
Good Morning All, I've been thrown into the deep end with a request from my director. I know little of DMARC and email spoofing in general, but I'm trying to somehow weed out WHY this spoof email "passed". It's coming from some "awoofmart@gmail.com" with the display name of one of our VPs. :(

I'm also concerned because the aggregate report did not include this email... I searched through Jan 31, Feb 1, and 2. Where did it go?

See below... I'm actually not 100% sure what is "safe" to share from the email header, but the info below seemed safe enough to post (I x'd out the employee's name and our domain). Please let me know if I revealed anything I shouldn't have (locking the stable after the horse has bolted, I know).

Any help would be appreciated!


Delivered-To: XXXXXX@XXXXXXs.com
Received: by 10.200.57.59 with SMTP id s56csp1949294qtb; Tue, 31 Jan 2017 06:53:50 -0800 (PST)
X-Received: by 10.55.72.210 with SMTP id v201mr26460280qka.145.1485874430676; Tue, 31 Jan 2017 06:53:50 -0800 (PST)
Return-Path:
Received: from mail-qt0-x242.google.com (mail-qt0-x242.google.com. [2607:f8b0:400d:c0d::242]) by mx.google.com with ESMTPS id g56si12092937qte.273.2017.01.31.06.53.50 for (version=TLS1_2 cipher=XXXXX-XXX-XXXXX-XXX-XXXXX bits=128/128); Tue, 31 Jan 2017 06:53:50 -0800 (PST)
Received-SPF: pass (google.com: domain of awoofmart@gmail.com designates 2607:f8b0:400d:c0d::242 as permitted sender) client-ip=2607:f8b0:400d:c0d::242;
Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com; spf=pass (google.com: domain of awoofmart@gmail.com designates 2607:f8b0:400d:c0d::242 as permitted sender) smtp.mailfrom=awoofmart@gmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: by mail-qt0-x242.google.com with SMTP id s58so19260189qtc.2 for ; Tue, 31 Jan 2017 06:53:50 -0800 (PST)

RGuthrie

2 Answers

While you consider this email spoofed, it is actually not, or at least not really spoofed. It comes from a valid gmail account which has no relation to your company. And the only "spoofing" which was done is that the owner of this account has set the name of your VP as their own name so that it shows up as the sender.

Google does not know what the real name of the person setting up the account is. And Google does not know that your VP needs some special protection so that nobody should be able to use their name. And Google does not know that your VP would never set up a gmail account. So nothing is actually wrong with this mail from the perspective of Google, and that's why it passed all the checks.

The only one which could consider this mail suspicious would be your company, because you have the name of your VP and you know that the name might be misused to trick users. That's why you should have your own mail filtering system and feed it with such information, so that it can protect you with your knowledge.

Steffen Ullrich
  • Thank you Steffen. That makes sense. Now my challenge is figuring out how to set up some sort of filtering system through our exchange provider. THANKS AGAIN :) – RGuthrie Feb 03 '17 at 23:29

In addition to what Steffen already mentioned in his answer, I'd like to note that spoofing the display name is common in phishing attempts. Many email clients show the sender of an email as Display Name <Email Address>. By bloating the Display Name, in some cases the email address part falls off, for example like this:

John Johnssons, Vice President of Wing Tip Toys Inc. <awoofmart@gmail.com>

As for the missing DMARC reports: they are sent to the owners of the Header.From domain, in this case mailauth-reports@google.com, the address in the DMARC record for the gmail.com domain, telling them everything was great, because both SPF and DKIM produced a Pass result.

Reinto
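As an added illustration (not code from either answer or from any mail product), here is a Python check of the kind Steffen suggests a company run in its own filter, applied to a constructed message shaped like Reinto's example: it flags a From display name that contains a protected executive's name while the address sits outside the company domain, and it reads from Authentication-Results which domain DMARC was actually evaluated for (gmail.com here, which is why the message passed). The company domain, the executive name and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the question's headers; the executive name,
# company domain and message body are hypothetical.
SAMPLE = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com;
 spf=pass smtp.mailfrom=awoofmart@gmail.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
From: "John Johnsson, Vice President of Wing Tip Toys Inc." <awoofmart@gmail.com>
To: staff@example.com
Subject: Quick favour

Are you at your desk?
"""

# Knowledge only the company has: its own domain and the names worth protecting.
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"john johnsson"}


def normalize(name):
    """Lower-case and collapse whitespace so 'John  Johnsson' still matches."""
    return re.sub(r"\s+", " ", name).strip().lower()


def display_name_impersonation(raw):
    """Return a reason string when the From display name contains a protected
    person's name but the address is outside the company domain, else None."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == COMPANY_DOMAIN:
        return None  # our own domain: SPF/DKIM/DMARC on that domain apply
    shown = normalize(name)
    for protected in PROTECTED_NAMES:
        if protected in shown:
            return f"display name {name!r} matches {protected!r}, sender domain {domain}"
    return None


def dmarc_evaluated_domain(raw):
    """Return (dmarc result, header.from domain) from Authentication-Results.
    That is the domain DMARC was evaluated for, which is why a Gmail sender
    with a borrowed display name passes: the policy checked is gmail.com's."""
    ar = message_from_string(raw).get("Authentication-Results", "")
    m = re.search(r"dmarc=(\w+).*?header\.from=([\w.-]+)", ar, re.S)
    return (m.group(1), m.group(2)) if m else None
```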