Today I got a scam e-mail which I decided to dissect. I quickly found that it was sent from a GMail address (From, Reply-To, Return-Path) but that the mail itself came from Yahoo.
- HELO from Yahoo
- Received from IP maps both forward and reverse
- Mail has valid DKIM signature for yahoo.com
- Mail soft-fails GMail SPF because a Yahoo-owned IP is not part of it
I've piped the mail through opendkim-testmsg, which tells me the message is fine.
I'm really confused by all of this. Of course anyone can technically sign any email using DKIM for their own domain, even if it doesn't match any of the domains used in the mail. But why would Yahoo do this? And why doesn't OpenDKIM indicate that there's something phishy about this mail, even though the Return-Path domain and the DKIM domain don't match?
By popular request, some e-mail headers. Please note that this e-mail has been through a corporate mail washing service, Exchange and I stripped a lot of identifying data. The DKIM signature for the header portion still matches, though. I've omitted the body, but it also validates.
Received-SPF: softfail (MYMX: transitioning domain of gmail.com does not designate 87.248.110.97 as permitted sender) client-ip=87.248.110.97; envelope-from=helenslomonn@gmail.com; helo=sonic302-34.consmr.mail.ir2.yahoo.com;
Received: from sonic302-34.consmr.mail.ir2.yahoo.com ([87.248.110.97])
by MYMX with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(envelope-from <helenslomonn@gmail.com>)
for MYNAME@MYDOMAIN; Wed, 28 Feb 2018 05:03:02 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1519822976; bh=35/Syp7oOntp7GfGR2tdK316KBE4uAxZC5lOM//DYjg=; h=Date:From:Reply-To:Subject:References:From:Subject; b=KvnuAmNY1sujXiLsVnNqOJzF3MFxu/jY93zu5QKtbWRy9nMOhomUrZ+398oRwLC0P0RAkCbOj5a2x5JZtrZG4/71RKmHD/ftzOJI2goX2A4KaWrsczH4RsR/kfvpmz0jNRF4nxZONN4a5NKLavt6WPG7yWokVrGh2n/zUZPiFFv8kZL0uNPdIyCC94OiBh0c6GlSRpmTe0GbTQmbDgXZ+8nf7O5kiWpALbpSBHJ22QmdFhLLQWS18xZhl/AwprHFV+txsWtat02ldjYUmoGKhXNmTcWHDLPw7n5uyKXwsaOuX1uXSLzaWUgpnrD/v/FonebJoo1qkcnZoziov6TJmw==
X-YMail-OSG: dOZOfQ0VM1lyzg2OUT1yoveGRURYm6FHV_CU8qWTCRbr8jkKD_gBSwprVT5nSNr
oxL32bI8ge8m_n_BDyDXFKnfZTDdFMGUPxFQt8bl2TLbWIC72.HGgEg6S8trxoSkeYLsPM8tUIhL
XPCdlp3sNlz4quLJyyJznVo55S3vYeLt5fYSOqw2kJtOvf3l.puohOlVCc5WBZO1lp82MLbBi0rq
0tCsbA3xDFW8_3JsxoJGinZ8fn0BBoqUfkfFdGv7UyoM94wlv4_GWYAQwIzicSQsC5od.fBm1lM_
zSZlsV9hfeDUkwDyQiAmFq5rCUJ.3N7Lu9IKZTwnKjWvRFNudXOkEEJwW7Dg0eRNCBx.N2c.52Bi
dfwYepO_0jqL.vF19srHCbj6PrUQjFYiIzaauD.m9IdfE692oG6o9B.w20VkMLmTcxjBKg7NC1pk
6mWavSA7yHndoNrMfcB.liBw3XSLggRvPH60M
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ir2.yahoo.com with HTTP; Wed, 28 Feb 2018 13:02:56 +0000
Date: Wed, 28 Feb 2018 13:02:52 +0000 (UTC)
From: hs <helenslomonn@gmail.com>
Reply-To: hs <helensslomonn@gmail.com>
Message-ID: <909434698.11100734.1519822972957@mail.yahoo.com>
Subject: MRS.HELEN SOLOMON FUNDS TRANSFER ASSISTANCE.
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
References: <909434698.11100734.1519822972957.ref@mail.yahoo.com>
To: Undisclosed recipients:;
Return-Path: helenslomonn@gmail.com
MIME-Version: 1.0
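An added example (not the poster's code and not OpenDKIM's) that makes the gap explicit: a valid DKIM signature only proves that yahoo.com signed the message, and it is DMARC alignment (RFC 7489) that compares the DKIM d= domain and the SPF-checked envelope domain against the From domain. It runs over the headers quoted above (constructed, re-folded sample with the signature value replaced by a placeholder) and reports why this message would fail DMARC; the organizational-domain helper is a simplification, as its comment notes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: headers quoted in the post, re-folded so the email
# module parses them. Body omitted; the b= signature value is a placeholder.
SAMPLE = """\
Received-SPF: softfail (MYMX: transitioning domain of gmail.com does not designate 87.248.110.97 as permitted sender)
 client-ip=87.248.110.97; envelope-from=helenslomonn@gmail.com; helo=sonic302-34.consmr.mail.ir2.yahoo.com;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 h=Date:From:Reply-To:Subject:References:From:Subject; b=PLACEHOLDER
From: hs <helenslomonn@gmail.com>
Return-Path: helenslomonn@gmail.com

"""

def org_domain(host):
    # Relaxed-alignment "organizational domain", simplified to the last two
    # labels; a real validator consults the Public Suffix List (e.g. co.uk).
    return ".".join(host.lower().split(".")[-2:])

def addr_domain(value):
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() or None

def dkim_signing_domains(msg):
    # d= tag of each DKIM-Signature (RFC 6376 tag=value list, ';' separated)
    doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        doms.append(tags.get("d", "").strip().lower())
    return doms

def spf_info(msg):
    # Result token and envelope-from domain from Received-SPF (RFC 7208 s.9.1)
    hdr = msg.get("Received-SPF", "")
    m = re.search(r"envelope-from=([^;\s]+)", hdr)
    return (hdr.split()[0].lower() if hdr else "none"), (addr_domain(m.group(1)) if m else None)

def dmarc_check(raw, dkim_verified=True, strict=False):
    # DMARC (RFC 7489 s.3.1): pass only if SPF or DKIM both passes AND the
    # domain it vouches for aligns with the RFC5322.From domain.
    msg = message_from_string(raw)
    align = (lambda a, b: a == b) if strict else (lambda a, b: org_domain(a) == org_domain(b))
    from_dom = addr_domain(msg.get("From"))
    spf_result, env_dom = spf_info(msg)
    dkim_doms = dkim_signing_domains(msg)
    spf_aligned = bool(from_dom and env_dom and align(env_dom, from_dom))
    dkim_aligned = bool(from_dom) and any(align(d, from_dom) for d in dkim_doms)
    return {"from_domain": from_dom, "dkim_domains": dkim_doms,
            "spf_result": spf_result, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc_pass": (spf_result == "pass" and spf_aligned) or (dkim_verified and dkim_aligned)}
```

Calling `dmarc_check(SAMPLE)` reports SPF aligned but only softfail, DKIM verified but signed by yahoo.com rather than gmail.com, hence no DMARC pass; `dkim_verified` is taken as given because the post confirms opendkim-testmsg accepted the signature.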