I'm following up on this old thread. I've realized that Mailgun's approach could be more secure when accepting an email (legit or not). I tried to reach out to the security team but never had a response, so I assume this is not being taken seriously by them.
If you send an email to an address hosted by Mailgun that is redirected, Mailgun will add a DKIM header of the managed domain. The problem is that if I send an email setting the "From" as the email managed by Mailgun, the email will then have a valid DKIM signature, so DMARC won't fail. This allows me to send an email from, say, "c...@company.com" to "emplo...@company.com" with the subject "You are fired."; the email will look legit and cause serious trouble inside the company. Starting from this, any social engineering attack can be implemented with an email that will validate SPF/DKIM/DMARC. Since then, I have moved my domain elsewhere.

On Thu, 12 Jan 2023 at 15:53, Nick Schafer via mailop <mailop@mailop.org> wrote:

> Hi all, I just wanted to chime in here. I can confirm that this was a message sent to an email address @reflectiv.net which is hosted on Mailgun. We provide a routing feature that allows you to match received messages and then forward the email to another email address or application. We do also provide an inbound spam filter and I see that it isn't enabled for this domain. With inbound spam filtering enabled it may help prevent messages like this one from being forwarded.
>
> Thanks,
>
> *Nick Schafer* | Sr. Manager of Deliverability & Compliance
> n...@mailgun.com
>
> ------------------------------
> *From:* mailop <mailop-boun...@mailop.org> on behalf of Michael Peddemors via mailop <mailop@mailop.org>
> *Sent:* Wednesday, January 11, 2023 7:37 PM
> *To:* mailop@mailop.org <mailop@mailop.org>
> *Subject:* Re: [mailop] Valid SPF/DKIM/DMARC *SPAM* coming from my domain ?!
>
> host reflectiv.net
> reflectiv.net has address 75.2.60.5
> reflectiv.net mail is handled by 10 mxb.mailgun.org.
> reflectiv.net mail is handled by 10 mxa.mailgun.org.
>
> Ummm....
>
> Now, it is pretty obvious that this is sent via MailGun, which of course needs to improve its outbound filters, seeing way too much phishing coming from them lately.. (copying SendGrid?)
>
> Received: from reflectiv.net (os3-384-25366.vs.sakura.ne.jp [133.167.109.120]) by db739d28cce8 with SMTP id <undefined>; Wed, 11 Jan 2023 00:26:59 GMT
>
> (Note: It doesn't say it was ESMTP or anything about an authenticated user in this case; any script can forge the EHLO)
>
> Okay, the only valid thing is probably that the source that logged in is using a launching point in Japan..
>
> Implement 2FA on your mailgun account..
>
> However, this is why hackers like using those services.. if a domain has mailgun/sendgrid in their SPF, it is like a get out of jail free card.
>
> While not everyone can afford a dedicated IP on those services, it can make it simpler to protect.
>
>
> On 2023-01-11 13:00, Cyril - ImprovMX via mailop wrote:
> > Hi everyone!
> >
> > Today, I received a spam ("I got full access to your computer and installed a trojan" kind of email). In general, I completely ignore these, but today was different:
> >
> > The sender and recipient were my own email! What's odd is that I did configure SPF (granted, with a "~") but also a DMARC reject policy.
> >
> > Looking at the email headers and also the output from GMail, both SPF and DKIM were successful ("pass"), which means the sender, somehow, was able to send an email using my account.
> >
> > I would love your input on the issue, but here are my thoughts so far:
> >
> > 1. My account was compromised, and the password was leaked, allowing that user to send an email with my account. This would make sense, but the sending account was only used to be configured within GMail.
> > As soon as the password was generated, I pasted it on GMail and never saved it elsewhere.
> > 2. Theoretically, if I were to create an account on Mailgun, I would be able to send an email from my account and have a valid SPF for any other services that use Mailgun too (since their SPF would include Mailgun's IPs), but it wouldn't explain the valid DKIM though. For this, Mailgun should only allow my account to be able to send using my domain.
> > 3. Did Mailgun have any database leak that I wasn't aware of?
> >
> > Of course, as soon as I saw this email, I generated a new password for my account, but I still wonder how this could have happened. I would appreciate it if you had any insights I've missed that would make sense.
> >
> > Here are the headers from the email with my end email redacted:
> > https://pastebin.com/knqbTa8K
> >
> > Thank you!
> >
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com/ @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca/
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
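The thread boils down to a DMARC alignment question: a forwarder that stamps the recipient domain's own DKIM signature onto a message it accepted from an arbitrary host turns a spoof that p=reject should have stopped into an aligned pass. The walk-through below is an added example, written for this page; it is not code from Mailgun, ImprovMX or anyone in the thread. Every domain, host, IP, selector and signature value in it is constructed (company.example stands in for the victim domain, forwarder.example for the inbound routing service). It assumes what the thread reports: the route re-signs with the customer's key and relays from an IP the customer's SPF record authorizes. Cryptographic DKIM verification is assumed to have been done by the receiving MTA and is passed in as a set of verified d= domains, and the organizational-domain lookup is approximated by the last two labels rather than the Public Suffix List. It goes beyond the single case in the thread by evaluating the same message three ways: signed with the customer's key, signed with the forwarder's own key, and as it was when it entered the forwarder. The `injection_point` helper does in code what Michael did by eye on the Received line: find the hop the message really came in on and whether the From-domain signature was added after it.

```python
import re

# Added example, not code from Mailgun or from anyone in the thread.
# Every domain, host, IP, selector and signature value below is constructed.
# A message as it might reach the mailbox after an inbound route re-signed
# it: the signature sits above the Received line showing the real entry hop.
FORWARDED_MSG = """\
Received: from mx.forwarder.example (mx.forwarder.example [203.0.113.10])
 by mail.mailbox.example with ESMTPS; Wed, 11 Jan 2023 00:27:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.example;
 s=k1; h=from:to:subject:date; bh=AAAA; b=BBBB
Received: from company.example (attacker-host.example [198.51.100.7])
 by mx.forwarder.example with SMTP; Wed, 11 Jan 2023 00:26:59 +0000
From: CEO <ceo@company.example>
To: employee@company.example
Subject: You are fired.

Body.
"""
# The same message as it entered the forwarder, before anything re-signed it.
AS_INJECTED_MSG = "\n".join(FORWARDED_MSG.splitlines()[4:]) + "\n"


def parse_headers(raw):
    """Unfold RFC 5322 header lines; return [(lowercase name, value)]."""
    head = raw.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)
    fields = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def header_domain(addr_field):
    m = re.search(r"@([A-Za-z0-9.-]+)", addr_field)
    return m.group(1).lower() if m else None


def dkim_signing_domains(fields):
    """d= tag of every DKIM-Signature header (RFC 6376 tag=value list)."""
    domains = []
    for name, value in fields:
        if name == "dkim-signature":
            tags = dict(t.strip().split("=", 1)
                        for t in value.split(";") if "=" in t)
            domains.append(tags.get("d", "").strip().lower())
    return domains


def org_domain(domain):
    # Approximates the RFC 7489 organizational domain as the last two
    # labels; a production evaluator uses the Public Suffix List instead.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' strict, 'r' relaxed (RFC 7489 3.1)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw, verified_dkim, spf_result, spf_domain,
                   policy="reject", adkim="r", aspf="r"):
    """Minimal RFC 7489 evaluation. verified_dkim: d= domains whose signatures
    verified (assumed done upstream); spf_domain: the RFC5321.MailFrom domain."""
    fields = parse_headers(raw)
    from_dom = header_domain(next(v for n, v in fields if n == "from"))
    dkim_ok = any(d in verified_dkim and aligned(d, from_dom, adkim)
                  for d in dkim_signing_domains(fields))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_dom, aspf)
    result = "pass" if (dkim_ok or spf_ok) else "fail"
    return {"from_domain": from_dom, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "result": result,
            "disposition": "none" if result == "pass" else policy}


def injection_point(raw):
    """Earliest hop (Received headers are prepended, so the last one is the
    entry point) and whether a DKIM-Signature was added after that hop."""
    fields = parse_headers(raw)
    received = [i for i, (n, _) in enumerate(fields) if n == "received"]
    sigs = [i for i, (n, _) in enumerate(fields) if n == "dkim-signature"]
    earliest = received[-1]
    ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", fields[earliest][1])
    return {"source_ip": ip.group(1) if ip else None,
            "plain_smtp": " with SMTP" in fields[earliest][1],
            "signed_after_injection": any(i < earliest for i in sigs)}


def forwarder_signs_with_customer_key():
    # The thread's case: re-signed with the customer's key, relayed from an
    # IP in the customer's SPF record. DMARC passes despite p=reject.
    return evaluate_dmarc(FORWARDED_MSG, {"company.example"}, "pass",
                          "company.example")


def forwarder_signs_with_own_key():
    # Same relay, but the forwarder signs as itself: nothing aligns with From.
    msg = FORWARDED_MSG.replace("d=company.example", "d=forwarder.example")
    return evaluate_dmarc(msg, {"forwarder.example"}, "pass",
                          "forwarder.example")


def as_injected():
    # What DMARC was built to stop: no key for the domain, IP not in SPF.
    return evaluate_dmarc(AS_INJECTED_MSG, set(), "fail", "company.example")
```

The only input that differs between the first two scenarios is which d= the forwarder signs with, so on the sending side the fix is for inbound-routed mail to be signed as the forwarder (or not re-signed at all), never with the customer's outbound key. On the receiving side, `injection_point` returning `signed_after_injection` together with a plain-SMTP, non-authorized source hop is the pattern worth alerting on: it is exactly what the headers Cyril posted show, an aligned signature from the domain's own inbound MX stamped on after an unauthenticated external hop. To use it on a real message, feed it the raw header block and the DKIM/SPF results your MTA already records in Authentication-Results.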