Hi everyone!

Today, I received a spam email (the "I got full access to your computer and
installed a trojan" kind). In general, I completely ignore these, but today
was different:

The sender and recipient were my own email address! What's odd is that I
did configure SPF (granted, with a "~") and also a DMARC reject policy.

Looking at the email headers and also the output from Gmail, both SPF and
DKIM were successful ("pass"), which means the sender, somehow, was able to
send an email using my account.

I would love your input on the issue, but here are my thoughts so far:

1. My account was compromised and the password was leaked, allowing that
user to send an email with my account. This would make sense, but the
sending account was only ever used to be configured within Gmail. As soon
as the password was generated, I pasted it into Gmail and never saved it
elsewhere.
2. Theoretically, if I were to create an account on Mailgun, I would be
able to send an email from my account and have a valid SPF for any other
services that use Mailgun too (since their SPF would include Mailgun's
IPs), but that wouldn't explain the valid DKIM. For that, Mailgun should
only allow my account to send using my domain.
3. Did Mailgun have a database leak that I wasn't aware of?

Of course, as soon as I saw this email, I generated a new password for my
account, but I still wonder how this could have happened. I would
appreciate it if you had any insights I've missed that would make sense.

Here are the headers from the email with my end email redacted:
https://pastebin.com/knqbTa8K

Thank you!
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
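As an added example (not part of the original post or of any reply in the thread), the Python script below shows how a receiver turns the two "pass" results described above into a DMARC verdict: a pass only counts when the identifier it authenticated (the RFC5321.MailFrom domain for SPF, the d= domain for DKIM) aligns with the RFC5322.From domain, and one aligned pass is enough. The Authentication-Results headers and domains in it are constructed placeholders, not the redacted headers from the pastebin link. Two assumptions are built in: the organizational domain is taken to be the last two labels (RFC 7489 actually requires a Public Suffix List lookup), and case C assumes an ESP that lets a shared-pool customer set an arbitrary envelope sender, which is an illustration, not a statement about Mailgun.

```python
"""DMARC identifier alignment from an Authentication-Results header.

Added example, not code from the original post. Sample headers are
constructed; org_domain() is a simplification (assumption: last two
labels), not the Public Suffix List lookup RFC 7489 calls for.
"""
import re
from email.utils import parseaddr


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: no multi-label public suffix (wrong for e.g. co.uk)."""
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def is_aligned(identifier, from_domain, mode='r'):
    """RFC 7489 alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == 's':
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def parse_authres(value):
    """Parse an Authentication-Results value into (method, result, props).
    Parenthesised comments are removed first so a ';' inside one cannot
    split a stanza; the leading authserv-id stanza is skipped."""
    value = re.sub(r'\([^)]*\)', ' ', value)
    out = []
    for stanza in [s.strip() for s in value.split(';')][1:]:
        m = re.match(r'([\w-]+)=([\w-]+)\s*(.*)', stanza, re.S)
        if not m:
            continue
        props = dict(re.findall(r'([\w.]+)=(\S+)', m.group(3)))
        out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out


def dmarc_evaluate(authres, from_header, spf_mode='r', dkim_mode='r'):
    """Report which 'pass' results align with the From: domain and whether
    DMARC passes (any aligned SPF or DKIM pass is sufficient)."""
    from_domain = parseaddr(from_header)[1].rpartition('@')[2].lower()
    spf_domain, dkim_domains = None, []
    for method, result, props in parse_authres(authres):
        if result != 'pass':
            continue
        if method == 'spf':
            # rpartition also handles a bare domain with no '@'
            spf_domain = props.get('smtp.mailfrom', '').rpartition('@')[2].lower()
        elif method == 'dkim':
            # some receivers report header.d=, Gmail reports header.i=@domain
            d = props.get('header.d') or props.get('header.i', '').rpartition('@')[2]
            if d:
                dkim_domains.append(d.lower())
    spf_aligned = bool(spf_domain) and is_aligned(spf_domain, from_domain, spf_mode)
    dkim_aligned = any(is_aligned(d, from_domain, dkim_mode) for d in dkim_domains)
    return {
        'from_domain': from_domain,
        'spf_domain': spf_domain,
        'spf_aligned': spf_aligned,
        'dkim_domains': dkim_domains,
        'dkim_aligned': dkim_aligned,
        'dmarc_pass': spf_aligned or dkim_aligned,
    }


# Constructed sample data (placeholder domains, not the poster's headers).
FROM_HEADER = 'Victim <victim@example.com>'

# Case A: the situation described in the post. Both results pass and both
# identifiers are the From: domain itself, so DMARC passes and p=reject
# never fires.
AUTHRES_A = (
    'mx.example.net; '
    'dkim=pass header.i=@example.com header.s=mg header.b=AbCd12; '
    'spf=pass (example.net: domain of bounce@example.com designates '
    '203.0.113.10 as permitted sender) smtp.mailfrom=bounce@example.com'
)

# Case B: another customer of the same shared ESP pool. MailFrom and the
# DKIM d= belong to that customer, so nothing aligns and p=reject rejects.
AUTHRES_B = (
    'mx.example.net; '
    'dkim=pass header.d=other.example header.s=k1 header.b=ZzYy98; '
    'spf=pass smtp.mailfrom=bounce@other.example'
)

# Case C: same pool, but the sender could set an envelope sender under
# example.com (assumption about ESP behaviour, for illustration only).
# SPF alone aligns, so DMARC passes without any key for example.com.
AUTHRES_C = (
    'mx.example.net; '
    'dkim=pass header.d=esp.example header.s=k1 header.b=QqWw56; '
    'spf=pass smtp.mailfrom=bounce@example.com'
)

if __name__ == '__main__':
    for name, hdr in (('A', AUTHRES_A), ('B', AUTHRES_B), ('C', AUTHRES_C)):
        print(name, dmarc_evaluate(hdr, FROM_HEADER))
```

The practical takeaway for reading such headers is to look past "pass" to the identifier next to it: an aligned DKIM pass (case A) means something signed with a key published under the From: domain, typically the ESP's selector for that domain, whereas a DMARC pass carried by SPF alone (case C) only shows that the connecting IP is in the domain's SPF record.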
