Today we received a spoofed email: it was sent to us "from us". (Assume we own foo.com — real domain redacted.)
This is disturbing, as it shows as "from foo.com", yet the sender is definitely not from "foo.com".
The mailbox "[email protected]" is a Google Group, set to allow anyone to "publish posts" (i.e. so people on the internet can send it messages, like a regular mailbox) but only members of "foo.com" can view those "posts" (i.e. the received emails).
We have DMARC (p=reject), DKIM and SPF configured.
Our DNS:
TXT foo.com "v=spf1 include:_spf.google.com include:helpscoutemail.com ~all"
TXT _dmarc.foo.com "v=DMARC1; p=reject; rua=mailto:[email protected];ruf=mailto:[email protected]; pct=100; aspf=r; adkim=r;"
TXT google._domainkey.foo.com "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."
The message's headers:
Delivered-To: [email protected]
Received: by 2002:ad4:552d:0:0:0:0:0 with SMTP id ba13csp6199730qvb;
Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-Received: by 2002:a05:6102:a46:: with SMTP id i6mr23802281vss.19.1639329284522;
Sun, 12 Dec 2021 09:14:44 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; t=1639329284; cv=pass;
d=google.com; s=arc-20160816;
b=WReYbvjEI4p+IYx6Y3fT/N5jiaEEA60C4t/3utW/afsQbsrWaMMeWv51lxVOb/HvIx
oLaSaK6Hskbjeo9rUnYYIlZEnT9ME4Gf/1tfyVXC+YTRBsBEWHCKr064RzBS9X8LUr2C
Mo++Fm16blzUIgR8wZoq54WwY7ZK6POjEOXWqUqvKsJOk6GyrAgxza2DrKJsOYCFBu2G
wzH+gfyx7HwCSNzcd+u18ByLyzXLs1vPW7/T5ztP5v+02QHLTG2snvrrW8TwWpGtDLt3
zU8oGksIcHluHiQwYS056Prsa7/4rHng9D9QNIP6AjlamZejEAlAZjlbajLt4xM17Ozn
Xt8A==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:list-archive:list-help:list-post:list-id
:mailing-list:precedence:reply-to:to:message-id:subject:date
:mime-version:from:content-transfer-encoding:dkim-signature;
bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
b=qHESIMBiX+DsyurBJ3jkT1tBYiQGFfvjr57xoDFsgoF/KhZNtVfb1JjwT/klZN/Phu
NoXTTYULEP9j64ynhf6ug1ACwgUqoFieD3fsMpBhO6PrnwjxxU/E8c8TH2eJNR5/SiQm
9k9/PCH1Vr48EjXGwfBCDV18bkwCyZnYfBGHoskl3EM0WeTIoA3x8s8EGUc4+TSRXUhq
+tA+2fbTJlofwk5z0Oga5fICZVcPeKPTWSltaXuuUOgpViq9JWbVkWx7+HonhJxzzMw0
o7LcUhOXfQHutnKRs/Xpaa73AwDgT30QtEn0T1JBnl2Vl9RjH9+nhdWxHjQ0QLdEDPB3
Xkdw==
ARC-Authentication-Results: i=3; mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=pcMriXR7;
arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) [email protected];
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
Return-Path: <[email protected]>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
by mx.google.com with SMTPS id v33sor3392168uad.28.2021.12.12.09.14.44
for <[email protected]>
(Google Transport Security);
Sun, 12 Dec 2021 09:14:44 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=pcMriXR7;
arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) [email protected];
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
ARC-Seal: i=2; a=rsa-sha256; t=1639329284; cv=pass;
d=google.com; s=arc-20160816;
b=A2s3aYE1vCQIscDH9RsEl6k0DGqxlZiSGi1iQgz57BP+AWIVt5X9b7nyraOJ8F6DPL
tga5EsK1KrNHLURbQTBSO+pyg862afsmkhS/VFD3sBxSj6hhnc4oCpVJ3rPUWVxSE5IB
z4NH0ujDotd4dBNBReOsLfetWC0BeyV6nvHfENuJM+PcpR2vO42O3zWARnvq0wtqZYPd
eBbEJcfX5V6dGi7K9a5I4s+Hrz4V5VNQO8772L+lDQyRdthazJiKgKmB+jX+rztxflIM
r9efmFXPwO8t3LVtqOzPFfQJqQiMJ9en62O4ZUwbdKxdLzx8Iw9BLVVm0SkDFpXIQTod
lU2Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:list-archive:list-help:list-post:list-id
:mailing-list:precedence:reply-to:to:message-id:subject:date
:mime-version:from:content-transfer-encoding:dkim-signature;
bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
b=fXMcTPuKuu1Ahb/4kHcUPsbwEnwqaLpheL7AOFtyzp7FKfdBOErXZFdf1zCbmSX7S1
Gi3D/zlXgcSAmHFUj1eOeuZwaUp3IWo2pkQiN5aMJ9oLlWaEbC/JLsthY8uh0zUSIuX/
+Wdwjdpy1ZglE49PhkqGrFEr8ND1O/m8ETTHF1M9LhzWwR1c42MM3N17hUFMHcF4x6oz
nq8M+JQy0V+Foz5AKXPRJGedCgpwGGBcRgoMW+xn/UaSgH1TgHiK82cL6Xy3ScisHeLo
Wadb7qdxrMKrpn2H5ZvH0rq2VEvTNrLfrxKqO79a4WoohanhBf9Y/5eUckK2pm4nrHNC
DWhg==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=foo-com.20210112.gappssmtp.com; s=20210112;
h=content-transfer-encoding:from:mime-version:date:subject:message-id
:to:x-original-sender:x-original-authentication-results:reply-to
:precedence:mailing-list:list-id:list-post:list-help:list-archive
:list-unsubscribe;
bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
b=pcMriXR70y9+xfVEs+8AoajJ0xymE3UTgGyG2NmKWWjdf05SzeYGX8w1GX3rVZ1hG+
QGcKfhU2Ra9bmXS2sAz2g8iDtWvnoTj+TDFnMs9OWFWSLRLr/wqDqSKnQGrCUr2Y/k/f
Q9j7R5eV2nwkYa1XIRAAJaanwMw/y5uDSv04a7bf4itRHQWv3sBD0YaK7KW9X3/UhUOc
5sKMmmK44qVb3NMkOQdureAtqPhUthfkVfQJElPAAUh1LtMy7lyS1g1KqGcUzm1D2WaY
wI6UkGWu9smajIb7O2SPVCCOPPCurlGWKD9eC6xdz9Av1qZZlMIyn+eNJDSik9JnG7/w
aFiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:content-transfer-encoding:from:mime-version:date
:subject:message-id:to:x-original-sender
:x-original-authentication-results:reply-to:precedence:mailing-list
:list-id:x-spam-checked-in-group:list-post:list-help:list-archive
:list-unsubscribe;
bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
b=AwA9C6EysiLXrTEGUbzx+5vqODTMTskz7zHz2xe1quctysAvVhk58jn1xx322hfhh1
yqXDXN/aE2MZwMrS++nikbt7lAJZfoNdpV8rKMgc0lb98yXjnd4n3tidH68eVp0cTVE2
IYeKviGklV95rwOCQXuooqAKzN9/UJwGtH3C/NYZQnZQrGcFuIe5L5f5taRW/lby9IBN
5u+rTEBn1UaNjDAVX13MbSpN6hjMGNmr1GaFiFSmnBeMBIH0pOzT3+UIR16Sza5unglm
vkGD5OxPZGdH+fujwjjqrwjvmZSA1k9AhEvujR8B4FpgxGCreExueBMJcmWatPeSpmBO
fjEA==
X-Gm-Message-State: AOAM531eWx5fz9pqU8qZS4uNtUeKxraKEAR9y1v6gcqUG3XiMb0qBByI FhppMXUtlC8OQUQYY5dXRcAfUe4+
X-Google-Smtp-Source: ABdhPJxynnRydm4JBkMLYoGgqV5RwhkwWcH4Z4w/ljLx6E0GPOqp9cSaCwpFSv4oC456afPUA5CYQA==
X-Received: by 2002:ab0:c10:: with SMTP id a16mr37954454uak.51.1639329284212;
Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-BeenThere: [email protected]
Received: by 2002:a05:6102:2454:: with SMTP id g20ls4382592vss.4.gmail; Sun, 12 Dec 2021 09:14:43 -0800 (PST)
X-Received: by 2002:a05:6102:508c:: with SMTP id bl12mr23055020vsb.73.1639329283746;
Sun, 12 Dec 2021 09:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639329283; cv=none;
d=google.com; s=arc-20160816;
b=0ToKjpZRQyjPknycN2z3IfIE1Iv7fkhCJbCVUn129k6GVlQVRq7t1xSCqEXMUpWfbb
vdYNomuAczbfJOR/0o4gBaiPYM4l2L8A8BgUcx2LW26PPeMg1OKO6xexmcO0Qu79Vp+4
23N3Alz3gRrG44HSkGQ13CwkukROblWgUMZ72U4nO30y0w38NZk4y1aPTPhV+TuFDWsY
RLSYc3eLKdExhzkmnEgtyDKI/kHLZ++mgu4aFbK6SB4b8uB6v4onz7ONR+/BTGVwcnIs
pOC6Xv6GwfBXu839bAhi94H83xV7QD5NFWuh0gMm445CzVz09zeesh89Qxcm/U/fKKI0
6jbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:message-id:subject:date:mime-version:from
:content-transfer-encoding:dkim-signature;
bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
b=VMzdwjpJVsJyaKxFawsaBAj83gW8hSdi5iOxGMCrQaQ39h5lkhZAM/cc4rtc3RbAt3
ZmpKTQ0Pdgb+MgpaIOT6X5szReSt7ZVMNsjsKOe2tkfhaC94azGx4H1MdopSdDnPqZoB
wvlUU3H16eWofWXcgKNj236adKuN0x3rzeTAKCCjNjwNfOOg5H5Y//pTOtqHc+A3XQjP
HsGhTohABGTAy68aVCBeHeh/2R5NRy+KuI7ipqkcwO6uPpnue4mMP7B6JtGjDOaiDJXs
7wZ/G3p4fuJPCSeQWuPD6YzK+0dg3cw5GpNQHLib70Q6g41Ws70727llGEc0Ef89B+o/
z8BQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Received: from st43p00im-zteg10073501.me.com (st43p00im-zteg10073501.me.com. [17.58.63.180])
by mx.google.com with ESMTPS id x11si6141232vss.670.2021.12.12.09.14.43
for <[email protected]>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 12 Dec 2021 09:14:43 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) client-ip=17.58.63.180;
Received: from smtpclient.apple (49.sub-174-209-97.myvzw.com [174.209.97.49]) by st43p00im-zteg10073501.me.com (Postfix) with ESMTPSA id 49D5FAE07BE for <[email protected]>; Sun, 12 Dec 2021 17:14:42 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "'The Spammer' via Hello" <[email protected]>
Mime-Version: 1.0 (1.0)
Date: Sun, 12 Dec 2021 12:14:40 -0500
Subject: Helping what I already have!
Message-Id: <[email protected]>
To: [email protected]
X-Mailer: iPhone Mail (19B74)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.11.62.513.0000000 definitions=2021-12-12_06:2021-12-08_01,2021-12-12_06,2021-12-02_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 clxscore=1011 spamscore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=485 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2112120106
X-Original-Sender: [email protected]
X-Original-Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Original-From: The Spammer <[email protected]>
Reply-To: The Spammer <[email protected]>
Precedence: list
Mailing-list: list [email protected]; contact [email protected]
List-ID: <hello.foo.com>
X-Spam-Checked-In-Group: [email protected]
X-Google-Group-Id: 138202709934
List-Post: <https://groups.google.com/a/foo.com/group/hello/post>, <mailto:[email protected]>
List-Help: <https://support.google.com/a/foo.com/bin/topic.py?topic=25838>, <mailto:[email protected]>
List-Archive: <https://groups.google.com/a/foo.com/group/hello/>
List-Unsubscribe: <mailto:[email protected]>, <https://groups.google.com/a/foo.com/group/hello/subscribe>
Sent from my iPhone
Why is this email being allowed through?
Is it that icloud.com (the sender's SMTP server) doesn't honour DMARC, so accepts the email, then forwards onto gmail, and gmail assumes that icloud.com did the initial DMARC checks so doesn't bother? (Sorry, I'm very green in this area.).
Best Answer
I won't claim to be an expert on this, but the IETF pages for the
X-Original-Fromheader seem to imply this is expected behaviour when sending an email to a Google Apps mailing list.Have you checked the Google DMARC pages to see if the troubleshooting steps help you?
Given the spammer is sending from an iCloud address can you update the policy to block based on that
X-Original-Fromheader?EDIT: re-reading the question, I don't think it is being spoofed - I think Google Apps' rewriting of the 'from' address is intended/default behaviour. Have you tested sending an email to the mailbox from a non-domain email address (e.g. throwaway hotmail account or similar)? Do you get the same behaviour?