Is there some kind of forwarding address or something that would end up going through your Mailgun account? The reason I ask is this header right here:

Received: from reflectiv.net (os3-384-25366.vs.sakura.ne.jp [133.167.109.120]) by db739d28cce8 with SMTP id <undefined>; Wed, 11 Jan 2023 00:26:59 GMT

Not something I'd expect to see if it were submitted over an API or something, though I'm not familiar enough with Mailgun to say for sure. That said, this IP 133.167.109.120 is all over my logs today, spoofing my customers' addresses to send them emails. It's nothing I'm not used to seeing; pretty standard behavior on my side, at least for these bitcoin scammers. They're not usually very personalized beyond what they can quickly script; they're very low effort and very much a "spray and pray" technique.

On 2023-01-11 15:00, Cyril - ImprovMX via mailop wrote:
Hi everyone!

Today, I received a spam ("I got full access to your computer and
installed a trojan" kind of email). In general, I completely ignore
these, but today was different:

The sender and recipient were my own email! What's odd is that I did
configure SPF (granted, with a "~") but also a DMARC reject policy.

Looking at the email headers and also the output from GMail, both SPF
and DKIM were successful ("pass"), which means the sender, somehow,
was able to send an email using my account.

I would love your input on the issue, but here are my thoughts so far:

1. My account was compromised, and the password was leaked, allowing
that user to send an email with my account. This would make sense, but
the sending account was only used to be configured within GMail. As
soon as the password was generated, I pasted it on GMail and never
saved it elsewhere.
2. Theoretically, if I were to create an account on Mailgun, I would
be able to send an email from my account and have a valid SPF for any
other services that use Mailgun too (since their SPF would include
Mailgun's IPs), but it wouldn't explain the valid DKIM though. For
this, Mailgun should only allow my account to be able to send using my
domain.
3. Did Mailgun have any database leak that I wasn't aware of?

Of course, as soon as I saw this email, I generated a new password for
my account, but I still wonder how this could have happened. I would
appreciate it if you had any insights I've missed that would make sense.

Here are the headers from the email with my end email redacted:
https://pastebin.com/knqbTa8K

Thank you!
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
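The reply above reasons from the Received header (which hop handed the message in, and how) and the original post reasons about why SPF can pass for a message you did not send when your SPF record includes a shared sending service. The following is an added example, not code from the thread or from Mailgun: it parses the Received header quoted above, pulls out the connecting IP and the "with"/"id" clauses, and evaluates that IP against a constructed SPF record. The domain names victim.example and esp.example, the SPF strings and the IP ranges are all made up for the illustration; esp.example stands in for any shared provider whose include: a customer domain carries.

```python
"""Added example (not part of the mailop thread): parse a Received header and
evaluate the connecting IP against a constructed SPF record."""
import ipaddress
import re

# The Received header quoted in the reply above, copied verbatim.
RECEIVED = ("Received: from reflectiv.net (os3-384-25366.vs.sakura.ne.jp [133.167.109.120]) "
            "by db739d28cce8 with SMTP id <undefined>; Wed, 11 Jan 2023 00:26:59 GMT")

# "from HELO (rdns [ip]) by HOST with PROTO id ID; date" -- the usual shape.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<with>[^\s;]+))?"
    r"(?:\s+id\s+(?P<id>[^\s;]+))?"
    r"\s*;\s*(?P<date>.*)$")


def parse_received(header: str) -> dict:
    """Split one Received header into its clauses; the IP literal is validated."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        raise ValueError("unrecognised Received header")
    hop = m.groupdict()
    hop["ip"] = str(ipaddress.ip_address(hop["ip"]))
    return hop


# Constructed SPF data (hypothetical, not real DNS): the victim domain includes a
# shared ESP, so every IP the ESP publishes passes SPF for the victim domain.
SPF_RECORDS = {
    "victim.example": "v=spf1 include:esp.example ~all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, ip: str, records: dict, depth: int = 0) -> str:
    """Minimal SPF evaluator supporting ip4, ip6, include and all.

    Returns one of pass / fail / softfail / neutral / none / permerror. This is
    enough to show the include: behaviour; a real evaluator also handles a, mx,
    exists, redirect= and the DNS lookup limit.
    """
    if depth > 10:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            # include: matches only when the referenced domain yields "pass".
            if spf_check(arg, ip, records, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


def classify_hop(header: str, domain: str, records: dict) -> tuple:
    """Return (connecting IP, transport clause, SPF result for `domain`)."""
    hop = parse_received(header)
    return hop["ip"], hop["with"], spf_check(domain, hop["ip"], records)


if __name__ == "__main__":
    print(classify_hop(RECEIVED, "victim.example", SPF_RECORDS))
    print(spf_check("victim.example", "198.51.100.7", SPF_RECORDS))
```

With the constructed records, the 133.167.109.120 hop from the thread softfails for victim.example, while any address in the ESP's ip4 range passes for victim.example regardless of which ESP customer actually sent the mail. That is the gap the original post's second hypothesis describes: SPF alone cannot distinguish your own ESP traffic from another tenant's, which is why DMARC relies on an aligned DKIM signature as well and why a DKIM pass on the forged mail is the more telling detail.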