On 25/10/2021 4:11 pm, Thomas Anderson wrote:
The IP it came from was outside my network.
I think it's just a spoofing email. I had not actually seen one, so
that raised my alarm, but I think it's ok. I need to go through and
make sure my SPF and DMARC are sound. I just checked my DKIM a couple
of days ago, so that's good.
Keep in mind that even with SPF, DKIM and DMARC in place there is still
the possibility of legitimate emails that your users have sent coming
back to you and being unable to authenticate them as such.
For example, a user is a member of a mailing list and receives a copy
of their post where the mailing list has altered the body or a header
which you've signed (the Postfix mailing list takes pains not to damage
DKIM signatures but does use the longstanding convention of adding a
"Sender" header with the list address. If you were to sign an existing
"Sender" header or sign the non-existence of the "Sender" header, then
the original DKIM signature would break even here. Other mailing lists
are much worse, breaking the body with a footer and/or tagging the
subject with the list name).
The converse is also true in some cases, that a message can appear as a
valid DKIM signed message from an authorized source while being
malicious. There are certain things to watch out for as covered in
https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
which lets an unauthorized 3rd party take a previous email from a
particular sender and convince many DKIM validators that it's legitimate
on that basis while also adding their own payload which gets displayed
to the recipient.
Thanks for the replies.
On 10/25/21 4:59 AM, post...@ptld.com wrote:
My concern is that the email APPEARED to come from me! I was listed
as the sender.
Any email server can send any email claiming to come from anyone.
DKIM signatures and SPF records working together with DMARC provide
a way to verify whether a sending email server is authorized to send an
email on behalf of the address used. If your server is not using,
checking and validating DMARC, then anyone can easily send you or send
someone else an email claiming to be from you. That doesn't mean they
compromised or got inside of your system or account. They just
slapped your name on the "outside of the envelope".
Was the connecting client server IP your server's IP? The IP of the
connecting client in the logs is who really sent the message, not the
arbitrary email address slapped in the Envelope-From, From header or
Sender header.