A client recently received an email that was spoofed in a way I had never seen before. Below are the relevant details, anonymised, from the email headers:
- authentication-results: spf=none (sender IP is 74.208.4.197) smtp.mailfrom=[hacked domain name]; [client's old domain name]; dkim=none (message not signed) header.d=none;[client's old domain name]; dmarc=none action=none header.from=[client's old domain name];
- Reply-To: [Director] <[director's old email address on client's old domain]-l.in>
- From: [Director] <[director's new email address on client's new domain]>
- To: [accounts' distribution group] <[accounts' new email address on client's new domain]>
What is different and interesting is that the attacker was able to bypass the DMARC policy of the client's new domain. I think I know how the attacker managed to do this:
- A domain with no SPF, DKIM or DMARC policy (hacked domain name) was used at the SMTP / 5321 / smtp.mailfrom level.
- A domain with an SPF policy but no DKIM or DMARC policy (client's old domain name) was used at the MIME / 5322 / header.from level.
I have read that MTAs fetch the DMARC policy of the domain specified in the header.from header value. So my question is this: to confirm my theory, how can I send an email with a "custom" header.from value? I am used to using CLIs like telnet, etc.
I asked a very similar question earlier, but that answer does not answer this question.
The full (but anonymised) email headers:
Received: from HE1PR0502MB3002.eurprd05.prod.outlook.com (10.175.30.147) by
AM5PR0502MB2994.eurprd05.prod.outlook.com (10.175.40.20) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.302.9 via Mailbox Transport; Thu, 14 Dec 2017 09:34:42 +0000
Received: from AM3PR05CA0056.eurprd05.prod.outlook.com
(2a01:111:e400:52b7::24) by HE1PR0502MB3002.eurprd05.prod.outlook.com
(2603:10a6:3:d7::19) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.302.9; Thu, 14
Dec 2017 09:34:41 +0000
Received: from DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com
(2a01:111:f400:7e0a::200) by AM3PR05CA0056.outlook.office365.com
(2a01:111:e400:52b7::24) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.302.9 via Frontend
Transport; Thu, 14 Dec 2017 09:34:40 +0000
Received: from mout.perfora.net (74.208.4.197) by
DB5EUR03FT048.mail.protection.outlook.com (10.152.21.28) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.20.302.6 via Frontend Transport; Thu, 14 Dec 2017 09:34:39 +0000
Received: from box.backup ([93.158.216.105]) by mrelay.perfora.net (mreueus002
[74.208.5.2]) with ESMTPA (Nemesis) id 0MFrWa-1eCoig3ce6-00EttU for
<[accounts' old email address on client's old domain]>; Thu, 14 Dec 2017 10:34:37 +0100
From: [Director] <[director's new email address on client's new domain]>
To: [accounts' distribution group] <[accounts' new email address on client's new domain]>
Subject: Handle this asap
Thread-Topic: Handle this asap
Thread-Index: AQHTdL7FI+cnKCIw4k+addTBVGYrjQ==
Date: Thu, 14 Dec 2017 09:34:37 +0000
Message-ID: <[email protected]>
Reply-To: [Director] <[director's old email address on client's old domain]-l.in>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Network-Message-Id: 31f5cd96-3a15-44e2-9b9e-08d542d5e661
X-Message-Flag: Follow up
X-MS-TNEF-Correlator:
received-spf: None (protection.outlook.com: mylesstandish.net does not
designate permitted sender hosts)
x-forefront-antispam-report: CIP:74.208.4.197;IPV:NLI;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(8156002)(2980300002)(428003)(199004)(189003)(8676002)(9686003)(305945005)(7596002)(105586002)(16003)(106466001)(6862004)(5660300001)(16586007)(7116003)(568964002)(22720200003)(84326002)(567704001)(63106013)(9886003)(3480700004)(564344004)(1096003)(7636002)(50126003)(6636002)(246002)(21480400003)(5003630100001)(104016004)(356003)(42882006)(5000100001)(512874002)(4610100001)(43066004)(89386003)(33896004)(59450400001)(5890100001)(33964004)(2476003)(2351001)(362424002)(24616003)(79866001);DIR:INB;SFP:;SCL:1;SRVR:HE1PR0502MB3002;H:mout.perfora.net;FPR:;SPF:None;PTR:mout.perfora.net;A:1;MX:1;LANG:en;
authentication-results: spf=none (sender IP is 74.208.4.197)
smtp.mailfrom=mylesstandish.net; [client's old domain name]; dkim=none
(message not signed) header.d=none;[client's old domain name]; dmarc=none
action=none header.from=[client's old domain name];
x-provags-id: V03:K0:+bX50qyGpYWG3nl2KR5LrxNR5QAuHerD/Ci0f15XSi0PrkdhYn7
+asr62VMEJkFiChjE1rpF24A9/b1VQ4nq4V8xll8uJfrCxXKQFtioq5I3UUXzzIzsmoKlBz
c8zcN90wq7PruWyApRfkG93yISwROTLUDhZAYhqn0DByTKPp8Ptj/h4ZVWFkXx+j2BfrGnl
GRtxBbN6NAonCIMyPfftg==
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics: 1;AM5PR0502MB2994;27:PiEq5e2siU4JRO2TOrf1wEQY8e6CKGY0XpuGPTv1fAFH0U+X/mtVoF0DxL6/hHUuOK471Zu3M4iWfglkgAeZ9eoeyHp1ANXSL162vYFQaKRRjLwewNhY6osSswalTYkk
X-Microsoft-Antispam-Message-Info: jzBEPkz1MG4wSRW5IeNhdiFkN52T1FtBma8q4n/g2yIjDgQHGfmm8feWpuoG6UZX
Content-Type: multipart/mixed;
boundary="_002_0LkRJt1f0gbO2qeR00cNDFmrelayperforanet_"
MIME-Version: 1.0
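As an added illustration (not part of the original post), the check below reproduces what the receiving MTA did with the authentication-results header above: the DMARC record is looked up for the header.from (RFC 5322) domain, and SPF or DKIM only count if their identifier aligns with that domain. The domain names, the in-memory DMARC table standing in for DNS and the two-label organizational-domain rule are all assumptions made for the example.

```python
import re

# Constructed stand-in for the DNS _dmarc TXT lookup (org domain -> record).
# Names mirror the bracketed placeholders in the headers above; the old
# domain and the hacked domain publish no DMARC record, so they are absent.
DMARC_RECORDS = {"client-new.example": "v=DMARC1; p=reject; adkim=r; aspf=r"}

def org_domain(domain):
    """Crude organizational domain (last two labels); real MTAs use the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, header_from, mode):
    """Strict ('s') alignment is an exact match; relaxed ('r') needs only the
    same organizational domain as header.from."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)

def parse_auth_results(text):
    """Extract the fields DMARC needs from an Authentication-Results value."""
    def grab(key):
        m = re.search(re.escape(key) + r"=([^\s;]+)", text)
        return m.group(1) if m else ""
    return {"spf": grab("spf"), "mailfrom": grab("smtp.mailfrom"),
            "dkim": grab("dkim"), "dkim_d": grab("header.d"),
            "from": grab("header.from")}

def evaluate_dmarc(ar):
    """Return (dmarc_result, action) as the receiving MTA computes it: the
    policy is fetched for header.from, never for smtp.mailfrom."""
    from_domain = ar["from"].lower()
    record = DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return ("none", "none")  # no policy published -> nothing to enforce
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    spf_ok = ar["spf"] == "pass" and aligned(
        ar["mailfrom"].split("@")[-1], from_domain, tags.get("aspf", "r"))
    dkim_ok = ar["dkim"] == "pass" and aligned(
        ar["dkim_d"], from_domain, tags.get("adkim", "r"))
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", tags.get("p", "none"))

# Constructed copy of the authentication-results header above, with the
# bracketed placeholders replaced by example domain names.
SPOOFED_AR = ("spf=none (sender IP is 74.208.4.197) smtp.mailfrom=hacked.example; "
              "dkim=none (message not signed) header.d=none; "
              "dmarc=none action=none header.from=client-old.example;")

if __name__ == "__main__":
    print(evaluate_dmarc(parse_auth_results(SPOOFED_AR)))  # ('none', 'none')
    # Same message with header.from on the new domain: its p=reject applies.
    print(evaluate_dmarc(parse_auth_results(SPOOFED_AR.replace("client-old", "client-new"))))
```

The second call shows the practical mitigation: as long as the old domain publishes no DMARC record, nothing forces alignment with it, so a reject policy on the old domain (and the lookalike "-l.in" domain) is what would have changed the outcome.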