This is indeed a replay attack. It's quite widespread and appears to be focused on taking advantage of domain reputation on the DKIM d= domain for various email platforms. The end recipients appear to be exclusively Gmail, as far as I've seen, and are delivered using BCC, leaving the To header intact.
I recommend including the Date and Subject fields twice in your DKIM signature h= string, and possibly other key fields; that will break the original signature if a second such header is later added. https://tools.wordtothewise.com/rfc/6376#section-8.15

e.g., instead of

h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;

use

h=Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Date;

On Sun, Jan 30, 2022 at 4:48 PM Ángel via mailop <[email protected]> wrote:
> On 2022-01-30 at 14:09 +0200, Edgaras | SENDER wrote:
> > Hello,
> >
> > We noticed in Google Postmaster Tools a lot of bad reputation IPs
> > which do not belong to us, and are actually forbidden from sending
> > emails on our behalf via SPF -all, yet Gmail thinks the messages
> > from these IPs were fully authenticated.
> >
> > After investigating some reports, it looks like a DKIM replay attack,
> > where Gmail does not validate the original DKIM signature (which
> > includes Message-ID:Reply-To:To: fields), and even ignores SPF
> > permerror, if the message contains ARC headers.
> >
> > Full headers below, any insights or suggestions would be appreciated:
>
> Hello Edgar(as)?
>
> I have been looking at your email, but I am confused at how it was
> produced, and so which are the weird bits.
>
> It purports to be a mail from [email protected] to
> [email protected], which then was "forwarded" (!) by 212.83.129.110
> to [email protected] with a MAIL FROM:<[email protected]> and an EHLO of
> lingojam.com
>
> It makes sense that DKIM could be skipped if there is ARC, but then ARC
> should be checked!
>
> Some interesting bits:
> - Two Date: headers
> - Two different Subject: headers
> - Original Return-Path: <[email protected]> appears twice
> - A couple of headers have two consecutive dots where there should be
>   one: "212.83.129..110", "mx.google..com"
>
> > Received-SPF: permerror (google.com: permanent error in processing
> > during lookup of [email protected]:
> > host.universidadebrasil.email not found) client-ip=212.83.129..110;
> > Authentication-Results: mx.google..com;
>
> Note: the first Subject header wasn't encoding those utf-8 characters?
>
> Best regards
>
> PS: yes universidadebrasil.edu.br has a bad SPF record:
> "v=spf1 include:spf.protection.outlook.com
> include:universidadebrasil.edu.br ip4:192.99.207.72
> include:host.universidadebrasil.email ip4:45.33.9.144
> include:mailgrid.com.br -all" but no txt on
> host.universidadebrasil.email
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
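The over-signing recommendation above (listing Subject and Date twice in h=) works because of how RFC 6376 section 5.4.2 selects header instances: for each name in h= the verifier takes the last not-yet-used instance scanning from the bottom of the header block, and a name with no remaining instance contributes the null string. A replayer who prepends a fresh Subject above the signed one therefore leaves a single-listed Subject's hash input unchanged, while a twice-listed Subject picks up the injected header and breaks the signature. The following is an added example written for this thread, not code from any of the posters: it implements that selection rule and relaxed header canonicalization, but replaces the RSA signature with an HMAC-SHA256 over the canonicalized headers (a stand-in, so it runs without keys or DNS), uses a shortened h= list, and operates on constructed messages with example.com addresses.

```python
"""
Added example: why duplicating Subject and Date in the DKIM h= tag
(over-signing) defeats header injection on a replayed message.
Header selection follows RFC 6376 s5.4.2 and relaxed canonicalization
s3.4.2; the b= RSA signature is replaced by an HMAC stand-in. All
messages, addresses and keys below are constructed for illustration.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed original message, headers in top-to-bottom order.
ORIGINAL: List[Header] = [
    ("Message-ID", "<[email protected]>"),
    ("Subject", "Your order confirmation"),
    ("From", "Shop <[email protected]>"),
    ("To", "[email protected]"),
    ("Date", "Sun, 30 Jan 2022 12:00:00 +0000"),
]

KEY = b"signer-private-key-stand-in"  # hypothetical stand-in for the d= domain's RSA key

H_SINGLE = "Message-ID:Subject:From:To:Date"                      # each header once
H_OVERSIGNED = "Message-ID:Subject:Subject:From:To:Date:Date"     # Subject and Date twice


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 s3.4.2 relaxed canonicalization of one header field:
    lowercase name, unfold, collapse whitespace runs, strip, no space after colon."""
    name = name.strip().lower()
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name}:{value}\r\n"


def select_signed_headers(headers: List[Header], h_tag: str) -> List[Optional[Header]]:
    """RFC 6376 s5.4.2: for each name in h=, take the last not-yet-used
    instance scanning from the bottom; a name with no remaining instance
    yields None (the null string)."""
    used: set = set()
    picked: List[Optional[Header]] = []
    for raw in h_tag.split(":"):
        want = raw.strip().lower()
        chosen = None
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == want:
                chosen = idx
                break
        if chosen is None:
            picked.append(None)
        else:
            used.add(chosen)
            picked.append(headers[chosen])
    return picked


def header_hash_input(headers: List[Header], h_tag: str) -> bytes:
    """Concatenated canonical headers in h= order; missing ones contribute nothing."""
    chunks = []
    for item in select_signed_headers(headers, h_tag):
        if item is not None:
            chunks.append(relaxed_header(*item).encode())
    return b"".join(chunks)


def sign(headers: List[Header], h_tag: str, key: bytes) -> str:
    """HMAC-SHA256 stand-in for the RSA signature carried in b=."""
    return hmac.new(key, header_hash_input(headers, h_tag), hashlib.sha256).hexdigest()


def verify(headers: List[Header], h_tag: str, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(headers, h_tag, key), tag)


def replay_with_injected_headers(headers: List[Header]) -> List[Header]:
    """The replayer prepends its own Subject and Date above the signed ones."""
    injected = [
        ("Subject", "URGENT: confirm your account now"),
        ("Date", "Mon, 31 Jan 2022 09:00:00 +0000"),
    ]
    return injected + headers


def displayed_subject(headers: List[Header]) -> Optional[str]:
    """Mail clients generally show the first (topmost) Subject."""
    for name, value in headers:
        if name.lower() == "subject":
            return value
    return None


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Returns {label: (verifies on original, still verifies after injection)}."""
    results: Dict[str, Tuple[bool, bool]] = {}
    replayed = replay_with_injected_headers(ORIGINAL)
    for label, h_tag in (("single", H_SINGLE), ("oversigned", H_OVERSIGNED)):
        tag = sign(ORIGINAL, h_tag, KEY)
        results[label] = (verify(ORIGINAL, h_tag, KEY, tag), verify(replayed, h_tag, KEY, tag))
    return results


if __name__ == "__main__":
    for label, (orig_ok, replay_ok) in demo().items():
        print(f"{label:10s} original={orig_ok} after_injection={replay_ok}")
    print("recipient sees:", displayed_subject(replay_with_injected_headers(ORIGINAL)))
```

With the single-listed h= the replayed message still verifies while the recipient sees the injected Subject; with Subject and Date listed twice the second slot that was null at signing time now binds to the injected header and verification fails. The same selection logic applies to any header you over-sign, so the technique extends to Reply-To, To or other fields you do not want a replayer to be able to add.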
