Ping uma porta específica

Question

Lawrence Wagerfield

Asked: 2021-12-13 11:30:56 +0800 CST2021-12-13 11:30:56 +0800 CST 2021-12-13 11:30:56 +0800 CST

Como este e-mail está passando pelo DMARC?

772

Hoje recebemos um e-mail falso: nos foi enviado "por nós". (Assuma que nós possuímos foo.com-- domínio real editado.)

Isso é perturbador, pois aparece como "de foo.com", mas o remetente definitivamente não é de "foo.com".

A caixa de correio "[email protected]" é um Grupo do Google, configurado para permitir que qualquer pessoa "publique postagens" (ou seja, para que as pessoas na Internet possam enviar mensagens, como uma caixa de correio normal), mas apenas membros de "foo.com" podem ver esses "posts" (ou seja, os e-mails recebidos).

Temos DMARC (p=rejeitar), DKIM e SPF configurados.

Nosso DNS:

TXT foo.com                   "v=spf1 include:_spf.google.com include:helpscoutemail.com ~all"

TXT _dmarc.foo.com            "v=DMARC1; p=reject; rua=mailto:[email protected];ruf=mailto:[email protected]; pct=100; aspf=r; adkim=r;"

TXT google._domainkey.foo.com "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."

Os cabeçalhos da mensagem:

Delivered-To: [email protected]
Received: by 2002:ad4:552d:0:0:0:0:0 with SMTP id ba13csp6199730qvb;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-Received: by 2002:a05:6102:a46:: with SMTP id i6mr23802281vss.19.1639329284522;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=WReYbvjEI4p+IYx6Y3fT/N5jiaEEA60C4t/3utW/afsQbsrWaMMeWv51lxVOb/HvIx
         oLaSaK6Hskbjeo9rUnYYIlZEnT9ME4Gf/1tfyVXC+YTRBsBEWHCKr064RzBS9X8LUr2C
         Mo++Fm16blzUIgR8wZoq54WwY7ZK6POjEOXWqUqvKsJOk6GyrAgxza2DrKJsOYCFBu2G
         wzH+gfyx7HwCSNzcd+u18ByLyzXLs1vPW7/T5ztP5v+02QHLTG2snvrrW8TwWpGtDLt3
         zU8oGksIcHluHiQwYS056Prsa7/4rHng9D9QNIP6AjlamZejEAlAZjlbajLt4xM17Ozn
         Xt8A==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=qHESIMBiX+DsyurBJ3jkT1tBYiQGFfvjr57xoDFsgoF/KhZNtVfb1JjwT/klZN/Phu
         NoXTTYULEP9j64ynhf6ug1ACwgUqoFieD3fsMpBhO6PrnwjxxU/E8c8TH2eJNR5/SiQm
         9k9/PCH1Vr48EjXGwfBCDV18bkwCyZnYfBGHoskl3EM0WeTIoA3x8s8EGUc4+TSRXUhq
         +tA+2fbTJlofwk5z0Oga5fICZVcPeKPTWSltaXuuUOgpViq9JWbVkWx7+HonhJxzzMw0
         o7LcUhOXfQHutnKRs/Xpaa73AwDgT30QtEn0T1JBnl2Vl9RjH9+nhdWxHjQ0QLdEDPB3
         Xkdw==
ARC-Authentication-Results: i=3; mx.google.com;
       dkim=pass [email protected] header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
Return-Path: <[email protected]>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
        by mx.google.com with SMTPS id v33sor3392168uad.28.2021.12.12.09.14.44
        for <[email protected]>
        (Google Transport Security);
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
ARC-Seal: i=2; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=A2s3aYE1vCQIscDH9RsEl6k0DGqxlZiSGi1iQgz57BP+AWIVt5X9b7nyraOJ8F6DPL
         tga5EsK1KrNHLURbQTBSO+pyg862afsmkhS/VFD3sBxSj6hhnc4oCpVJ3rPUWVxSE5IB
         z4NH0ujDotd4dBNBReOsLfetWC0BeyV6nvHfENuJM+PcpR2vO42O3zWARnvq0wtqZYPd
         eBbEJcfX5V6dGi7K9a5I4s+Hrz4V5VNQO8772L+lDQyRdthazJiKgKmB+jX+rztxflIM
         r9efmFXPwO8t3LVtqOzPFfQJqQiMJ9en62O4ZUwbdKxdLzx8Iw9BLVVm0SkDFpXIQTod
         lU2Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=fXMcTPuKuu1Ahb/4kHcUPsbwEnwqaLpheL7AOFtyzp7FKfdBOErXZFdf1zCbmSX7S1
         Gi3D/zlXgcSAmHFUj1eOeuZwaUp3IWo2pkQiN5aMJ9oLlWaEbC/JLsthY8uh0zUSIuX/
         +Wdwjdpy1ZglE49PhkqGrFEr8ND1O/m8ETTHF1M9LhzWwR1c42MM3N17hUFMHcF4x6oz
         nq8M+JQy0V+Foz5AKXPRJGedCgpwGGBcRgoMW+xn/UaSgH1TgHiK82cL6Xy3ScisHeLo
         Wadb7qdxrMKrpn2H5ZvH0rq2VEvTNrLfrxKqO79a4WoohanhBf9Y/5eUckK2pm4nrHNC
         DWhg==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=foo-com.20210112.gappssmtp.com; s=20210112;
        h=content-transfer-encoding:from:mime-version:date:subject:message-id
         :to:x-original-sender:x-original-authentication-results:reply-to
         :precedence:mailing-list:list-id:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=pcMriXR70y9+xfVEs+8AoajJ0xymE3UTgGyG2NmKWWjdf05SzeYGX8w1GX3rVZ1hG+
         QGcKfhU2Ra9bmXS2sAz2g8iDtWvnoTj+TDFnMs9OWFWSLRLr/wqDqSKnQGrCUr2Y/k/f
         Q9j7R5eV2nwkYa1XIRAAJaanwMw/y5uDSv04a7bf4itRHQWv3sBD0YaK7KW9X3/UhUOc
         5sKMmmK44qVb3NMkOQdureAtqPhUthfkVfQJElPAAUh1LtMy7lyS1g1KqGcUzm1D2WaY
         wI6UkGWu9smajIb7O2SPVCCOPPCurlGWKD9eC6xdz9Av1qZZlMIyn+eNJDSik9JnG7/w
         aFiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version:date
         :subject:message-id:to:x-original-sender
         :x-original-authentication-results:reply-to:precedence:mailing-list
         :list-id:x-spam-checked-in-group:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=AwA9C6EysiLXrTEGUbzx+5vqODTMTskz7zHz2xe1quctysAvVhk58jn1xx322hfhh1
         yqXDXN/aE2MZwMrS++nikbt7lAJZfoNdpV8rKMgc0lb98yXjnd4n3tidH68eVp0cTVE2
         IYeKviGklV95rwOCQXuooqAKzN9/UJwGtH3C/NYZQnZQrGcFuIe5L5f5taRW/lby9IBN
         5u+rTEBn1UaNjDAVX13MbSpN6hjMGNmr1GaFiFSmnBeMBIH0pOzT3+UIR16Sza5unglm
         vkGD5OxPZGdH+fujwjjqrwjvmZSA1k9AhEvujR8B4FpgxGCreExueBMJcmWatPeSpmBO
         fjEA==
X-Gm-Message-State: AOAM531eWx5fz9pqU8qZS4uNtUeKxraKEAR9y1v6gcqUG3XiMb0qBByI FhppMXUtlC8OQUQYY5dXRcAfUe4+
X-Google-Smtp-Source: ABdhPJxynnRydm4JBkMLYoGgqV5RwhkwWcH4Z4w/ljLx6E0GPOqp9cSaCwpFSv4oC456afPUA5CYQA==
X-Received: by 2002:ab0:c10:: with SMTP id a16mr37954454uak.51.1639329284212;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-BeenThere: [email protected]
Received: by 2002:a05:6102:2454:: with SMTP id g20ls4382592vss.4.gmail; Sun, 12 Dec 2021 09:14:43 -0800 (PST)
X-Received: by 2002:a05:6102:508c:: with SMTP id bl12mr23055020vsb.73.1639329283746;
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639329283; cv=none;
        d=google.com; s=arc-20160816;
        b=0ToKjpZRQyjPknycN2z3IfIE1Iv7fkhCJbCVUn129k6GVlQVRq7t1xSCqEXMUpWfbb
         vdYNomuAczbfJOR/0o4gBaiPYM4l2L8A8BgUcx2LW26PPeMg1OKO6xexmcO0Qu79Vp+4
         23N3Alz3gRrG44HSkGQ13CwkukROblWgUMZ72U4nO30y0w38NZk4y1aPTPhV+TuFDWsY
         RLSYc3eLKdExhzkmnEgtyDKI/kHLZ++mgu4aFbK6SB4b8uB6v4onz7ONR+/BTGVwcnIs
         pOC6Xv6GwfBXu839bAhi94H83xV7QD5NFWuh0gMm445CzVz09zeesh89Qxcm/U/fKKI0
         6jbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:message-id:subject:date:mime-version:from
         :content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=VMzdwjpJVsJyaKxFawsaBAj83gW8hSdi5iOxGMCrQaQ39h5lkhZAM/cc4rtc3RbAt3
         ZmpKTQ0Pdgb+MgpaIOT6X5szReSt7ZVMNsjsKOe2tkfhaC94azGx4H1MdopSdDnPqZoB
         wvlUU3H16eWofWXcgKNj236adKuN0x3rzeTAKCCjNjwNfOOg5H5Y//pTOtqHc+A3XQjP
         HsGhTohABGTAy68aVCBeHeh/2R5NRy+KuI7ipqkcwO6uPpnue4mMP7B6JtGjDOaiDJXs
         7wZ/G3p4fuJPCSeQWuPD6YzK+0dg3cw5GpNQHLib70Q6g41Ws70727llGEc0Ef89B+o/
         z8BQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Received: from st43p00im-zteg10073501.me.com (st43p00im-zteg10073501.me.com. [17.58.63.180])
        by mx.google.com with ESMTPS id x11si6141232vss.670.2021.12.12.09.14.43
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) client-ip=17.58.63.180;
Received: from smtpclient.apple (49.sub-174-209-97.myvzw.com [174.209.97.49]) by st43p00im-zteg10073501.me.com (Postfix) with ESMTPSA id 49D5FAE07BE for <[email protected]>; Sun, 12 Dec 2021 17:14:42 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "'The Spammer' via Hello" <[email protected]>
Mime-Version: 1.0 (1.0)
Date: Sun, 12 Dec 2021 12:14:40 -0500
Subject: Helping what I already have!
Message-Id: <[email protected]>
To: [email protected]
X-Mailer: iPhone Mail (19B74)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.11.62.513.0000000 definitions=2021-12-12_06:2021-12-08_01,2021-12-12_06,2021-12-02_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 clxscore=1011 spamscore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=485 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2112120106
X-Original-Sender: [email protected]
X-Original-Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Original-From: The Spammer <[email protected]>
Reply-To: The Spammer <[email protected]>
Precedence: list
Mailing-list: list [email protected]; contact [email protected]
List-ID: <hello.foo.com>
X-Spam-Checked-In-Group: [email protected]
X-Google-Group-Id: 138202709934
List-Post: <https://groups.google.com/a/foo.com/group/hello/post>, <mailto:[email protected]>
List-Help: <https://support.google.com/a/foo.com/bin/topic.py?topic=25838>, <mailto:[email protected]>
List-Archive: <https://groups.google.com/a/foo.com/group/hello/>
List-Unsubscribe: <mailto:[email protected]>, <https://groups.google.com/a/foo.com/group/hello/subscribe>



Sent from my iPhone

Por que este e-mail está sendo permitido?

É que o icloud.com (o servidor SMTP do remetente) não respeita o DMARC, então aceita o e-mail e encaminha para o gmail, e o gmail assume que o icloud.com fez as verificações iniciais do DMARC, então não se incomoda? (Desculpe, eu sou muito verde nesta área.).

1 respostas

Voted

shearn89 · Answer 1 · 2021-12-16T01:45:35+08:00

Não pretendo ser um especialista nisso, mas as páginas do IETF para o X-Original-Fromcabeçalho parecem sugerir que esse é o comportamento esperado ao enviar um e-mail para uma lista de e-mails do Google Apps.

Atualmente, o Google Apps implementa "aliases" como Grupos do Google (isso é verdade há vários anos, antes disso havia aliases e grupos separados). Por causa disso, um endereço [email protected] que redireciona para usuários internos ou uma ferramenta de CRM externa (salesforce) receberia uma mensagem reescrita do grupo. Essas mensagens não passarão pelo DKIM devido à regravação e, portanto, se forem de um domínio DMARC p=REJECT/QUARANTINE, como yahoo.com, o cabeçalho from será reescrito para ser o nome do grupo ([email protected]) e o x-original-from será o remetente original.

Você verificou as páginas do Google DMARC para ver se as etapas de solução de problemas ajudam você?

Dado que o spammer está enviando de um endereço do iCloud, você pode atualizar a política para bloquear com base nesse X-Original-Fromcabeçalho?

EDIT: relendo a pergunta, não acho que esteja sendo falsificada - acho que a reescrita do endereço 'de' do Google Apps é um comportamento pretendido/padrão. Você testou o envio de um e-mail para a caixa de correio de um endereço de e-mail que não seja do domínio (por exemplo, conta descartável do hotmail ou similar)? Você tem o mesmo comportamento?

Como este e-mail está passando pelo DMARC?

Você pode passar usuário/passar para autenticação básica HTTP em parâmetros de URL?