
Hi,
I am receiving spam to my list-owner address that appears to be sent from the same list-owner address. Here are some of the headers, anonymized a bit (google is there because my email is forwarded to my gmail address).
Received-SPF: pass (google.com: domain of mailman-bounces@my.server.com designates MY.IP.ADDR.ESS as permitted sender) client-ip=MY.IP.ADDR.ESS;
Authentication-Results: mx.google.com; dkim=pass header.i=@my.server.com; spf=pass (google.com: domain of mailman-bounces@my.server.com designates MY.IP.ADDR.ESS as permitted sender) smtp.mailfrom=mailman-bounces@my.server.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=my.server.com; s=mcmaildk; h=Sender:Content-Type:Date:Message-Id:MIME-Version:Subject:To:From; bh=(STUFF)
Received: from localhost ([127.0.0.1] helo=www.my.server.com) by my.server.com with esmtp (Exim 4.84) (envelope-from <mailman-bounces@my.server.com>) id 1ajRhe-0006bB-4A for listmaster@my.server.com; Fri, 25 Mar 2016 08:23:06 -0500
Received: from [SPAM.IP.ADDR.ESS] (helo=spammer.domain.com) by my.server.com with esmtp (Exim 4.84) (envelope-from <mylist-owner@my.server.com>) id 1ajRhW-0006b2-Jk for mylist-owner@my.server.com; Fri, 25 Mar 2016 08:23:00 -0500
From: A. Spammer <mylist-owner@my.server.com>
To: mylist-owner <mylist-owner@my.server.com>
Errors-To: mailman-bounces@my.server.com
Sender: "Mylist" <mailman-bounces@my.server.com>
The SPF and DKIM passes make it seem like this spam is actually being sent from my server, not just from somewhere else with a spoofed sender. Is there some way that my mailman may be misconfigured that could be allowing the spammer to spam through it in this way? Or has my server been hacked?
Thanks!! Mike

On 03/25/2016 09:17 AM, Michael Shulman wrote:
Neither.
The mail was sent to "mylist-owner <mylist-owner@my.server.com>". It was delivered to Mailman for mylist-owner. Mailman then resent it to the owner address <listmaster@my.server.com> and the outgoing MTA DKIM signed it.
This has nothing to do with the fact that the original mail spoofed <mylist-owner@my.server.com> as the From: or the envelope sender of the original, except that depending on your DKIM signing rules you may have not DKIM signed it if it was From: a different domain.
It passes SPF because it came to google from your server and it passes DKIM because you signed it on the way out. It would have been exactly the same if it had been sent to an alias that forwards directly to your google address. I.e. had it been sent to <listmaster@my.server.com> instead of <mylist-owner@my.server.com>, it would have been forwarded and signed in exactly the same way without having gone through Mailman at all.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
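The relay chain Mark describes, traced from the Received headers, as an added Python example that is not part of the thread. It works on a constructed header sample modelled on the ones quoted in the question (203.0.113.7 stands in for the spammer's address, 192.0.2.10 for the server's own address), walks the hops oldest-first to find where the message actually entered the server, and flags a From: header that borrows the server's own domain from an outside host; the spf=pass/dkim=pass seen downstream only vouch for the server's own relaying hop, not for that origin.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the question;
# 203.0.113.7 is a stand-in for the spammer's IP, 192.0.2.10 for our own.
SAMPLE = """\
Received: from localhost ([127.0.0.1] helo=www.my.server.com)
\tby my.server.com with esmtp (Exim 4.84)
\t(envelope-from <mailman-bounces@my.server.com>)
\tfor listmaster@my.server.com; Fri, 25 Mar 2016 08:23:06 -0500
Received: from [203.0.113.7] (helo=spammer.domain.com)
\tby my.server.com with esmtp (Exim 4.84)
\t(envelope-from <mylist-owner@my.server.com>)
\tfor mylist-owner@my.server.com; Fri, 25 Mar 2016 08:23:00 -0500
From: A. Spammer <mylist-owner@my.server.com>
To: mylist-owner <mylist-owner@my.server.com>
Sender: "Mylist" <mailman-bounces@my.server.com>

(spam body)
"""

def hops(msg):
    """Received hops oldest-first as (source_ip, helo, envelope_from)."""
    out = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())          # unfold the header
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        helo = re.search(r"helo=([^\s)]+)", text)
        env = re.search(r"envelope-from <([^>]+)>", text)
        out.append(tuple(m.group(1) if m else None for m in (ip, helo, env)))
    return out[::-1]                          # headers are listed newest-first

def analyse(raw, own_domain, own_ips):
    """Find the hop where mail entered our MTA and whether From: claims our domain."""
    msg = message_from_string(raw)
    origin = next((h for h in hops(msg)
                   if h[0] and h[0] not in own_ips
                   and not ipaddress.ip_address(h[0]).is_loopback), None)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "origin_ip": origin[0] if origin else None,
        "origin_helo": origin[1] if origin else None,
        "origin_envelope_from": origin[2] if origin else None,
        # True: an outside host injected mail bearing our domain in From:, so any
        # later spf=pass/dkim=pass covers only our own forwarding hop, not the origin.
        "spoofed_own_domain": origin is not None and from_domain == own_domain,
    }
```

Run `analyse(SAMPLE, "my.server.com", {"192.0.2.10"})` to see the external origin hop and the spoof flag for the quoted case.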