Email protected with SPF but received valid signature from other IP anyway

Question

I've received an email in spam from info@mydomain.com to info@mydomain.com, but the "sent by" came from rec15.appleandrdoidmail.mx. info@mydomain.com is an alias. Weird thing is that it says is signed by mydomain.com!

I've been looking at the email source and the email passed DKIM and SPF filters (haven't found DMARC info):

Assumpte:   8NUE7 Comprobante Electronico de Pago N: (94596)
SPF:    PASS amb la IP 0.0.0.0 Més informació
DKIM:   'PASS' amb el domini mydomain.com Més informació

I've been looking at the mail logs for connections and found this:

Oct 20 13:32:00 mydomain postfix/smtpd[5162]: connect from rec15.appleandroidemail.mx[45.7.231.194]
Oct 20 13:32:01 mydomain postfix/smtpd[5162]: 5A04D1B5C75: client=rec15.appleandroidemail.mx[45.7.231.194]
Oct 20 13:32:01 mydomain postfix/cleanup[5164]: 5A04D1B5C75: message-id=<20201020133159.0905B124154@rec15.appleandroidemail.mx>
Oct 20 13:32:01 mydomain postfix/qmgr[2202]: 5A04D1B5C75: from=<www-data@rec15.appleandroidemail.mx>, size=3140, nrcpt=1 (queue active)
Oct 20 13:32:01 mydomain postfix/smtpd[5162]: disconnect from rec15.appleandroidemail.mx[45.7.231.194] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 20 13:32:07 mydomain postfix/smtpd[5180]: connect from mydomain.com[127.0.0.1]
Oct 20 13:32:07 mydomain postfix/smtpd[5180]: EA2481B5F8A: client=mydomain.com[127.0.0.1]
Oct 20 13:32:07 mydomain postfix/cleanup[5164]: EA2481B5F8A: message-id=<20201020133159.0905B124154@rec15.appleandroidemail.mx>
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: EA2481B5F8A: from=<www-data@rec15.appleandroidemail.mx>, size=4004, nrcpt=1 (queue active)
Oct 20 13:32:08 mydomain postfix/smtpd[5180]: disconnect from mydomain.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 20 13:32:08 mydomain amavis[16608]: (16608-05) Passed CLEAN {RelayedInbound}, [45.7.231.194]:50918 [45.7.231.194] <www-data@rec15.appleandroidemail.mx> -> <miquel@mydomain.com>, Queue-ID: 5A04D1B5C75, Message-ID: <20201020133159.0905B124154@rec15.appleandroidemail.mx>, mail_id: qwEeUiSFqmai, Hits: 3.204, size: 3164, queued_as: EA2481B5F8A, 6422 ms
Oct 20 13:32:08 mydomain postfix/smtp[5165]: 5A04D1B5C75: to=<miquel@mydomain.com>, orig_to=<info@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.8, delays=0.33/0.01/0/6.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EA2481B5F8A)
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: 5A04D1B5C75: removed
Oct 20 13:32:08 mydomain dovecot: lmtp(5182): Connect from local
Oct 20 13:32:08 mydomain dovecot: lmtp(miquel@mydomain.com): 8ksOBtjmjl8+FAAAWnabiA: msgid=<20201020133159.0905B124154@rec15.appleandroidemail.mx>: saved mail to INBOX
Oct 20 13:32:08 mydomain dovecot: lmtp(5182): Disconnect from local: Successful quit
Oct 20 13:32:08 mydomain postfix/lmtp[5181]: EA2481B5F8A: to=<miquel@mydomain.com>, relay=mydomain.com[private/dovecot-lmtp], delay=0.15, delays=0.13/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <miquel@mydomain.com> 8ksOBtjmjl8+FAAAWnabiA Saved)
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: EA2481B5F8A: removed

SPF configuration:

mydomain.com.       86400   IN  TXT "v=spf1 ip4:xx.xx.xx.xx include:_spf.mydomain.com ~all"
mydomain.com.       86400   IN  TXT "v=spf2.0/pra ip4:xx.xx.xx.xx include:_spf.mydomain.com ~all"

DKIM configuration:

20XXXX._domainkey.mydomain.com. 82086 IN TXT    "v=DKIM1; k=rsa; p=MIGfMA0GC..."

DMARC configuration:

v=DMARC1; p=reject; pct=100; rua=mailto:abuse@mydomain.com; ruf=mailto:abuse@mydomain.com; aspf=s; adkim=s; fo=1

I've reviewed all DMARC xml reports and haven't found any entry for 45.7.231.194 IP address, neither reject, none or quarantine.

In the email source I've found:

X-Received: by 2002:a2f:a551:: with SMTP id a23mr2209527ljn.5.1603290742268;
        Tue, 20 Oct 2020 06:32:24 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of www-data@rec15.appleandroidemail.mx designates 45.7.231.194 as permitted sender) smtp.mailfrom=www-data@rec15.appleandroidemail.mx;
       dkim=pass header.i=@mydomain.com header.s=20XXXX header.b=EBPdgUba
Received-SPF: pass (google.com: best guess record for domain of www-data@rec15.appleandroidemail.mx designates 45.7.231.194 as permitted sender) client-ip=45.7.231.194;
...
Received: from localhost (mydomain.com [127.0.0.1]) by mydomain.com (Postfix) with ESMTP id EA2481B5F8A for <miquel@mydomain.com>; Tue, 20 Oct 2020 13:32:07 +0000 (UTC)

So it seems that someone authorized 45.7.231.194 to send emails in the name of mydomain.com, but I thought that SPF was for this purpose, to protect someone to use mydomain.com to send emails on its name. What I'm missing? Is there something misconfigured?

Please any help on how to block this attack will be really appreciated.

Google's SPF handling is completely ridiculous and violates the spec in numerous ways including this one, where it says SPF passed for a name that hasn't got an SPF record. It should not be trusted. — Michael Hampton, Oct 22 '20 at 14:56
@MichaelHampton I'm not really sure this is a Google problem, could be anyway, but seems that `rec15.appleandroidemail.mx` is using my server to send emails through my server, or at least using the accounts in my server, something like a relay server — Miquel, Oct 22 '20 at 18:02
The mail went to your domain, so that is not relaying. Relaying is when your mail server accepts mail for other domains and then delivers them to those other domains. — Michael Hampton, Oct 22 '20 at 19:03

score 1 · Answer 1 · edited Oct 07 '21 at 08:14

1

As defined in RFC 7208, 1.1.3, SPF is not tested against the RFC 5322 From header, but against the envelope sender i.e. the address in RFC 5321 MAIL FROM command.

from=<www-data@rec15.appleandroidemail.mx>

Therefore, rec15.appleandroidemail.mx is the domain of the envelope sender, and this hostname doesn't have an SPF record.

You'd need an additional DMARC policy to enforce alignment between the MAIL FROM and the envelope sender.

edited Oct 07 '21 at 08:14

Community

1

answered Oct 22 '20 at 16:35

Esa Jokinen

43,252
2
75
122

But @EsaJokinen, don't understand: DMARC is already in place for `mydomain.com`. Also the `from` field of the email received in gmail was `info@mydomain.com` which was confusing me. I'm not really expert, but seemed that `rec15.appleandroidemail.mx` used my server as a relay, but I think it's forbidden to use my server as relay. – Miquel Oct 22 '20 at 17:59
I've edited the question adding DMARC configuration. Also I've reviewed DMARC xml reports and haven't found any entry for `45.7.231.194` IP address, neither reject, none or quarantine – Miquel Oct 22 '20 at 20:29

score 0 · Answer 2 · answered Oct 22 '20 at 09:52

0

Your SPF records is configured as a "Soft Fail", which allows the mail even when it fails. This is for testing purposes.

You need to configure your SPF records as a "Hard Fail" by setting -all instead of ~all-

answered Oct 22 '20 at 09:52

Gerald Schneider

19,757
8
52
79

It is not clear to me what the problem is, but this is not the right diagnosis. All SPF results shown are ‘pass’. While ‘softfail’ is a weaker negative result than ‘fail’, it certainly isn’t a positive result. – glts Oct 22 '20 at 12:19
Thanks for suggestion, I've modified in order to be more protected. As @glts says, it seems that SPF passed. Also looked at DMARC xml reports but haven't found any entry for `45.7.231.194`, neither reject, none or quarantine – Miquel Oct 22 '20 at 20:33

Email protected with SPF but received valid signature from other IP anyway

2 Answers2