _______________________________________________
>>> mailop mailing list
>>> [email protected]
>>> https://list.mailop.org/listinfo/mailop
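Editor's note on the mitigation discussed in this thread. The quoted headers of the replayed copy carry two Subject: and two Date: fields, while both DKIM-Signature h= lists name Subject and Date once each. DKIM verifiers take signed header instances from the bottom of the header block, so the upper Subject: (the one a client displays) sits outside the signature and the signature still verifies. Listing a header in h= once more than it occurs ("oversigning", RFC 6376 section 8.15) is what closes that gap. The Python below is an added example written for this page, not code from any participant or from Gmail: it audits an h= list against the headers actually present and reports unsigned duplicates and the names that are still exposed to a prepended copy. The two header blocks, the example.net/example.com domains and the bh=/b= placeholders are constructed and do not reproduce the real values.

```python
"""Audit a DKIM-Signature h= list against the header fields actually present:
which header names carry copies the signature does not cover, and which
signed names would still accept one prepended copy unless oversigned."""
import re
from collections import Counter


def parse_header_block(raw):
    """Split a raw RFC 5322 header block into (name, value) pairs in wire
    order, unfolding continuation lines that begin with whitespace."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def parse_dkim_tags(value):
    """Parse a tag=value; list (DKIM-Signature syntax) into a dict, dropping
    the folding whitespace that a multi-line h= or b= value picks up."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, _, val = item.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def audit_signature(fields, sig_value):
    """Return {name: (copies_present, times_listed_in_h)} for each header name
    in the message or in h=. DKIM signs the last N instances of a name
    (bottom-up), N being its count in h=; copies above those are unsigned.
    The signature's own DKIM-Signature field is covered implicitly and is
    therefore left out of the audit."""
    h_list = parse_dkim_tags(sig_value).get("h", "")
    signed = Counter(h.lower() for h in h_list.split(":") if h)
    present = Counter(name.lower() for name, _ in fields)
    names = (set(signed) | set(present)) - {"dkim-signature"}
    return {n: (present.get(n, 0), signed.get(n, 0)) for n in sorted(names)}


def unsigned_copies(audit):
    """Names with more copies present than h= covers, and how many copies are
    outside the signature (non-empty on a replay with prepended headers)."""
    return {h: p - s for h, (p, s) in audit.items() if p > s}


def not_oversigned(audit):
    """Signed names listed exactly as often as they occur: one more copy could
    be prepended without breaking the signature."""
    return [h for h, (p, s) in audit.items() if s > 0 and p == s]


def signatures_for(fields, domain):
    """DKIM-Signature values whose d= tag matches `domain`."""
    return [v for n, v in fields if n.lower() == "dkim-signature"
            and parse_dkim_tags(v).get("d", "").lower() == domain]


def audit_message(raw, domain="example.net"):
    """Audit the first DKIM-Signature for `domain` found in a raw header block."""
    fields = parse_header_block(raw)
    audit = audit_signature(fields, signatures_for(fields, domain)[0])
    return {"unsigned": unsigned_copies(audit), "exposed": not_oversigned(audit)}


# Constructed sample modelled on the thread: a relayed copy with a second
# Subject: and Date: prepended above the signed originals. Placeholder domains,
# body hash and signature; nothing here is a real value from the thread.
REPLAYED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=smtp; d=example.net;
 h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
 Content-Transfer-Encoding:Date;
 bh=CONSTRUCTED_BODY_HASH=; b=CONSTRUCTED_SIGNATURE=
Message-ID: <constructed-id@example.net>
Subject: second subject line, added after signing
Subject: [Test Email] original subject
From: Example Sender <sender@example.net>
Reply-To: replies@example.net
To: recipient@example.com
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Date: Fri, 28 Jan 2022 18:34:18 -0500 (EST)
Date: Fri, 28 Jan 2022 17:31:39 +0200
"""

# Constructed sample of the same message as originally signed, with the
# fields a relay could prepend each listed one extra time in h=.
OVERSIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=smtp; d=example.net;
 h=Message-ID:Message-ID:Subject:Subject:From:From:Reply-To:Reply-To:To:To:
 MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Date;
 bh=CONSTRUCTED_BODY_HASH=; b=CONSTRUCTED_SIGNATURE=
Message-ID: <constructed-id@example.net>
Subject: [Test Email] original subject
From: Example Sender <sender@example.net>
Reply-To: replies@example.net
To: recipient@example.com
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Date: Fri, 28 Jan 2022 17:31:39 +0200
"""

if __name__ == "__main__":
    print("replayed copy:", audit_message(REPLAYED))
    print("oversigned   :", audit_message(OVERSIGNED))
```

On the replayed sample the audit reports one unsigned copy each of Subject and Date, and lists From, To, Reply-To and the rest as still accepting a prepended copy; on the oversigned sample nothing is unsigned and only the MIME and Content-* fields remain exposed. The audit is structural only: it does not verify b=, so it complements, rather than replaces, cryptographic DKIM verification.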
