host reflectiv.net
reflectiv.net has address 75.2.60.5
reflectiv.net mail is handled by 10 mxb.mailgun.org.
reflectiv.net mail is handled by 10 mxa.mailgun.org.
Ummm....
Now, it is pretty obvious that this is sent via MailGun, which of course
needs to improve its outbound filters; seeing way too much phishing
coming from them lately.. (copying SendGrid?)
Received: from reflectiv.net (os3-384-25366.vs.sakura.ne.jp
[133.167.109.120]) by db739d28cce8 with SMTP id <undefined>; Wed, 11 Jan
2023 00:26:59 GMT
(Note: It doesn't say it was ESMTP or anything about authenticated user
in this case, any script can forge the EHLO)
Okay, the only valid thing is probably the source that logged in is
using a launching point in Japan..
Implement 2FA on your mailgun account..
However, this is why hackers like using those services.. if a domain has
mailgun/sendgrid in their SPF, it is like a get out of jail free card.
While not everyone can afford a dedicated IP on those services, it can
make it simpler to protect.
On 2023-01-11 13:00, Cyril - ImprovMX via mailop wrote:
Hi everyone!
Today, I received a spam ("I got full access to your computer and
installed a trojan" kind of email). In general, I completely ignore
these, but today was different:
The sender and recipient were my own email! What's odd is that I did
configure SPF (granted, with a "~") but also a DMARC reject policy.
Looking at the email headers and also the output from GMail, both SPF
and DKIM were successful ("pass"), which means the sender, somehow, was
able to send an email using my account.
I would love your input on the issue, but here are my thoughts so far:
1. My account was compromised, and the password was leaked, allowing
that user to send an email with my account. This would make sense, but
the sending account was only used to be configured within GMail. As soon
as the password was generated, I pasted it on GMail and never saved it
elsewhere.
2. Theoretically, if I were to create an account on Mailgun, I would be
able to send an email from my account and have a valid SPF for any other
services that use Mailgun too (since their SPF would include Mailgun's
IPs), but it wouldn't explain the valid DKIM though. For this, Mailgun
should only allow my account to be able to send using my domain.
3. Did Mailgun have any database leak that I wasn't aware of?
Of course, as soon as I saw this email, I generated a new password for
my account, but I still wonder how this could have happened. I would
appreciate it if you had any insights I've missed that would make sense.
Here are the headers from the email with my end email redacted:
https://pastebin.com/knqbTa8K
Thank you!
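The shared-provider SPF point made in both messages above (an "include:" of a mass-mailing provider makes every tenant of that provider pass SPF for your domain, while only an aligned DKIM signature under your own d= domain shows your account or key was actually used) can be demonstrated with a small evaluator. This is an added example, not code from either poster; the domain names, the stub DNS table and the IP ranges are constructed for illustration and stand in for real lookups.

```python
import ipaddress

# Constructed stub in place of real DNS TXT lookups; names and ranges are made up
# (RFC 5737 documentation space) and are not any provider's actual SPF records.
STUB_TXT = {
    "example.net": "v=spf1 include:sharedesp.example ~all",
    "sharedesp.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Minimal SPF evaluator: only ip4 (with CIDR), include: and all."""
    if depth > 10:                       # RFC 7208 lookup limit
        return "permerror"
    record = STUB_TXT.get(domain)
    if not record or not record.startswith("v=spf1 "):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qual]
        elif term.startswith("include:"):
            # include: matches whenever the provider's record passes for the
            # connecting IP, so any tenant sending from that range matches.
            if check_spf(term[8:], ip, depth + 1) == "pass":
                return QUAL[qual]
        elif term == "all":
            return QUAL[qual]
    return "neutral"

def org_domain(name):
    # Simplified organizational domain (last two labels); real DMARC uses the PSL.
    return ".".join(name.lower().split(".")[-2:])

def dmarc_alignment(from_domain, mailfrom_domain, ip, dkim_result, dkim_domain):
    """Report which identifier, if any, ties the message to the From: domain."""
    spf = check_spf(mailfrom_domain, ip)
    spf_aligned = spf == "pass" and org_domain(mailfrom_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

if __name__ == "__main__":
    # Another tenant relaying through a provider IP: SPF alone already passes.
    print(dmarc_alignment("example.net", "example.net", "203.0.113.10", "none", ""))
    # An aligned DKIM pass (d=example.net) is what shows the domain's own key signed it.
    print(dmarc_alignment("example.net", "example.net", "203.0.113.10", "pass", "example.net"))
```

Read the `spf_aligned` and `dkim_aligned` fields separately when triaging such a report: an SPF-only pass from a shared provider range is weak evidence of account compromise, while an aligned DKIM pass is the signal that the domain's own signing key was used.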
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.