
I've noticed a couple of times now that I get Delivery Status Notification (Failure) emails for emails I've not sent. I'm worried that someone else is using my account to send spam but I'm at the limits of my knowledge on these kinds of things.

Here's my setup:

  • Google Apps on a personal domain
  • 2FA auth, 32 char password (not reused with any other account)
  • DKIM set up to authenticate outgoing emails

The above made me feel very confident that I didn't need to worry about emails. Google would handle the hard stuff and I'd set up the security to meet my risk appetite.

Here's an example of one of the emails I've received:

Delivered-To: dropbox@williammayor.co.uk
Received: by 10.28.230.77 with SMTP id d74csp2527957wmh;
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
X-Received: by 10.28.51.205 with SMTP id z196mr12396419wmz.22.1487253406837;
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
Return-Path: <>
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com. [2a00:1450:400c:c09::244])
        by mx.google.com with ESMTPS id z26si7277207wrz.96.2017.02.16.05.56.46
        for <dropbox@williammayor.co.uk>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of postmaster@mail-wm0-x244.google.com designates 2a00:1450:400c:c09::244 as permitted sender) client-ip=2a00:1450:400c:c09::244;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@googlemail.com;
       spf=pass (google.com: best guess record for domain of postmaster@mail-wm0-x244.google.com designates 2a00:1450:400c:c09::244 as permitted sender) smtp.helo=mail-wm0-x244.google.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com
Received: by mail-wm0-x244.google.com with SMTP id r18so3245363wmd.3
        for <dropbox@williammayor.co.uk>; Thu, 16 Feb 2017 05:56:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20161025;
        h=from:to:auto-submitted:subject:references:in-reply-to:message-id
         :date;
        bh=mZaso4RaS6Rf+0QVb1hTu2CwYlfXSyEt+yTtW7hR8uk=;
        b=JZYDQJVNVPKjA4Vq876gSrhWhjsXaHpAMnMY+y5Z9XZb/e7wVS7rxnOPzLYM/gO6ic
         6J8e/E94h1Uk/Hgrzk9G+poYUcuESpe2R1sF7y2+XnMsd00gJfbnQb9rQQK/IGVlL/vi
         8XHDawTG8ndMH0r9h003UIRGrKpt8T5jx5bdSaB8nTSvS9aaeSABBviwCvKHZGoWYveR
         cDQjvmtLAwIFO5k+4p/g4JpsYlZ2ojEN6fAIARwiXD2rVnROjDRWUMvCvDUPAlkWOKs8
         On8Jvp8qm0cUA1Dw/yIxA2hkxwYzqn9jwMygqjUCxDjM3YNBuWlcAdk0GJdUJZC+MB/O
         mPww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:auto-submitted:subject:references
         :in-reply-to:message-id:date;
        bh=mZaso4RaS6Rf+0QVb1hTu2CwYlfXSyEt+yTtW7hR8uk=;
        b=lNavoK0q1Ic3pUvUQTypuNIITK1HVvq9BaRO5ar5Qs7OUU9hXRgcUbZsu7LaHtj+9g
         W5W37mG/HrlpG7XubPE1kqzqoN/tweLAmugnbijBH0d5Kl8Qaw2gxyEvll8zlBGDcJ5e
         ybIeUvJLVyXLw2zP1IPlFcM3rmt/8DULsCZ0QNarGigUyTkNc8+tI7Um7OPE6jSPGmhg
         7HPBX6Qgjq33T2RJdv9V9FeL7eTlB6yTTIC60NDsWdzLGS2CEPw+wlF9iGpleNf+fsZk
         WqHd323ds91smc5QXLs+yaH98gIRU4dYBoCtqfs8axxncBbPkzlYx5tIseTBsL4oXiTQ
         KvIw==
X-Gm-Message-State: AMke39llod4HSPtWN0UbX5cUGczBpbi+v8wlvcKYXUWllEul0FQDOWx/SYOPpTkn/8iOdVJHu+tQUqoSHFlDxDcLdh/ba4/TXpKVCp4=
X-Received: by 10.28.194.5 with SMTP id s5mr1688371wmf.98.1487253406629;
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
Content-Type: multipart/report; boundary=001a114b06eefe38320548a62ae8; report-type=delivery-status
Return-Path: <>
Received: by 10.28.194.5 with SMTP id s5mr1816172wmf.98; Thu, 16 Feb 2017
 05:56:46 -0800 (PST)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: dropbox@williammayor.co.uk
Auto-Submitted: auto-replied
Subject: Delivery Status Notification (Failure)
References: <58A56946.2178.568202@dropbox.williammayor.co.uk>
In-Reply-To: <58A56946.2178.568202@dropbox.williammayor.co.uk>
Message-ID: <58a5af9e.05c21c0a.9a844.2280.GMRIR@mx.google.com>
Date: Thu, 16 Feb 2017 05:56:46 -0800 (PST)

--001a114b06eefe38320548a62ae8
Content-Type: multipart/related; boundary=001a114b06eefe38a60548a62ae9

--001a114b06eefe38a60548a62ae9
Content-Type: multipart/alternative; boundary=001a114b06eefe38aa0548a62aea

--001a114b06eefe38aa0548a62aea
Content-Type: text/plain; charset=UTF-8


** Address not found **

Your message wasn't delivered to th3801@gone.bristol.ac.uk because the address couldn't be found. Check for typos or unnecessary spaces and try again.

Learn more here: https://support.google.com/mail/?p=NoSuchUser

The response from the remote server was:
550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces. Learn more at https://support.google.com/mail/?p=NoSuchUser y128si668637wme.153 - gsmtp

--001a114b06eefe38aa0548a62aea
Content-Type: text/html; charset=UTF-8


<html>
<head>
<style>
* {
font-family:Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif;
}
</style>
</head>
<body>
<table cellpadding="0" cellspacing="0" class="email-wrapper" style="padding-top:32px;background-color:#ffffff;"><tbody>
<tr><td>
<table cellpadding=0 cellspacing=0><tbody>
<tr><td style="max-width:560px;padding:24px 24px 32px;background-color:#fafafa;border:1px solid #e0e0e0;border-radius:2px">
<img style="padding:0 24px 16px 0;float:left" width=72 height=72 alt="Error Icon" src="cid:icon.png">
<table style="min-width:272px;padding-top:8px"><tbody>
<tr><td><h2 style="font-size:20px;color:#212121;font-weight:bold;margin:0">
Address not found
</h2></td></tr>
<tr><td style="padding-top:20px;color:#757575;font-size:16px;font-weight:normal;text-align:left">
Your message wasn't delivered to <a style='color:#212121;text-decoration:none'><b>th3801@gone.bristol.ac.uk</b></a> because the address couldn't be found. Check for typos or unnecessary spaces and try again.
</td></tr>
<tr><td style="padding-top:24px;color:#4285F4;font-size:14px;font-weight:bold;text-align:left">
<a style="text-decoration:none" href="https://support.google.com/mail/?p=NoSuchUser">LEARN MORE</a>
</td></tr>
</tbody></table>
</td></tr>
</tbody></table>
</td></tr>
<tr style="border:none;background-color:#fff;font-size:12.8px;width:90%">
<td align="left" style="padding:48px 10px">
The response from the remote server was:<br/>
<p style="font-family:monospace">
550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient&#39;s email address for typos or unnecessary spaces. Learn more at https://support.google.com/mail/?p=NoSuchUser y128si668637wme.153 - gsmtp
</p>
</td>
</tr>
</tbody></table>
</body>
</html>

--001a114b06eefe38aa0548a62aea--
--001a114b06eefe38a60548a62ae9
Content-Type: image/png; name="icon.png"
Content-Disposition: attachment; filename="icon.png"
Content-Transfer-Encoding: base64
Content-ID: <icon.png>
--001a114b06eefe38a60548a62ae9--
--001a114b06eefe38320548a62ae8
Content-Type: message/delivery-status

Reporting-MTA: dns; googlemail.com
Received-From-MTA: dns; dropbox@williammayor.co.uk
Arrival-Date: Thu, 16 Feb 2017 05:56:46 -0800 (PST)
X-Original-Message-ID: <58A56946.2178.568202@dropbox.williammayor.co.uk>

Final-Recipient: rfc822; th3801@gone.bristol.ac.uk
Action: failed
Status: 5.1.1
Remote-MTA: dns; aspmx.l.google.com. (64.233.184.27, the server for the domain gone.bristol.ac.uk.)
Diagnostic-Code: smtp; 550-5.1.1 The email account that you tried to reach does not exist. Please try
 550-5.1.1 double-checking the recipient's email address for typos or
 550-5.1.1 unnecessary spaces. Learn more at
 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser y128si668637wme.153 - gsmtp
Last-Attempt-Date: Thu, 16 Feb 2017 05:56:46 -0800 (PST)

--001a114b06eefe38320548a62ae8
Content-Type: message/global

X-Google-DKIM-Signature: v=3D1; a=3Drsa-sha256; c=3Drelaxed/relaxed;
        d=3D1e100.net; s=3D20161025;
        h=3Dx-gm-message-state:x-original-authentication-results:from:to:da=
te
         :mime-version:subject:message-id:priority;
        bh=3DcLIrxsPDFqXpSrCEsnAawqYFKnHyhNN8eD3gdiiezjk=3D;
        b=3Dh2AU9eKe/E9Ja5/aaA1mw0usLBYSGeOZL54VeAe1VS8gvTaQ1YhVIz9viubNwdn=
LMt
         DtS7a4iYr33YpA4ZTwfOXgYQW7MLDmwQf/yicRyipxTvlJXVWJnB2qysyZKvGJaj2e=
jM
         wJ62p6tEGM2qnt/OUQCN9c7XlsnOMpPaXQodclo0GEcUNYfelAvHJhYTCI2MzAe8xh=
XB
         DCBi43k5DvghMZe8rclFtljbQEUjVulCiVoS8DnBaipY6gJnYxmRjgmxQEVkQXC0kk=
sH
         YI/KF/jnyiMiCuzxLNV/PzcTQJxpxRuIrqwU/a8qoU4r0TFCLaaLVyWf9TwNDcJmDE=
Ut
         uU3Q=3D=3D
X-Gm-Message-State: AMke39msHsCTdSS32ZOVyKZPWRvhw/izv1k9fe7uxgkDWcIKEssIZ0V=
qvuNeRh5F2mwzL2PZcKgOmF3KjwjciM7J4GrlPNxeq6FhFgW/v0234JtjSKcsXNuEAM5640uQ3F=
YurH/nG8KZE+nFbNcR8itG1WBr9sY8M0qmOJq8G+nGM696WKhPWlUAbGN8SexL88mAsD8+4xq6C=
4kZrcLYjTwe6jJsItoTXryg4rKzc/G1wC6Bqk6nciBzRxo9KMfpb7DL4KPz3U9jxtuhI0MOTBoR=
X1vV2o/cAA75JwXav3hcYm+sH3FB5A5sZE6FF/UyoG/oB73KYnJ4uDy228CQyh36Uf2lWSZi7bE=
P0rENMiwv3phbF5nT/+DY1eP4rMRDQeaCBJP7bEaIIWSA+Zckplar
X-Received: by 10.28.194.5 with SMTP id s5mr1688355wmf.98.1487253406479;
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
X-Received: by 10.28.194.5 with SMTP id s5mr1688348wmf.98.1487253406319;
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
Return-Path: <dropbox@williammayor.co.uk>
Received: from mail-wr0-f197.google.com (mail-wr0-f197.google.com. [209.85.=
128.197])
        by mx.google.com with ESMTPS id f200si612772wme.108.2017.02.16.05.5=
6.46
        for <th3801@my.bristol.ac.uk>
        (version=3DTLS1_2 cipher=3DECDHE-RSA-AES128-GCM-SHA256 bits=3D128/1=
28);
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.128.197 is neither permitted nor =
denied by best guess record for domain of dropbox@williammayor.co.uk) clien=
t-ip=3D209.85.128.197;
Authentication-Results: mx.google.com;
       spf=3Dneutral (google.com: 209.85.128.197 is neither permitted nor d=
enied by best guess record for domain of dropbox@williammayor.co.uk) smtp.m=
ailfrom=3Ddropbox@williammayor.co.uk
Received: by mail-wr0-f197.google.com with SMTP id y7so3180714wrc.7
        for <th3801@my.bristol.ac.uk>; Thu, 16 Feb 2017 05:56:46 -0800 (PST=
)
X-Original-Authentication-Results: mx.google.com;       spf=3Dneutral (goog=
le.com: 190.67.150.7 is neither permitted nor denied by best guess record f=
or domain of dropbox@williammayor.co.uk) smtp.mailfrom=3Ddropbox@williammay=
or.co.uk
X-Received: by 10.223.136.205 with SMTP id g13mr2341030wrg.56.1487253406058=
;
        Thu, 16 Feb 2017 05:56:46 -0800 (PST)
X-Received: by 10.223.136.205 with SMTP id g13mr2341026wrg.56.1487253405942=
;
        Thu, 16 Feb 2017 05:56:45 -0800 (PST)
Return-Path: <dropbox@williammayor.co.uk>
Received: from [190.67.150.7] ([190.67.150.7])
        by mx.google.com with ESMTP id 6si9416331wrr.155.2017.02.16.05.56.4=
3
        for <th3801@bris.ac.uk>;
        Thu, 16 Feb 2017 05:56:45 -0800 (PST)
Received-SPF: neutral (google.com: 190.67.150.7 is neither permitted nor de=
nied by best guess record for domain of dropbox@williammayor.co.uk) client-=
ip=3D190.67.150.7;
From: <dropbox@williammayor.co.uk>
To: <th3801@bris.ac.uk>
Date: 16 Feb 2017 02:22:38 -0600
MIME-Version: 1.0
Subject: Local representation needed for the International Company
Message-ID: <58A56946.2178.568202@dropbox.williammayor.co.uk>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.61)
Content-type: multipart/alternative; boundary=3D"Alt-Boundary-29754.9314526=
"

Dear th3801,

We are looking for employees working remotely.

My name is Major, I am the personnel manager of a large International compa=
ny.
Most of the work you can do from home, that is, at a distance.

Salary is $2200-$5400.

If you are interested in this offer, please visit=20
Our Site

d_healthBest regards!
--001a114b06eefe38320548a62ae8--

As you can see, the email seems to be sent from dropbox@williammayor.co.uk; that's not a real email address. I have a wildcard alias set up on my domain so I can sign up for accounts without revealing my actual address. Someone seems to have found my dropbox one?

The original email is some kind of spam/fraud about remote working, sent to a Bristol University account.

My thoughts are:

  1. Someone is sending emails and spoofing my email address
  2. Someone is trying to trick me into thinking they're doing that

What's going on? How can I stop it? What mistakes have I made here? I rely on Google Apps to take care of the tricky parts and I'm concerned that I've missed something important (especially seeing as I manage other IT infrastructures using Google Apps).

Thanks!

WilliamMayor
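
One way to test the first hypothesis against the bounce, as an added example that is not part of the original post: read the returned message's `Received` chain and find where it first entered a trusted server. `injection_hop`, `triage` and `PROVIDER_NETS` are names chosen here, and the `209.85.128.0/17` range is an assumed stand-in for the provider's published sending ranges.

```python
import email
import ipaddress
import re

# Headers of the returned message, trimmed from the bounce quoted in the post
# (quoted-printable "=3D" and soft line breaks decoded).
RETURNED = """\
Return-Path: <dropbox@williammayor.co.uk>
Received: from mail-wr0-f197.google.com (mail-wr0-f197.google.com. [209.85.128.197])
        by mx.google.com with ESMTPS id f200si612772wme.108.2017.02.16.05.56.46
        for <th3801@my.bristol.ac.uk>; Thu, 16 Feb 2017 05:56:46 -0800 (PST)
Received: from [190.67.150.7] ([190.67.150.7])
        by mx.google.com with ESMTP id 6si9416331wrr.155.2017.02.16.05.56.43
        for <th3801@bris.ac.uk>; Thu, 16 Feb 2017 05:56:45 -0800 (PST)
Received-SPF: neutral (google.com: 190.67.150.7 is neither permitted nor denied by best guess record for domain of dropbox@williammayor.co.uk) client-ip=190.67.150.7;
From: <dropbox@williammayor.co.uk>
X-mailer: Pegasus Mail for Windows (4.61)

"""

# Assumption: stand-in for the provider's published sending ranges.
PROVIDER_NETS = [ipaddress.ip_network("209.85.128.0/17")]

def injection_hop(msg, trusted_by="mx.google.com"):
    """Peer IP on the oldest Received line stamped by a host we trust.
    Anything below that line was supplied by the sender and can be forged."""
    stamped = [h for h in msg.get_all("Received", [])
               if re.search(r"\bby\s+" + re.escape(trusted_by), h)]
    if not stamped:
        return None
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", stamped[-1])  # last = oldest hop
    return ipaddress.ip_address(m.group(1)) if m else None

def triage(raw, provider_nets=PROVIDER_NETS):
    """Summarise where the message entered and how SPF judged that hop."""
    msg = email.message_from_string(raw)
    ip = injection_hop(msg)
    spf = [v.split()[0].lower() for v in msg.get_all("Received-SPF", [])]
    return {
        "injection_ip": str(ip) if ip else None,
        "spf_at_injection": spf[-1] if spf else None,
        "mailer": msg.get("X-mailer"),
        "entered_via_provider": ip is not None and any(ip in n for n in provider_nets),
    }

if __name__ == "__main__":
    print(triage(RETURNED))
```
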
