Thank you everyone for your follow up. Your suggestion, Jarland, is very interesting. I also find it odd to have the sakura.ne.jp server appear out of nowhere! If it were to be a hack of my account, it would be Mailgun->Gmail, that's all. (well, I hope so)
... and, you put me on the right track! I found the reason, but I think I need to contact Mailgun first as it seems to be a very bad security issue... I'll keep you posted, but I know how they did it. I'll definitely keep you posted as soon as I have news from Mailgun.

On Wed, 11 Jan 2023 at 22:52, Mark Alley via mailop <[email protected]> wrote:

> Looking at it again, I agree with Todd and Jarland's hypothesis;
> Forwarding sounds more plausible than an API submission via compromised
> credentials in this case. I think that hit the nail on the head. This also
> correlates to one of Mailgun's product offerings
> <https://www.mailgun.com/blog/product/intelligent-email-forwarding-with-mailgun/>
> for forwarding which fits the bill.
>
> On 1/11/2023 3:29 PM, Todd Herr via mailop wrote:
>
>> This looks like a message that maybe might've been sent to a reflectiv.net
>> address (perhaps the one advertised on your website? contact at
>> reflectiv.net?) and then automatically forwarded by Mailgun (which hosts
>> inbound mail for reflectiv.net) to a Google account (since Mailgun
>> probably doesn't do mailbox hosting).
>>
>> That's just purely a guess, based on
>>
>> 1. X-Mailgun-Incoming: Yes
>>
>> appearing in the headers, and the MX record for reflectiv.net, and the
>> message coming to Google with the following Return-Path:
>>
>> 1. Return-Path: <bounce+3dbf11.71c471-{redacted}=[email protected]>
>>
>> Does that sound plausible?
>>
>> On Wed, Jan 11, 2023 at 4:07 PM Cyril - ImprovMX via mailop <[email protected]> wrote:
>>
>>> Hi everyone!
>>>
>>> Today, I received a spam ("I got full access to your computer and
>>> installed a trojan" kind of email). In general, I completely ignore these,
>>> but today was different:
>>>
>>> The sender and recipient were my own email! What's odd is that I did
>>> configure SPF (granted, with a "~") but also a DMARC reject policy.
>>>
>>> Looking at the email headers and also the output from GMail, both SPF and
>>> DKIM were successful ("pass"), which means the sender, somehow, was able to
>>> send an email using my account.
>>>
>>> I would love your input on the issue, but here are my thoughts so far:
>>>
>>> 1. My account was compromised, and the password was leaked, allowing that
>>> user to send an email with my account. This would make sense, but the
>>> sending account was only used to be configured within GMail. As soon as the
>>> password was generated, I pasted it on GMail and never saved it elsewhere.
>>> 2. Theoretically, if I were to create an account on Mailgun, I would be
>>> able to send an email from my account and have a valid SPF for any other
>>> services that use Mailgun too (since their SPF would include Mailgun's
>>> IPs), but it wouldn't explain the valid DKIM though. For this, Mailgun
>>> should only allow my account to be able to send using my domain.
>>> 3. Did Mailgun have any database leak that I wasn't aware of?
>>>
>>> Of course, as soon as I saw this email, I generated a new password for my
>>> account, but I still wonder how this could have happened. I would
>>> appreciate if you had any insights I've missed that would make sense.
>>>
>>> Here are the headers from the email with my end email redacted:
>>> https://pastebin.com/knqbTa8K
>>>
>>> Thank you!
>>> _______________________________________________
>>> mailop mailing list
>>> [email protected]
>>> https://list.mailop.org/listinfo/mailop
>>>
>>
>> --
>> Todd Herr | Technical Director, Standards and Ecosystem
>> e: [email protected]
>> m: 703.220.4153
>
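Added here as an illustration and not part of anyone's message on the thread: a small Python triage helper that extracts the signals Todd and Mark point at (X-Mailgun-Incoming, a bounce+ Return-Path, the SPF/DKIM results and whether DKIM aligns with the From domain) from a raw header block and says which of the explanations discussed above they favour. All domains and ids in the sample headers are constructed placeholders, not the real headers from the pastebin.

```python
# Added triage helper (not from the thread, not Mailgun's code): pull out the
# signals the thread uses to tell an inbound forward from a credentialed send.
import re
from email import message_from_string

def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    m = re.search(r'@([A-Za-z0-9.-]+)', addr or '')
    return m.group(1).lower() if m else ''

def triage(raw_headers):
    """Return the authentication and forwarding signals found in raw_headers."""
    msg = message_from_string(raw_headers)
    from_dom = _domain(msg.get('From', ''))
    return_path = (msg.get('Return-Path') or '').strip().strip('<>')
    auth = ' '.join(msg.get_all('Authentication-Results', []))
    spf = re.search(r'\bspf=(\w+)', auth)
    dkim = re.search(r'\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)', auth)
    dkim_dom = dkim.group(2).lower() if dkim else ''
    # Mailgun sets this on mail that entered through its inbound route (per the thread).
    inbound_flag = (msg.get('X-Mailgun-Incoming') or '').strip().lower() == 'yes'
    # A bounce+... (VERP) Return-Path is the envelope a forwarded message carries.
    verp = return_path.lower().startswith('bounce+')
    return {
        'spf': spf.group(1).lower() if spf else 'none',
        'dkim': dkim.group(1).lower() if dkim else 'none',
        'dkim_aligned': bool(dkim_dom) and dkim_dom == from_dom,  # DMARC-style alignment
        'return_path_aligned': _domain(return_path) == from_dom,
        'forwarded_inbound': inbound_flag or verp,
    }

def explain(raw_headers):
    """Which of the thread's explanations the signals point to, and what to check."""
    r = triage(raw_headers)
    if r['forwarded_inbound']:
        return 'inbound forward: review the inbound route and forwarding rule'
    if r['spf'] == 'pass' and r['dkim_aligned']:
        return 'authenticated submission: rotate credentials and review sending logs'
    return 'not aligned: plain spoof, the DMARC policy should have applied'

# Constructed sample headers (placeholders, not the real headers from the thread).
FORWARDED = """\
Return-Path: <bounce+abc123-victim=example.net@example.com>
X-Mailgun-Incoming: Yes
Authentication-Results: mx.example.net; dkim=pass header.i=@example.com header.d=example.com; spf=pass smtp.mailfrom=example.com
From: Victim <victim@example.com>
Subject: I got full access to your computer
"""
SUBMITTED = FORWARDED.replace('X-Mailgun-Incoming: Yes\n', '').replace(
    'bounce+abc123-victim=example.net@example.com', 'victim@example.com')
```

Run it against the real headers by reading the saved message into `triage()`; the SUBMITTED sample shows the same SPF/DKIM pass without any forwarding marker, which is the case where credentials really should be rotated.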
