Email

這封電子郵件如何通過 DMARC?

  • December 15, 2021

今天我們收到了一封欺騙性的電子郵件:它是“從我們這裡”發送給我們的。(假設我們擁有foo.com- 真實域已編輯。)

在此處輸入圖像描述

這令人不安,因為它顯示為“來自 foo.com”,但發件人絕對不是來自“foo.com”。

郵箱“hello@foo.com”是一個 Google 群組,設置為允許任何人“發布文章”(即網際網路上的人可以像普通郵箱一樣向其發送消息),但只有“foo.com”的成員可以查看那些“文章”(即收到的電子郵件)。

我們配置了 DMARC (p=reject)、DKIM 和 SPF。

我們的 DNS:

TXT foo.com                   "v=spf1 include:_spf.google.com include:helpscoutemail.com ~all"

TXT _dmarc.foo.com            "v=DMARC1; p=reject; rua=mailto:dmarc@foo.com;ruf=mailto:dmarc@foo.com; pct=100; aspf=r; adkim=r;"

TXT google._domainkey.foo.com "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."

消息的標題:

Delivered-To: john@foo.com
Received: by 2002:ad4:552d:0:0:0:0:0 with SMTP id ba13csp6199730qvb;
       Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-Received: by 2002:a05:6102:a46:: with SMTP id i6mr23802281vss.19.1639329284522;
       Sun, 12 Dec 2021 09:14:44 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; t=1639329284; cv=pass;
       d=google.com; s=arc-20160816;
       b=WReYbvjEI4p+IYx6Y3fT/N5jiaEEA60C4t/3utW/afsQbsrWaMMeWv51lxVOb/HvIx
        oLaSaK6Hskbjeo9rUnYYIlZEnT9ME4Gf/1tfyVXC+YTRBsBEWHCKr064RzBS9X8LUr2C
        Mo++Fm16blzUIgR8wZoq54WwY7ZK6POjEOXWqUqvKsJOk6GyrAgxza2DrKJsOYCFBu2G
        wzH+gfyx7HwCSNzcd+u18ByLyzXLs1vPW7/T5ztP5v+02QHLTG2snvrrW8TwWpGtDLt3
        zU8oGksIcHluHiQwYS056Prsa7/4rHng9D9QNIP6AjlamZejEAlAZjlbajLt4xM17Ozn
        Xt8A==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
       h=list-unsubscribe:list-archive:list-help:list-post:list-id
        :mailing-list:precedence:reply-to:to:message-id:subject:date
        :mime-version:from:content-transfer-encoding:dkim-signature;
       bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
       b=qHESIMBiX+DsyurBJ3jkT1tBYiQGFfvjr57xoDFsgoF/KhZNtVfb1JjwT/klZN/Phu
        NoXTTYULEP9j64ynhf6ug1ACwgUqoFieD3fsMpBhO6PrnwjxxU/E8c8TH2eJNR5/SiQm
        9k9/PCH1Vr48EjXGwfBCDV18bkwCyZnYfBGHoskl3EM0WeTIoA3x8s8EGUc4+TSRXUhq
        +tA+2fbTJlofwk5z0Oga5fICZVcPeKPTWSltaXuuUOgpViq9JWbVkWx7+HonhJxzzMw0
        o7LcUhOXfQHutnKRs/Xpaa73AwDgT30QtEn0T1JBnl2Vl9RjH9+nhdWxHjQ0QLdEDPB3
        Xkdw==
ARC-Authentication-Results: i=3; mx.google.com;
      dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7;
      arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
      spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com;
      dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
Return-Path: <hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
       by mx.google.com with SMTPS id v33sor3392168uad.28.2021.12.12.09.14.44
       for <john@foo.com>
       (Google Transport Security);
       Sun, 12 Dec 2021 09:14:44 -0800 (PST)
Received-SPF: pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
      dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7;
      arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
      spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com;
      dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
ARC-Seal: i=2; a=rsa-sha256; t=1639329284; cv=pass;
       d=google.com; s=arc-20160816;
       b=A2s3aYE1vCQIscDH9RsEl6k0DGqxlZiSGi1iQgz57BP+AWIVt5X9b7nyraOJ8F6DPL
        tga5EsK1KrNHLURbQTBSO+pyg862afsmkhS/VFD3sBxSj6hhnc4oCpVJ3rPUWVxSE5IB
        z4NH0ujDotd4dBNBReOsLfetWC0BeyV6nvHfENuJM+PcpR2vO42O3zWARnvq0wtqZYPd
        eBbEJcfX5V6dGi7K9a5I4s+Hrz4V5VNQO8772L+lDQyRdthazJiKgKmB+jX+rztxflIM
        r9efmFXPwO8t3LVtqOzPFfQJqQiMJ9en62O4ZUwbdKxdLzx8Iw9BLVVm0SkDFpXIQTod
        lU2Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
       h=list-unsubscribe:list-archive:list-help:list-post:list-id
        :mailing-list:precedence:reply-to:to:message-id:subject:date
        :mime-version:from:content-transfer-encoding:dkim-signature;
       bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
       b=fXMcTPuKuu1Ahb/4kHcUPsbwEnwqaLpheL7AOFtyzp7FKfdBOErXZFdf1zCbmSX7S1
        Gi3D/zlXgcSAmHFUj1eOeuZwaUp3IWo2pkQiN5aMJ9oLlWaEbC/JLsthY8uh0zUSIuX/
        +Wdwjdpy1ZglE49PhkqGrFEr8ND1O/m8ETTHF1M9LhzWwR1c42MM3N17hUFMHcF4x6oz
        nq8M+JQy0V+Foz5AKXPRJGedCgpwGGBcRgoMW+xn/UaSgH1TgHiK82cL6Xy3ScisHeLo
        Wadb7qdxrMKrpn2H5ZvH0rq2VEvTNrLfrxKqO79a4WoohanhBf9Y/5eUckK2pm4nrHNC
        DWhg==
ARC-Authentication-Results: i=2; mx.google.com;
      dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
      spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
      dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=foo-com.20210112.gappssmtp.com; s=20210112;
       h=content-transfer-encoding:from:mime-version:date:subject:message-id
        :to:x-original-sender:x-original-authentication-results:reply-to
        :precedence:mailing-list:list-id:list-post:list-help:list-archive
        :list-unsubscribe;
       bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
       b=pcMriXR70y9+xfVEs+8AoajJ0xymE3UTgGyG2NmKWWjdf05SzeYGX8w1GX3rVZ1hG+
        QGcKfhU2Ra9bmXS2sAz2g8iDtWvnoTj+TDFnMs9OWFWSLRLr/wqDqSKnQGrCUr2Y/k/f
        Q9j7R5eV2nwkYa1XIRAAJaanwMw/y5uDSv04a7bf4itRHQWv3sBD0YaK7KW9X3/UhUOc
        5sKMmmK44qVb3NMkOQdureAtqPhUthfkVfQJElPAAUh1LtMy7lyS1g1KqGcUzm1D2WaY
        wI6UkGWu9smajIb7O2SPVCCOPPCurlGWKD9eC6xdz9Av1qZZlMIyn+eNJDSik9JnG7/w
        aFiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=1e100.net; s=20210112;
       h=x-gm-message-state:content-transfer-encoding:from:mime-version:date
        :subject:message-id:to:x-original-sender
        :x-original-authentication-results:reply-to:precedence:mailing-list
        :list-id:x-spam-checked-in-group:list-post:list-help:list-archive
        :list-unsubscribe;
       bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
       b=AwA9C6EysiLXrTEGUbzx+5vqODTMTskz7zHz2xe1quctysAvVhk58jn1xx322hfhh1
        yqXDXN/aE2MZwMrS++nikbt7lAJZfoNdpV8rKMgc0lb98yXjnd4n3tidH68eVp0cTVE2
        IYeKviGklV95rwOCQXuooqAKzN9/UJwGtH3C/NYZQnZQrGcFuIe5L5f5taRW/lby9IBN
        5u+rTEBn1UaNjDAVX13MbSpN6hjMGNmr1GaFiFSmnBeMBIH0pOzT3+UIR16Sza5unglm
        vkGD5OxPZGdH+fujwjjqrwjvmZSA1k9AhEvujR8B4FpgxGCreExueBMJcmWatPeSpmBO
        fjEA==
X-Gm-Message-State: AOAM531eWx5fz9pqU8qZS4uNtUeKxraKEAR9y1v6gcqUG3XiMb0qBByI FhppMXUtlC8OQUQYY5dXRcAfUe4+
X-Google-Smtp-Source: ABdhPJxynnRydm4JBkMLYoGgqV5RwhkwWcH4Z4w/ljLx6E0GPOqp9cSaCwpFSv4oC456afPUA5CYQA==
X-Received: by 2002:ab0:c10:: with SMTP id a16mr37954454uak.51.1639329284212;
       Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-BeenThere: hello@foo.com
Received: by 2002:a05:6102:2454:: with SMTP id g20ls4382592vss.4.gmail; Sun, 12 Dec 2021 09:14:43 -0800 (PST)
X-Received: by 2002:a05:6102:508c:: with SMTP id bl12mr23055020vsb.73.1639329283746;
       Sun, 12 Dec 2021 09:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639329283; cv=none;
       d=google.com; s=arc-20160816;
       b=0ToKjpZRQyjPknycN2z3IfIE1Iv7fkhCJbCVUn129k6GVlQVRq7t1xSCqEXMUpWfbb
        vdYNomuAczbfJOR/0o4gBaiPYM4l2L8A8BgUcx2LW26PPeMg1OKO6xexmcO0Qu79Vp+4
        23N3Alz3gRrG44HSkGQ13CwkukROblWgUMZ72U4nO30y0w38NZk4y1aPTPhV+TuFDWsY
        RLSYc3eLKdExhzkmnEgtyDKI/kHLZ++mgu4aFbK6SB4b8uB6v4onz7ONR+/BTGVwcnIs
        pOC6Xv6GwfBXu839bAhi94H83xV7QD5NFWuh0gMm445CzVz09zeesh89Qxcm/U/fKKI0
        6jbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
       h=to:message-id:subject:date:mime-version:from
        :content-transfer-encoding:dkim-signature;
       bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
       b=VMzdwjpJVsJyaKxFawsaBAj83gW8hSdi5iOxGMCrQaQ39h5lkhZAM/cc4rtc3RbAt3
        ZmpKTQ0Pdgb+MgpaIOT6X5szReSt7ZVMNsjsKOe2tkfhaC94azGx4H1MdopSdDnPqZoB
        wvlUU3H16eWofWXcgKNj236adKuN0x3rzeTAKCCjNjwNfOOg5H5Y//pTOtqHc+A3XQjP
        HsGhTohABGTAy68aVCBeHeh/2R5NRy+KuI7ipqkcwO6uPpnue4mMP7B6JtGjDOaiDJXs
        7wZ/G3p4fuJPCSeQWuPD6YzK+0dg3cw5GpNQHLib70Q6g41Ws70727llGEc0Ef89B+o/
        z8BQ==
ARC-Authentication-Results: i=1; mx.google.com;
      dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
      spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
      dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Received: from st43p00im-zteg10073501.me.com (st43p00im-zteg10073501.me.com. [17.58.63.180])
       by mx.google.com with ESMTPS id x11si6141232vss.670.2021.12.12.09.14.43
       for <hello@foo.com>
       (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
       Sun, 12 Dec 2021 09:14:43 -0800 (PST)
Received-SPF: pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) client-ip=17.58.63.180;
Received: from smtpclient.apple (49.sub-174-209-97.myvzw.com [174.209.97.49]) by st43p00im-zteg10073501.me.com (Postfix) with ESMTPSA id 49D5FAE07BE for <hello@foo.com>; Sun, 12 Dec 2021 17:14:42 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "'The Spammer' via Hello" <hello@foo.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 12 Dec 2021 12:14:40 -0500
Subject: Helping what I already have!
Message-Id: <3CBA8D0D-9028-4F28-90B7-397243A8D5A8@icloud.com>
To: hello@foo.com
X-Mailer: iPhone Mail (19B74)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.11.62.513.0000000 definitions=2021-12-12_06:2021-12-08_01,2021-12-12_06,2021-12-02_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 clxscore=1011 spamscore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=485 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2112120106
X-Original-Sender: Thespammer@icloud.com
X-Original-Authentication-Results: mx.google.com;
      dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
      spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
      dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Original-From: The Spammer <thespammer@icloud.com>
Reply-To: The Spammer <thespammer@icloud.com>
Precedence: list
Mailing-list: list hello@foo.com; contact hello+owners@foo.com
List-ID: <hello.foo.com>
X-Spam-Checked-In-Group: hello@foo.com
X-Google-Group-Id: 138202709934
List-Post: <https://groups.google.com/a/foo.com/group/hello/post>, &lt;mailto:hello@foo.com&gt;
List-Help: <https://support.google.com/a/foo.com/bin/topic.py?topic=25838>, &lt;mailto:hello+help@foo.com&gt;
List-Archive: <https://groups.google.com/a/foo.com/group/hello/>
List-Unsubscribe: &lt;mailto:googlegroups-manage+138202709934+unsubscribe@googlegroups.com&gt;, <https://groups.google.com/a/foo.com/group/hello/subscribe>



Sent from my iPhone

為什麼允許通過此電子郵件?

是 icloud.com(發件人的 SMTP 伺服器)不遵守 DMARC,所以接受電子郵件,然後轉發到 gmail,而 gmail 假設 icloud.com 進行了初始 DMARC 檢查,所以不打擾?(對不起,我在這方面很綠。)。

我不會聲稱自己是這方面的專家,但標題的IETF頁面X-Original-From似乎暗示這是向 Google Apps 郵件列表發送電子郵件時的預期行為。

Google Apps 目前將“別名”實現為 Google 群組(這已經存在很多年了,在此之前有單獨的別名和群組)。因此,重定向到內部使用者或外部 CRM 工具 (salesforce) 的 support@twitter.com 地址將收到組重寫消息。由於重寫,這些消息不會通過 DKIM,因此如果它們來自 DMARC p=REJECT/QUARANTINE 域,例如 yahoo.com,則 from 標頭將被重寫為組名 (support@twitter.com) x-original-from 將是原始發件人。

您是否檢查過Google DMARC 頁面以查看故障排除步驟是否對您有幫助?

鑑於垃圾郵件發送者是從 iCloud 地址發送的,您是否可以根據該X-Original-From標頭更新策略以阻止?

編輯:重新閱讀這個問題,我認為它沒有被欺騙 - 我認為 Google Apps 重寫“發件人”地址是有意/預設行為。您是否測試過從非域電子郵件地址(例如一次性 hotmail 帳戶或類似帳戶)向郵箱發送電子郵件?你有同樣的行為嗎?

引用自:https://serverfault.com/questions/1086114