On 15.05.25 10:39, Benoit Panizzon via mailop wrote:
> https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
>
> Quote:
>
> "DomainKeys Identified Mail (DKIM) is an email authentication method
> designed to detect forged sender addresses in email (email spoofing), a
> technique often used in phishing and email spam."
>
> A couple of days ago, I observed an email which looked like:
>
> envelope-sender: nore...@scamdomain.tld
>
> Valid SPF entry published for the sending IP in scamdomain.tld
>
> From: "Support" <supp...@victimdomain.tld>
> To: "Joe Victim" <j.vic...@victimdomain.tld>

I recommend using example.com, example.net, example.org and .example domains
instead of making up random domain names.

> Subject: Please log in to our fake login site!
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=scamdomain.tld;
> s=default;h=From:Subject:.... etc...
>
> default._domainkey.scamdomain.tld published a valid public key.
>
> SPF => Valid!
> DKIM => Valid!
>
> How is DKIM supposed to prevent spoofing of the From: header if the
> attacker is able to supply the DNS entry in which to look up the public
> key used to sign the From: header?

DMARC Policy?

DMARC requires a positive SPF or DKIM result from the domain in the From: header.

e.g. Google requires the same, regardless of the DMARC setting.

In your example, the mail has positive SPF and DKIM results from the scammer's domain, but neither from the victim's domain, thus DMARC would not pass and Google would reject the mail as unauthenticated.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
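The alignment check Matus describes, worked through on the thread's example. This is an added example, not code from the thread or from any DMARC implementation: it applies the identifier-alignment rule of RFC 7489 (an SPF or DKIM pass only counts toward DMARC if the authenticated domain aligns with the RFC5322.From domain) to the domains the post uses (scamdomain.tld, victimdomain.tld). The local parts of the addresses are invented, and the organizational-domain helper is a deliberate simplification (last two labels) of what a real evaluator does with the Public Suffix List.

```python
"""DMARC identifier alignment on the thread's spoofing example.

Added example, not code from the thread or from a DMARC library.
Domains are the ones the post uses; local parts are invented.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption/simplification: a real DMARC evaluator consults the
    Public Suffix List so that e.g. example.co.uk is one organization.
    This toy is wrong for multi-label public suffixes; it keeps the
    example offline.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """RFC 7489 section 3.1 identifier alignment.

    mode "s" (strict): the two domains must be identical.
    mode "r" (relaxed): their organizational domains must match.
    """
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """What the receiver's own SPF and DKIM checks produced for one message."""
    from_header: str            # raw RFC5322.From header value
    spf_result: str             # "pass", "fail", "none", ...
    spf_domain: Optional[str]   # domain SPF authenticated (MAIL FROM / HELO)
    dkim_result: str            # "pass", "fail", "none", ...
    dkim_domain: Optional[str]  # d= tag of the signature that verified


def dmarc_verdict(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC pass/fail with the reasons (RFC 7489 section 6.6.2).

    adkim / aspf are the alignment modes the From: domain's DMARC record
    would publish; the RFC default for both is relaxed.
    """
    _, addr = parseaddr(r.from_header)
    from_domain = addr.rpartition("@")[2]
    spf_ok = r.spf_result == "pass" and aligned(from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(from_domain, r.dkim_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_pass": r.spf_result == "pass",
        "spf_aligned": spf_ok,
        "dkim_pass": r.dkim_result == "pass",
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed from the thread's description: SPF and DKIM both pass, but
# for the attacker's domain, while From: names the victim's domain.
SCAM_MESSAGE = AuthResults(
    from_header='"Support" <helpdesk@victimdomain.tld>',
    spf_result="pass",
    spf_domain="scamdomain.tld",
    dkim_result="pass",
    dkim_domain="scamdomain.tld",
)

# Constructed counter-example: a legitimate sender signs with the From:
# domain and bounces through a subdomain of it.
LEGIT_MESSAGE = AuthResults(
    from_header='"Support" <helpdesk@victimdomain.tld>',
    spf_result="pass",
    spf_domain="bounce.victimdomain.tld",
    dkim_result="pass",
    dkim_domain="victimdomain.tld",
)

if __name__ == "__main__":
    for name, msg in (("scam", SCAM_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, dmarc_verdict(msg))
```

Running it shows the point of the thread: for the scam message both `spf_pass` and `dkim_pass` are true, but neither is aligned with victimdomain.tld, so the DMARC result is "fail". The legitimate message passes on DKIM in either alignment mode; its SPF identifier aligns only under relaxed mode, which is why a domain publishing `aspf=s` must send bounces from the exact From: domain.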