How is this spammer spoofing my email?

I've lately - for the past week or so - been getting 'I recorded you' spam. And I'm wondering how they succeed in getting it through. How do they get the emails to pass SPF and DMARC? I know there are some email experts here.

Here are the headers:

Delivered-To: (My Gmail address)
Received: by 2002:a2e:988f:0:b0:2d4:6a22:3c38 with SMTP id b15csp921608ljj;
Thu, 28 Mar 2024 12:51:39 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCUbDrFunghvmIMxM3+2M4WsatMXIHWBs8p/ZuCi5/wCCpQNB3CMh+5KETfw4HqGXWiZ7CBXmTKXKFsWyuQVf+SCAtKwuw==
X-Google-Smtp-Source: AGHT+IEfBQ30sbo3VBrHn5uW6tmSVzfM2D4ddJ2KeFS6Drp2Jt2nbt/xsKJMsHXj2/Y1PSM0bYmT
X-Received: by 2002:a5d:4903:0:b0:341:a6d9:841 with SMTP id x3-20020a5d4903000000b00341a6d90841mr65472wrq.0.1711655499744;
Thu, 28 Mar 2024 12:51:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1711655499; cv=none;
d=google.com; s=arc-20160816;
b=XVinhNCMi0Jce1r3qUUeNj4uJS4zeONzrTZuFczTiST8FsgZsmyAC1ewxJtm0lzzSG
sqAbfUE9HnU4erog6qJw7eSac2qUAlY5AS4SRyPmKtFw2Q0rHecnL77v/rvSrit0QREu
gNR5hfnzdi6tLeRF675RhGCzq3J7Q6bFW7X2Qif8R+EDctts/OvJ1B/NgLSmcvxE7Aul
p6/hdqoDCSmu8cdeHkyGUx8mZ9f3pKxubRuN9bdkv4JAq955Mna0z64U6W+v1dnvnCqt
VZxh7xKit3XNyK8hHi4+GUBBb2gTw2KZty3paqklb27BKpBojGfJ6TGRyjFZc/nObVsw
A51g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:message-id:date:subject:to:from;
bh=nX1r8a34Atd5brCcI8O0pnz5HiaFp5b5yS54bfv/hGM=;
fh=2k3OZ4C8ncGztL1hF0+XRTG5LK4iChfciRm0EWnoau8=;
b=xVCquvo9OVgBytTloJB0y29Jr5bQzwWcfdNnqUR+S3Mqj1K73Bb8Q0JntyvHMZxs0t
2vimwDHlMy00ejC8Ogcc4T6c69XkN8dQBrs5qZfotmqFVrSwPhoq3BU47niJzE8zVPdK
FE+97lPzQznlAoH0ACJHWA7TmIjGC7YoSaEVBjc3aAYsMYYgRrevzm5c4h/buFrvHxe6
EN78C0qmYoc9xixHKSWPMmDgW+dh7bFhz9OF0y+MXPURtloXV9SNFcvPsgi8k2GtWZXJ
AX8F7bUrWm+NvktiAzSgJCwKxJzdVeilyuGs+/wMj1HdtLZf+2Fp40kSruWqpwEDosXa
8Tgw==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of (My email on my domain) designates 213.171.216.218 as permitted sender) smtp.mailfrom=(My email on my domain);
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=(My domain)
Return-Path: <(My email on my domain)>
Received: from mailserver-out.cmp.livemail.co.uk (o365.cmp.livemail.co.uk. [213.171.216.218])
by mx.google.com with ESMTPS id g6-20020a056000118600b0033ed8940dfasi1150824wrx.762.2024.03.28.12.51.39
for <My Gmail address>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 28 Mar 2024 12:51:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of (My email on my domain) designates 213.171.216.218 as permitted sender) client-ip=213.171.216.218;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of (My email on my domain) designates 213.171.216.218 as permitted sender) smtp.mailfrom=(My email on my domain);
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=(My domain)
Received: from mailserver.cmp.livemail.co.uk (mailserver.cmp.livemail.co.uk [213.171.216.40]) by mailserver-out.cmp.livemail.co.uk (Postfix) with ESMTPS id 5A60EE0044 for <(My email on my domain)>; Thu, 28 Mar 2024 19:51:39 +0000 (GMT)
Received: from [45.12.27.203] (unknown [45.12.27.203]) by mailserver.cmp.livemail.co.uk (Postfix) with ESMTP id 3848A40615 for <(My email on my domain)>; Thu, 28 Mar 2024 19:51:37 +0000 (GMT)
Received: from spbrebi ([8.150.251.104]) by 02405.com with MailEnable ESMTP; Thu, 28 Mar 2024 21:51:44 +0200
Received: (qmail 20318 invoked by uid 203); 28 Mar 2024 21:51:42 +0200
From: (My email on my domain)
To: (My email on my domain)
Subject: I RECORDED YOU!
Date: Thu, 28 Mar 2024 21:51:44 +0200
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-type: text/plain;

I've bolded the egregious bits.

Whois says the IP address 45.12.27.203 is from Ukraine. 02405.com is Chinese. No results are found for 8.150.251.104 but isn't that Google or Xerox? Chrome says the security certificate for 02405.com is invalid.

My domain is hosted by Fasthosts and has catch-all forwarding to my GMail account. It does not in itself have email capability. I have four TXT records in DNS:

HOST NAME   VALUE
(blank)     v=spf1 a ip4:213.171.216.0/24 mx ~all
(blank)     v=spf1 include:_spf.google.com ~all
(blank)     v=spf1 a ip4:213.171.216.0/24 ip4:77.68.64.0/27 mx ~all
_dmarc      v=DMARC1;p=none

The emails do not appear in my Sent folder so I'm not actually sending them. Malwarebytes gives me a clean bill of health.

So, how are they doing it? I've been out of the game for over a decade. To be on the safe side I have changed my GMail password.

BTW and just for the record, no, I haven't been recorded in compromising acts.
If I read those headers right, the SPF pass is from Google accepting the email from Fasthosts, not Fasthosts from the original sender. Fasthosts probably blanket accept any email for your domain without checking.

The DMARC policy is none - which does nothing. You should use it with an rua= entry to get reports on how your SPF and DKIM policies are (or are not) working before moving to a more restrictive policy.

No results are found for 8.150.251.104 but isn't that Google or Xerox?

No, 8.128.0.0 - 8.191.255.255 is managed by APNIC, and looking at their whois response that address is part of the Alibaba cloud.
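A small added script (not from this thread, and not anyone's production tooling) that applies the reply's two points to the headers quoted above: it walks the Received chain to find the host that first injected the message, compares that with the client-ip Google actually evaluated SPF against, and checks whether a _dmarc record enforces anything or requests reports. It also flags the RFC 7208 rule that a name may publish only one v=spf1 record (more than one yields permerror). The sample headers are a constructed excerpt with placeholder addresses; the relay IPs are the ones shown in the thread.

```python
import re

# Constructed header excerpt modelled on the thread's headers (addresses
# replaced with placeholders; relay IPs are the ones shown in the thread).
SAMPLE_HEADERS = """\
Received-SPF: pass (google.com: domain of user@example.org designates 213.171.216.218 as permitted sender) client-ip=213.171.216.218;
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=user@example.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.org
Received: from mailserver-out.cmp.livemail.co.uk (o365.cmp.livemail.co.uk. [213.171.216.218]) by mx.google.com with ESMTPS id PLACEHOLDER
Received: from mailserver.cmp.livemail.co.uk (mailserver.cmp.livemail.co.uk [213.171.216.40]) by mailserver-out.cmp.livemail.co.uk (Postfix) with ESMTPS id 5A60EE0044
Received: from [45.12.27.203] (unknown [45.12.27.203]) by mailserver.cmp.livemail.co.uk (Postfix) with ESMTP id 3848A40615
Received: from spbrebi ([8.150.251.104]) by 02405.com with MailEnable ESMTP; Thu, 28 Mar 2024 21:51:44 +0200
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"

def received_hops(headers):
    """Return [(sending_ip, receiving_host), ...] in transit order, earliest
    hop first. Received headers are prepended, so the parsed list is reversed."""
    hops = []
    for line in headers.splitlines():
        if line.startswith("Received: from "):
            ip = re.search(r"\[" + IP + r"\]", line)
            by = re.search(r"\bby (\S+)", line)
            hops.append((ip and ip.group(1), by and by.group(1)))
    return hops[::-1]

def spf_checked_ip(headers):
    """The client IP the receiving MX actually evaluated SPF against."""
    m = re.search(r"^Received-SPF:.*client-ip=" + IP, headers, re.M)
    return m and m.group(1)

def spf_pass_is_for_forwarder(headers):
    """True when the SPF pass vouches for a later relay (here the forwarding
    host) rather than for the host that first injected the message."""
    origin_ip = received_hops(headers)[0][0]
    checked = spf_checked_ip(headers)
    return checked is not None and checked != origin_ip

def dmarc_policy(txt):
    """Parse a _dmarc TXT record: is it enforcing, and are reports requested?"""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return {"p": tags.get("p", "none"),
            "enforcing": tags.get("p") in ("quarantine", "reject"),
            "reports": "rua" in tags}

def spf_record_problems(txt_records):
    """RFC 7208 s3.2: a name must publish exactly one v=spf1 record; more
    than one makes SPF evaluation return permerror."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return "multiple SPF records (permerror)" if len(spf) > 1 else None
```

On the sample, the SPF check is against 213.171.216.218 (the forwarder) while the chain starts at 8.150.251.104, so the pass says nothing about the original sender; the p=none record parses as non-enforcing with no rua.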