worrying spoof
I'm not convinced that this came from Amazon, unless Amazon has been hacked.
How did this pass SPF checks, etc.?
I've removed my server name and my email address, everything else is as it came.
Received: from v160-251-14-211.ymvq.static.cnode.io ([160.251.14.211]:59327 helo=mail.amazon.com)
by my.server.co.uk with esmtp (Exim 4.93)
(envelope-from )
id 1kHjUF-00016n-3M
for me@me.co.uk; Mon, 14 Sep 2020 09:05:19 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=amazon; d=amazon.com;
h=MIME-Version:From:To:Date:Subject:Content-Type:Content-Transfer-Encoding; i=notice@amazon.com;
bh=O9uo9/G2je0sKQFChHbIcmPxffM=;
b=eorrJr+ROHfpdmYg0G0tQQbNygzvc1f7b7XpFyNL3NHBuCwQv5Lba5aI25jVH+ZpfMIpQfrr//js
FxzT1pH7KbGlnevMAClJ1DXp/bynyPsxXxmhaZ3tS1i4oOYP8M0SZia779NlYGli08XSG1oUJHwN
IZmheVtfxdiag7Up7Ls=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=amazon; d=amazon.com;
b=mHoP4tSxiYw/8i/4E1zbh+hMvUrYUeCtOjHd4zbNCi9JlCkgSNtEv8MepA3lJF4mZIgqjx1PyFj7
u8ZEFk2bkRazXK4kkrXxXDo4ZtukkJ+Lh0Y25a0Gc1+BEKMoAAFatSldRsYuUyTL7x39LyxQq83m
C7DuXWmsk43RKSjLJl0=;
Received: by mail.amazon.com id hbsi3u1ef6c3 for ; Mon, 14 Sep 2020 17:04:35 +0900 (envelope-from )
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 16
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-Spam-Score: 0
ReturnReceipt: 1
MIME-Version: 1.0
From: "RAY-BAN"
To: "keat"
Date: 14 Sep 2020 08:04:35 +0000
Subject: Best of Groupon: The Deals That Make Us Proud
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
-
I guess it did fail SPF.
But I have soft fail and not hard fail. However, what's worrying is that it looks like it came from something reporting itself as amazon.com. It didn't come from somedomain.com spoofing amazon.com. The headers would indicate that it actually came from amazon.com. Did the spammers spoof a whole domain?
SPF_SOFTFAIL 1.50 SPF: sender does not match SPF record (softfail)
It's clearly not from Amazon:
Received: from v160-251-14-211.ymvq.static.cnode.io ([160.251.14.211]:59327 helo=mail.amazon.com)
What they did here was change the mail HELO to reference mail.amazon.com; the actual hostname of the server is v160-251-14-211.ymvq.static.cnode.io. They were able to "send from Amazon" in the same way I can add a domain such as google.com to my server and make email addresses associated with it. The domain doesn't resolve to that IP address, but if I were to send mail and people weren't using any spam defenses, it could be received in a user's inbox. I *think* the soft fail result is because Amazon's own SPF record indicates a soft fail rather than a hard fail:
soft fail = ~all
hard fail = -all
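As an added illustration of the two checks discussed in this thread (not code from either poster), the snippet below parses the Received header quoted above, flags the mismatch between the connecting host's reverse-DNS name and the HELO name, and reads the qualifier on the trailing "all" mechanism of an SPF record to show why "~all" yields softfail while "-all" yields fail. The SPF records are constructed samples, not Amazon's real record.

```python
import re
from typing import Optional

# Constructed sample: the Received header from the thread, recipient details omitted.
RECEIVED = ("Received: from v160-251-14-211.ymvq.static.cnode.io "
            "([160.251.14.211]:59327 helo=mail.amazon.com) "
            "by my.server.co.uk with esmtp (Exim 4.93)")

# Exim-style "from <rdns> ([<ip>]:<port> helo=<name>)" clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\s+helo=(?P<helo>\S+)\)",
    re.IGNORECASE,
)

def parse_received(header: str) -> Optional[dict]:
    """Extract reverse-DNS name, connecting IP and HELO name, or None if no match."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None

def registrable(host: str) -> str:
    """Naive last-two-labels approximation of the registrable domain (fine for .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def helo_mismatch(rec: dict) -> bool:
    """True when the HELO name claims a different domain than the host that connected."""
    return registrable(rec["rdns"]) != registrable(rec["helo"])

SPF_QUALIFIERS = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_policy(spf_record: str) -> str:
    """Return the result a non-matching sender gets from the record's 'all' mechanism."""
    for term in spf_record.split():
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return SPF_QUALIFIERS[m.group(1)]
    return "none"  # no 'all' term: unmatched senders get no explicit result

def assess(header: str, spf_record: str) -> str:
    """Combine both checks into a one-line verdict for a mail admin."""
    rec = parse_received(header)
    if rec is None:
        return "unparsed Received header"
    verdict = "HELO forged" if helo_mismatch(rec) else "HELO consistent"
    return f"{verdict} ({rec['rdns']} [{rec['ip']}] said helo={rec['helo']}); " \
           f"unlisted senders get SPF {spf_all_policy(spf_record)}"

if __name__ == "__main__":
    # Constructed SPF records: one with ~all (softfail), one with -all (fail).
    print(assess(RECEIVED, "v=spf1 include:_spf.example.test ~all"))
    print(assess(RECEIVED, "v=spf1 ip4:192.0.2.0/24 -all"))
```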