Hey everyone, I'm having a (small) beef with my national government because I (prematurely?) blamed them for not protecting one of their official domain names properly. I was sent a phishing message, which I quickly identified as being... a phishing message. But then I looked at the "From:" header, and noticed that the domain name there was real. I haven't seen a sender's domain name being spoofed in over 10 years (thank you SPF, DKIM, DMARC), so I assumed they were in the wrong. But are they?
In the full message headers below, almost everything identifiable from the original headers has been replaced by something innocuous, but you can easily see that this message was sent through PHP from a hacked WordPress account (surprise!) on a shared hosting server. I see the shared hosting party has some precautions installed to track abuse, but OTOH I subtract points for publishing the version number of their mailserver (Exim).
I'm worried about the fact that SpamAssassin didn't properly do an SPF lookup, which would have immediately failed (the domain in question has the following SPF record: "v=spf1 -all", which is highly restrictive; in fact, it doesn't get more restrictive than this).
Yet, SpamAssassin added these entries to the tally:
Code:
0.0 SPF_NONE SPF: sender does not publish an SPF Record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
Particularly the first one: "sender does not publish an SPF Record" is worrisome. Who is "sender" here? The one mentioned in "From:" (govdomain.com) or the actual sender? Because SPF would not be very efficient if spammers could just not publish SPF records on their servers and spoof away.
So what happened here? Anyone?
Code:
Return-path: <SRS0=dKC7rF=XD=vmi711998.hackedhostingserver.com=mobilfilmizle@mydomain.com>
Envelope-to: [email protected]
Delivery-date: Tue, 28 Jun 2022 17:13:57 +0200
Received: from vmi711998.hackedhostingserver.com ([185.193.66.138])
by server.mydomain.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94)
(envelope-from <[email protected]>)
id 1o6Cua-0000Fr-Kh
for [email protected]; Tue, 28 Jun 2022 17:13:57 +0200
Received: from mobilfilmizle by vmi711998.hackedhostingserver.com with local (Exim 4.95)
(envelope-from <[email protected]>)
id 1o6CuY-0006Fd-LS
for [email protected];
Tue, 28 Jun 2022 17:13:54 +0200
To: [email protected]
Subject: You bla bla bla (replaced)
X-PHP-Script: mobilfilmizle.org/wordpress/wp-includes/ID3/class-wp-users-list-table.php for 89.203.249.150, 172.70.251.21
X-PHP-Originating-Script: 1018:class-wp-users-list-table.php
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=5787e705ae243331566f72be171dd7
From: Your Government <[email protected]>
Reply-To: [email protected]
Message-Id: <[email protected]>
Date: Tue, 28 Jun 2022 17:13:54 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vmi711998.hackedhostingserver.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [1018 993] / [47 12]
X-AntiAbuse: Sender Address Domain - vmi711998.hackedhostingserver.com
X-Get-Message-Sender-Via: vmi711998.hackedhostingserver.com: authenticated_id: mobilfilmizle/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: vmi711998.hackedhostingserver.com: mobilfilmizle
X-Source:
X-Source-Args: php-fpm: pool mobilfilmizle_org
X-Source-Dir: mobilfilmizle.org:/public_html/wordpress/wp-includes/ID3
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 185.193.66.138, -10 Spam score
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam detection software, running on the system "server.mydomain.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: p{ margin:10px 0; padding:0; } table{ border-collapse:collapse;
} h1,h2,h3,h4,h5,h6{ display:block; margin:0; padding:0; } img,a img{ border:0;
height:auto; outline:none; text-decoration:none; } body, [...]
Content analysis details: (-0.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.0 SPF_NONE SPF: sender does not publish an SPF Record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
1.1 MPART_ALT_DIFF_COUNT BODY: HTML and text parts are different
0.0 HTML_MESSAGE BODY: HTML included in message
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: mcusercontent.com, pxlme.me]
SpamTally: Final spam score: -14
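To make the SPF_NONE question concrete, here is an added Python example (not from the post, and not SpamAssassin's code) that walks the quoted headers. It pulls out the three identities involved (the HELO name, the envelope-from, and the From: header), evaluates SPF for the two identities SPF is defined over (RFC5321.MailFrom and HELO, which is what SpamAssassin's SPF_* and SPF_HELO_* rules report on), and shows that the "v=spf1 -all" record on the From: domain is never consulted by SPF itself; tying the From: header to an SPF- or DKIM-authenticated domain is DMARC's job, via alignment. The envelope-from (recovered from the SRS0 Return-path, which the post redacts) and the DMARC record for govdomain.com are assumptions; DNS is a constructed in-memory table rather than a live lookup, and the toy SPF evaluator understands only ip4, ip6 and all mechanisms.

```python
"""Added example (not from the post): which identities SPF actually evaluates.
DNS data is a constructed in-memory table, not a live lookup."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, condensed copy of the post's headers (placeholders kept). The envelope-from
# is an assumption recovered from the SRS0 Return-path, which the post redacts.
RAW_MESSAGE = """\
Return-path: <SRS0=dKC7rF=XD=vmi711998.hackedhostingserver.com=mobilfilmizle@mydomain.com>
Received: from vmi711998.hackedhostingserver.com ([185.193.66.138])
\tby server.mydomain.com with esmtps (TLS1.2) (Exim 4.94)
\t(envelope-from <mobilfilmizle@vmi711998.hackedhostingserver.com>)
\tfor victim@mydomain.com; Tue, 28 Jun 2022 17:13:57 +0200
From: Your Government <noreply@govdomain.com>
Subject: You bla bla bla (replaced)

(body omitted)
"""
# Constructed DNS: the government domain publishes the record quoted in the post, the hacked
# host publishes nothing (that is what SPF_NONE / SPF_HELO_NONE report). The DMARC record
# is an assumption for illustration; the post does not say whether one exists.
SPF_RECORDS = {"govdomain.com": "v=spf1 -all"}
DMARC_RECORDS = {"govdomain.com": "v=DMARC1; p=reject"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SRS0_RE = re.compile(r"^SRS0=[^=]+=[^=]+=([^=]+)=(.+)@[^@]+$")


def decode_srs0(address):
    """Recover the original MAIL FROM from an SRS0-rewritten address, or None."""
    m = SRS0_RE.match(address)
    return f"{m.group(2)}@{m.group(1)}" if m else None


def check_spf(domain, ip, records):
    """Toy SPF evaluator: RFC 7208 result names; ip4/ip6/all only (no include, a, mx)."""
    record = records.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            matched = True
        elif name.lower() in ("ip4", "ip6") and arg:
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"unsupported mechanism: {term}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no explicit 'all'


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_result(from_domain, spf_domain, spf_result, dmarc_record):
    """DMARC on the SPF leg only; the post's message carries no DKIM-Signature at all."""
    if spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain):
        return ("pass", "none")
    policy = re.search(r"\bp=(\w+)", dmarc_record)
    return ("fail", policy.group(1) if policy else "none")


def analyse(raw, spf_records, dmarc_records):
    msg = message_from_string(raw)
    received = msg["Received"]  # first Received header: the one added by the receiving MTA
    helo = re.search(r"from\s+(\S+)", received).group(1)
    ip = re.search(r"\[(\d+(?:\.\d+){3})\]", received).group(1)
    mail_from = re.search(r"envelope-from\s+<([^>]+)>", received).group(1)
    header_from = parseaddr(msg["From"])[1]
    mail_from_domain, from_domain = mail_from.rpartition("@")[2], header_from.rpartition("@")[2]
    result = {
        "helo": helo,
        "mail_from": mail_from,
        "srs_decoded_return_path": decode_srs0(parseaddr(msg["Return-path"])[1]),
        "header_from": header_from,
        # the two identities SPF evaluates (SpamAssassin's SPF_HELO_* and SPF_* rules)
        "spf_helo": check_spf(helo, ip, spf_records),
        "spf_mailfrom": check_spf(mail_from_domain, ip, spf_records),
        # what the poster expected: the From: domain's record would fail, but SPF never consults it
        "spf_if_it_used_header_from": check_spf(from_domain, ip, spf_records),
    }
    policy = dmarc_records.get(org_domain(from_domain))
    result["dmarc"] = (dmarc_result(from_domain, mail_from_domain, result["spf_mailfrom"], policy)
                       if policy else ("none", "no DMARC record"))
    return result


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE, SPF_RECORDS, DMARC_RECORDS).items():
        print(f"{key:28} {value}")
```

Run as a script, the `spf_helo` and `spf_mailfrom` entries come back `none`, matching the two 0.0 rules in the post's tally, because the domain SPF is asked about is the hacked host, which publishes no record; `spf_if_it_used_header_from` is `fail`, which is the result the poster expected but which no SPF check ever produces for a From: header. Only the `dmarc` entry carries the From: domain's policy, and only if that domain publishes a DMARC record: without one, a receiver has nothing that links the authenticated envelope identity to the displayed sender.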