How did this email pass DMARC?

Today we received a spoofed email: it was sent to us "from us". (Assume we own foo.com; the real domain has been redacted.) This is unsettling because it shows as "from foo.com", yet the sender is definitely not at "foo.com".

The mailbox "hello@foo.com" is a Google Group set up so that anyone can "post" (i.e. people on the internet can send messages to it as if it were a normal mailbox), but only members of "foo.com" can view those "posts" (i.e. the received emails).

We have DMARC (p=reject), DKIM and SPF configured.

Our DNS:

TXT foo.com "v=spf1 include:_spf.google.com include:helpscoutemail.com ~all"
TXT _dmarc.foo.com "v=DMARC1; p=reject; rua=mailto:dmarc@foo.com;ruf=mailto:dmarc@foo.com; pct=100; aspf=r; adkim=r;"
TXT google._domainkey.foo.com "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."

The message's headers:
Delivered-To: john@foo.com
Received: by 2002:ad4:552d:0:0:0:0:0 with SMTP id ba13csp6199730qvb;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-Received: by 2002:a05:6102:a46:: with SMTP id i6mr23802281vss.19.1639329284522;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=WReYbvjEI4p+IYx6Y3fT/N5jiaEEA60C4t/3utW/afsQbsrWaMMeWv51lxVOb/HvIx
         oLaSaK6Hskbjeo9rUnYYIlZEnT9ME4Gf/1tfyVXC+YTRBsBEWHCKr064RzBS9X8LUr2C
         Mo++Fm16blzUIgR8wZoq54WwY7ZK6POjEOXWqUqvKsJOk6GyrAgxza2DrKJsOYCFBu2G
         wzH+gfyx7HwCSNzcd+u18ByLyzXLs1vPW7/T5ztP5v+02QHLTG2snvrrW8TwWpGtDLt3
         zU8oGksIcHluHiQwYS056Prsa7/4rHng9D9QNIP6AjlamZejEAlAZjlbajLt4xM17Ozn
         Xt8A==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=qHESIMBiX+DsyurBJ3jkT1tBYiQGFfvjr57xoDFsgoF/KhZNtVfb1JjwT/klZN/Phu
         NoXTTYULEP9j64ynhf6ug1ACwgUqoFieD3fsMpBhO6PrnwjxxU/E8c8TH2eJNR5/SiQm
         9k9/PCH1Vr48EjXGwfBCDV18bkwCyZnYfBGHoskl3EM0WeTIoA3x8s8EGUc4+TSRXUhq
         +tA+2fbTJlofwk5z0Oga5fICZVcPeKPTWSltaXuuUOgpViq9JWbVkWx7+HonhJxzzMw0
         o7LcUhOXfQHutnKRs/Xpaa73AwDgT30QtEn0T1JBnl2Vl9RjH9+nhdWxHjQ0QLdEDPB3
         Xkdw==
ARC-Authentication-Results: i=3; mx.google.com;
       dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
Return-Path: <hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
        by mx.google.com with SMTPS id v33sor3392168uad.28.2021.12.12.09.14.44
        for <john@foo.com>
        (Google Transport Security);
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
Received-SPF: pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
ARC-Seal: i=2; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=A2s3aYE1vCQIscDH9RsEl6k0DGqxlZiSGi1iQgz57BP+AWIVt5X9b7nyraOJ8F6DPL
         tga5EsK1KrNHLURbQTBSO+pyg862afsmkhS/VFD3sBxSj6hhnc4oCpVJ3rPUWVxSE5IB
         z4NH0ujDotd4dBNBReOsLfetWC0BeyV6nvHfENuJM+PcpR2vO42O3zWARnvq0wtqZYPd
         eBbEJcfX5V6dGi7K9a5I4s+Hrz4V5VNQO8772L+lDQyRdthazJiKgKmB+jX+rztxflIM
         r9efmFXPwO8t3LVtqOzPFfQJqQiMJ9en62O4ZUwbdKxdLzx8Iw9BLVVm0SkDFpXIQTod
         lU2Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=fXMcTPuKuu1Ahb/4kHcUPsbwEnwqaLpheL7AOFtyzp7FKfdBOErXZFdf1zCbmSX7S1
         Gi3D/zlXgcSAmHFUj1eOeuZwaUp3IWo2pkQiN5aMJ9oLlWaEbC/JLsthY8uh0zUSIuX/
         +Wdwjdpy1ZglE49PhkqGrFEr8ND1O/m8ETTHF1M9LhzWwR1c42MM3N17hUFMHcF4x6oz
         nq8M+JQy0V+Foz5AKXPRJGedCgpwGGBcRgoMW+xn/UaSgH1TgHiK82cL6Xy3ScisHeLo
         Wadb7qdxrMKrpn2H5ZvH0rq2VEvTNrLfrxKqO79a4WoohanhBf9Y/5eUckK2pm4nrHNC
         DWhg==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=foo-com.20210112.gappssmtp.com; s=20210112;
        h=content-transfer-encoding:from:mime-version:date:subject:message-id
         :to:x-original-sender:x-original-authentication-results:reply-to
         :precedence:mailing-list:list-id:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=pcMriXR70y9+xfVEs+8AoajJ0xymE3UTgGyG2NmKWWjdf05SzeYGX8w1GX3rVZ1hG+
         QGcKfhU2Ra9bmXS2sAz2g8iDtWvnoTj+TDFnMs9OWFWSLRLr/wqDqSKnQGrCUr2Y/k/f
         Q9j7R5eV2nwkYa1XIRAAJaanwMw/y5uDSv04a7bf4itRHQWv3sBD0YaK7KW9X3/UhUOc
         5sKMmmK44qVb3NMkOQdureAtqPhUthfkVfQJElPAAUh1LtMy7lyS1g1KqGcUzm1D2WaY
         wI6UkGWu9smajIb7O2SPVCCOPPCurlGWKD9eC6xdz9Av1qZZlMIyn+eNJDSik9JnG7/w
         aFiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version:date
         :subject:message-id:to:x-original-sender
         :x-original-authentication-results:reply-to:precedence:mailing-list
         :list-id:x-spam-checked-in-group:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=AwA9C6EysiLXrTEGUbzx+5vqODTMTskz7zHz2xe1quctysAvVhk58jn1xx322hfhh1
         yqXDXN/aE2MZwMrS++nikbt7lAJZfoNdpV8rKMgc0lb98yXjnd4n3tidH68eVp0cTVE2
         IYeKviGklV95rwOCQXuooqAKzN9/UJwGtH3C/NYZQnZQrGcFuIe5L5f5taRW/lby9IBN
         5u+rTEBn1UaNjDAVX13MbSpN6hjMGNmr1GaFiFSmnBeMBIH0pOzT3+UIR16Sza5unglm
         vkGD5OxPZGdH+fujwjjqrwjvmZSA1k9AhEvujR8B4FpgxGCreExueBMJcmWatPeSpmBO
         fjEA==
X-Gm-Message-State: AOAM531eWx5fz9pqU8qZS4uNtUeKxraKEAR9y1v6gcqUG3XiMb0qBByI
        FhppMXUtlC8OQUQYY5dXRcAfUe4+
X-Google-Smtp-Source: ABdhPJxynnRydm4JBkMLYoGgqV5RwhkwWcH4Z4w/ljLx6E0GPOqp9cSaCwpFSv4oC456afPUA5CYQA==
X-Received: by 2002:ab0:c10:: with SMTP id a16mr37954454uak.51.1639329284212;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-BeenThere: hello@foo.com
Received: by 2002:a05:6102:2454:: with SMTP id g20ls4382592vss.4.gmail;
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
X-Received: by 2002:a05:6102:508c:: with SMTP id bl12mr23055020vsb.73.1639329283746;
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639329283; cv=none;
        d=google.com; s=arc-20160816;
        b=0ToKjpZRQyjPknycN2z3IfIE1Iv7fkhCJbCVUn129k6GVlQVRq7t1xSCqEXMUpWfbb
         vdYNomuAczbfJOR/0o4gBaiPYM4l2L8A8BgUcx2LW26PPeMg1OKO6xexmcO0Qu79Vp+4
         23N3Alz3gRrG44HSkGQ13CwkukROblWgUMZ72U4nO30y0w38NZk4y1aPTPhV+TuFDWsY
         RLSYc3eLKdExhzkmnEgtyDKI/kHLZ++mgu4aFbK6SB4b8uB6v4onz7ONR+/BTGVwcnIs
         pOC6Xv6GwfBXu839bAhi94H83xV7QD5NFWuh0gMm445CzVz09zeesh89Qxcm/U/fKKI0
         6jbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:message-id:subject:date:mime-version:from
         :content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=VMzdwjpJVsJyaKxFawsaBAj83gW8hSdi5iOxGMCrQaQ39h5lkhZAM/cc4rtc3RbAt3
         ZmpKTQ0Pdgb+MgpaIOT6X5szReSt7ZVMNsjsKOe2tkfhaC94azGx4H1MdopSdDnPqZoB
         wvlUU3H16eWofWXcgKNj236adKuN0x3rzeTAKCCjNjwNfOOg5H5Y//pTOtqHc+A3XQjP
         HsGhTohABGTAy68aVCBeHeh/2R5NRy+KuI7ipqkcwO6uPpnue4mMP7B6JtGjDOaiDJXs
         7wZ/G3p4fuJPCSeQWuPD6YzK+0dg3cw5GpNQHLib70Q6g41Ws70727llGEc0Ef89B+o/
         z8BQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Received: from st43p00im-zteg10073501.me.com (st43p00im-zteg10073501.me.com. [17.58.63.180])
        by mx.google.com with ESMTPS id x11si6141232vss.670.2021.12.12.09.14.43
        for <hello@foo.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
Received-SPF: pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) client-ip=17.58.63.180;
Received: from smtpclient.apple (49.sub-174-209-97.myvzw.com [174.209.97.49])
        by st43p00im-zteg10073501.me.com (Postfix) with ESMTPSA id 49D5FAE07BE
        for <hello@foo.com>; Sun, 12 Dec 2021 17:14:42 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "'The Spammer' via Hello" <hello@foo.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 12 Dec 2021 12:14:40 -0500
Subject: Helping what I already have!
Message-Id: <3CBA8D0D-9028-4F28-90B7-397243A8D5A8@icloud.com>
To: hello@foo.com
X-Mailer: iPhone Mail (19B74)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.11.62.513.0000000 definitions=2021-12-12_06:2021-12-08_01,2021-12-12_06,2021-12-02_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 clxscore=1011 spamscore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=485 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2112120106
X-Original-Sender: Thespammer@icloud.com
X-Original-Authentication-Results: mx.google.com;
       dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Original-From: The Spammer <thespammer@icloud.com>
Reply-To: The Spammer <thespammer@icloud.com>
Precedence: list
Mailing-list: list hello@foo.com; contact hello+owners@foo.com
List-ID: <hello.foo.com>
X-Spam-Checked-In-Group: hello@foo.com
X-Google-Group-Id: 138202709934
List-Post: <https://groups.google.com/a/foo.com/group/hello/post>, <mailto:hello@foo.com>
List-Help: <https://support.google.com/a/foo.com/bin/topic.py?topic=25838>, <mailto:hello+help@foo.com>
List-Archive: <https://groups.google.com/a/foo.com/group/hello/>
List-Unsubscribe: <mailto:googlegroups-manage+138202709934+unsubscribe@googlegroups.com>, <https://groups.google.com/a/foo.com/group/hello/subscribe>

Sent from my iPhone
Why was this email allowed through?

Is it that icloud.com (the sender's SMTP server) doesn't honour DMARC, so it accepted the email and then forwarded it to Gmail, and Gmail assumed icloud.com had done the initial DMARC check and so didn't bother? (Sorry, I'm very green at this.)
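An added example (not code from the question or from Google) that evaluates DMARC alignment the way a receiving MTA does, using the header values quoted above as constructed sample input. It shows why Google's own MX reported dmarc=pass: after the group rewrote From to hello@foo.com and re-sent the message with a foo.com bounce address from a Google IP covered by include:_spf.google.com, SPF is aligned with the From domain, so DMARC passes on SPF alone even though the fresh DKIM signature (d=foo-com.20210112.gappssmtp.com) does not align with foo.com under relaxed alignment. The org_domain() shortcut (last two DNS labels) is an assumption that stands in for a Public Suffix List lookup, and the X-Original-From check is the list-rewrite signal a receiving filter can key on.

```python
"""Evaluate DMARC alignment from Authentication-Results and From, and flag
mailing-list rewrites via X-Original-From.

Added example, not the question's or Google's code. org_domain() uses the
last two labels as an assumption in place of a Public Suffix List lookup.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers quoted in the question,
# each header folded onto one line so the stdlib parser reads it as-is.
SAMPLE_HEADERS = """\
Delivered-To: john@foo.com
Return-Path: <hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com>
Authentication-Results: mx.google.com; dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7; arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com); spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
From: "'The Spammer' via Hello" <hello@foo.com>
Reply-To: The Spammer <thespammer@icloud.com>
X-Original-From: The Spammer <thespammer@icloud.com>
Subject: Helping what I already have!

"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Approximate the DMARC organizational domain as the last two labels.
    Assumption: adequate for plain .com names; real code uses the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' exact match, 'r' same org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value: str) -> dict:
    """Split an Authentication-Results value into method -> (result, props).
    Clauses are ';'-separated after the authserv-id; CFWS comments in
    parentheses are dropped before property extraction."""
    results = {}
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        head = re.match(r"(\w+)=(\w+)", clause)
        if not head:
            continue
        method, result = head.groups()
        bare = re.sub(r"\([^)]*\)", "", clause)
        props = dict(re.findall(r"([\w.]+)=([^\s()]+)", bare))
        results[method] = (result, props)
    return results


def evaluate_dmarc(raw_headers: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Recompute the DMARC verdict from the receiver's own SPF/DKIM results
    and report which identifier carried it, plus any list rewrite."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_domain = domain_of(spf_props.get("smtp.mailfrom", ""))
    # Google reports the signing identity as header.i=@domain; header.d
    # would serve equally if present.
    dkim_domain = dkim_props.get("header.i", dkim_props.get("header.d", "")).lstrip("@").lower()

    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)

    original_from = parseaddr(msg.get("X-Original-From", ""))[1].lower()
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "original_from": original_from or None,
        # A list rewrite shows as an X-Original-From in a different domain
        # than the (now internal) From header.
        "list_rewrite": bool(original_from) and domain_of(original_from) != from_domain,
    }


if __name__ == "__main__":
    for key, val in evaluate_dmarc(SAMPLE_HEADERS).items():
        print(f"{key:14} {val}")
```

Run against the sample, the verdict is pass carried by SPF only: the From domain and the bounce-address domain are both foo.com, while the DKIM signing domain's organizational domain is gappssmtp.com. The list_rewrite flag is what a downstream rule would use to treat "via Hello" messages from outside domains differently from genuine internal mail.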
I won't claim to be an expert on this, but the IETF page for the X-Original-From header seems to imply that this is the expected behaviour when sending email to a Google Apps mailing list. Google Apps currently implements "aliases" as Google Groups (this has been the case for many years; before that there were separate aliases and groups). So a support@twitter.com address that redirects to internal users or to an external CRM tool (Salesforce) will receive group-rewritten messages. Because of the rewrite, those messages would not pass DKIM, so if they come from a DMARC p=REJECT/QUARANTINE domain such as yahoo.com, the From header is rewritten to the group name (support@twitter.com) and X-Original-From carries the original sender.
Have you checked the Google DMARC page to see whether its troubleshooting steps help you?

Given that the spammer sent from an iCloud address, could you update your policy to block based on that X-Original-From header? Edit: re-reading the question, I don't think it is spoofed; I think Google Apps rewriting the "From" address is intentional/default behaviour. Have you tested sending email to the mailbox from a non-domain email address (e.g. a throwaway Hotmail account or similar)? Do you get the same behaviour?