[opendmarc-users] Fake mail (internal From: ourdomain) passed by opendmarc
Gary McLean
gary.mclean at instinet.co.uk
Wed Mar 15 04:06:42 PDT 2017
Carry out a dig txt on your domain from your postfix server and see what
results you get back for your policy. You may be running a split DNS.
You need to dig your policy from DNS.
Sent from my iPhone
> On 15 Mar 2017, at 11:02, Dominic Raferd <dominic at timedicer.co.uk> wrote:
>
> I am using opendmarc opendmarc 1.3.2~Beta1-2, and hoping someone can
> explain why in my setup opendmarc is failing to block an email which
> is sent from outside and which has an internal 'From' header which
> purports to be from one of our domains 'ourdomain1.co.uk'. This domain
> is subject to dmarc policy p=reject but the email is passed by our
> opendmarc anyway. I have obfuscated our domain and server names below
> but otherwise the data is genuine:
>
> Incoming mail headers after processing through our postfix instance
> (you can see Authentication-Results added by opendmarc and opendkim
> milters and by postfix-policyd-spf-python):
>
> From wwwciroq at host.thenetshop.co.uk Tue Mar 14 22:55:06 2017
> Return-Path: <wwwciroq at host.thenetshop.co.uk>
> Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none
> (p=none dis=none) header.from=localhost
> Authentication-Results: ourdomain1.co.uk; dkim=none; dkim-atps=neutral
> Authentication-Results: ourdomain1.co.uk; spf=pass (sender SPF
> authorized) smtp.helo=ciroqu.com (client-ip=178.63.169.147;
> helo=ciroqu.com; envelope-from=wwwciroq at host.thenetshop.co.uk;
> receiver=sally at ourdomain2.tld)
> Received: from ciroqu.com (147.169.63.178-static.thenetshop.co.uk
> [178.63.169.147])
> by vps1234567.ourdomain1.co.uk (Postfix) with ESMTPS id E988D3E911
> for <sally at ourdomain2.tld>; Tue, 14 Mar 2017 22:55:02 +0100 (CET)
> Received: from wwwciroq by host.thenetshop.co.uk with local (Exim 4.88)
> (envelope-from <wwwciroq at host.thenetshop.co.uk>)
> id 1cnu93-0006fY-0d
> for sally at ourdomain2.tld; Tue, 14 Mar 2017 21:38:17 +0000
> To: sally at ourdomain2.tld
> Subject: =?utf-8?Q?=5biTunes=2dConnect=5dSomeone=20has=20been=20logged=20into=20your=20account=20from=20another=20country?=
> X-PHP-Script: meridian.ciroqu.com/mm.php for 197.3.203.251
> X-PHP-Originating-Script: 535:mm.php
> Date: Tue, 14 Mar 2017 21:38:16 +0000
> From: =?utf-8?Q?AppleID?= <root at ourdomain1.co.uk>
> Message-ID: <630f3c03dbe36c18c195d61cb58819de at meridian.ciroqu.com>
> ...
>
> The above email passes spf (correctly, based on envelope sender) and
> opendkim (correctly, because there is no dkim key in the email) but
> more mysteriously it passes opendmarc - maybe this is related to the
> opendmarc message 'header.from=localhost' although the email has *not*
> originated from the localhost (but the 'From:' header does pretend to
> be from our domain 'ourdomain1.co.uk'). The email is sent on by our
> postfix system to gmail which responds thus:
>
> 2E0A53ED08: to=<sallymailbox at gmail.com>,
> orig_to=<sally at ourdomain2.tld>,
> relay=gmail-smtp-in.l.google.com[74.125.195.26]:25, delay=0.5,
> delays=0.04/0.12/0.13/0.21, dsn=5.7.1, status=bounced (host
> gmail-smtp-in.l.google.com[74.125.195.26] said: 550-5.7.1
> Unauthenticated email from ourdomain1.co.uk is not accepted due to
> 550-5.7.1 domain's DMARC policy. Please contact the administrator of
> 550-5.7.1 ourdomain1.co.uk domain if this was a legitimate mail.
> Please 550-5.7.1 visit 550-5.7.1
> https://support.google.com/mail/answer/2451690 to learn about the 550
> 5.7.1 DMARC initiative. l62si6701928wrc.6 - gsmtp (in reply to end of
> DATA command))
>
> So gmail correctly bounces the email because of our p=reject policy.
> But why didn't our opendmarc milter bounce it first? Here are our
> opendmarc settings:
>
> $ cat /etc/opendmarc.conf
> PidFile /var/run/opendmarc/opendmarc.pid
> RejectFailures true
> Syslog true
> UMask 0002
> UserID opendmarc:opendmarc
> PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
> IgnoreAuthenticatedClients true
> AuthservID ourdomain1.co.uk
> AuthservIDWithJobID yes
> TrustedAuthservIDs ourdomain1.co.uk
> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
> Socket inet:8893 at localhost
>
> $ cat /etc/postfix/opendmarc-ignorehosts.txt
> 127.0.0.1
> 192.168.100.0/23
>
> In my mail log I see an entry from opendmarc thus:
> 2017-03-14 22:55:05 vps1234567 opendmarc[23616]: E988D3E911: localhost none
>
> My theory at this stage is that because the email purports to be from
> root at ourdomain1.co.uk (which is the same domain as the mail server,
> though not the same FQDN) opendmarc has considered it to be from
> 'localhost', it has then looked up 'localhost' (not
> 'ourdomain1.co.uk') in its database, found no dmarc policy for any
> domain called 'localhost' and hence passed the email. Which if true is
> bizarre.
>
> Thanks for any input
>
> Dominic
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
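To make the alignment step concrete, here is an added example (my code, not opendmarc's and not from either post) that re-derives the DMARC verdict from headers modelled on the quoted ones: the RFC5322.From domain is compared against what SPF and DKIM actually authenticated, with a constructed suffix list and policy table standing in for the PSL and for the _dmarc TXT lookup that Gary suggests checking with dig.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the quoted message ('@' restores the
# archive's ' at ' obfuscation); not the original mail.
SAMPLE = """\
Return-Path: <wwwciroq@host.thenetshop.co.uk>
Authentication-Results: ourdomain1.co.uk; dkim=none; dkim-atps=neutral
Authentication-Results: ourdomain1.co.uk; spf=pass (sender SPF authorized) smtp.helo=ciroqu.com (client-ip=178.63.169.147; helo=ciroqu.com; envelope-from=wwwciroq@host.thenetshop.co.uk; receiver=sally@ourdomain2.tld)
From: =?utf-8?Q?AppleID?= <root@ourdomain1.co.uk>
To: sally@ourdomain2.tld

"""
# Constructed stand-ins for the Public Suffix List and the _dmarc TXT lookup.
PUBLIC_SUFFIXES = {"co.uk", "uk", "tld", "com"}
DMARC_POLICY = {"ourdomain1.co.uk": "reject"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()

def dmarc_verdict(raw):
    """Return (dmarc result, RFC5322.From domain, policy, action) for raw headers."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    authenticated = []  # domains that SPF or DKIM actually verified
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=pass\b.*?envelope-from=([^;\s)]+)", ar)
        if m:
            authenticated.append(m.group(1).rpartition("@")[2])
        m = re.search(r"\bdkim=pass\b.*?header\.d=([^;\s)]+)", ar)
        if m:
            authenticated.append(m.group(1))
    # Relaxed alignment: the organizational domains must match.
    aligned = any(org_domain(d) == org_domain(from_domain) for d in authenticated)
    policy = DMARC_POLICY.get(org_domain(from_domain), "none")
    result = "pass" if aligned else "fail"
    action = "reject" if result == "fail" and policy == "reject" else "accept"
    return result, from_domain, policy, action

if __name__ == "__main__":
    print(dmarc_verdict(SAMPLE))  # ('fail', 'ourdomain1.co.uk', 'reject', 'reject')
    # Evaluating 'localhost' instead (as the log line shows) finds no policy at all:
    print(dmarc_verdict(SAMPLE.replace("<root@ourdomain1.co.uk>", "<root@localhost>")))
```

The second call shows why a From domain evaluated as "localhost" can never be rejected: with no published policy the result is p=none, whatever the alignment outcome.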