
Malicious From: field able to bypass DMARC

Ravenstar
2018-11-30
2019-03-07
  • Ravenstar

    Ravenstar - 2018-11-30

    I received a spam email today claiming to be from Amazon.

    In the email was the following From: line

    From: "Amazon.co.uk" <campaign-response@amazon.co.uk> <info@mejorargentina.com>
    

    On Virgin Media's server the Authentication checks ended up being done against the latter address.

    Authentication-Results: ukmail.iss.as9143.net;
     spf=pass (200.26.191.13;mejorargentina.com);
     dkim=pass header.d=mejorargentina.com;
     dmarc=none header.from=mejorargentina.com (dis=no_record);
    

    I tried sending a dummy mail with a similar from header from a blueyonder address to my own domain hosted with mail in a box.

    From: "Timothy Dutton" <tim@amazon.co.uk> <*********@blueyonder.co.uk>
    

    The DMARC authentication gave pass.

    Authentication-Results: box.timothydutton.co.uk; dmarc=pass header.from=amazon.co.uk
    Authentication-Results: box.timothydutton.co.uk; dkim=pass
        reason="2048-bit key; unprotected key"
        header.d=blueyonder.co.uk header.i=@blueyonder.co.uk
        header.b=PqyE8fYb; dkim-adsp=discard (unprotected policy);
        dkim-atps=neutral
    

    As a final check I crafted a mail using only a fake amazon.co.uk address in the From: field.

    From: Timothy Dutton <timdutt@amazon.co.uk>
    

    This mail did fail on DMARC as expected.

    Authentication-Results: box.timothydutton.co.uk; dmarc=fail header.from=amazon.co.uk
    Authentication-Results: box.timothydutton.co.uk; dkim=pass
        reason="2048-bit key; unprotected key"
        header.d=blueyonder.co.uk header.i=@blueyonder.co.uk
        header.b=g+m5UnYB; dkim-adsp=discard (unprotected policy);
        dkim-atps=neutral
    

    I think this needs looking into urgently as it really makes a mess of the trust in DMARC checks. While the From: field can support multiple addresses, they should normally have a comma between them (and there should in this case be a Sender: field to indicate which account the mail was sent from).

    Clearly people can be fooled into thinking a spoofed email address is genuine when in fact it's not.

    Tim

     
    • Michael

      Michael - 2019-03-07

      Gmail will also give this a dmarc pass. Is this a problem with opendmarc, or with the way email clients display the from header?

       
  • hmiller

    hmiller - 2018-12-06

    I'm seeing the same bug with opendmarc-1.3.2-0.12.el7.x86_64.rpm

    client=outbound-smtp08.blacknight.com[46.22.139.13]
    helo=outbound-smtp08.blacknight.com
    From: service-online@paypal.com,luke@biomedservices.ie
    Subject: "PayPal payment received"
    Tests: [BAYES_00=-1.9,DKIM_ADSP_DISCARD=10,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.723,SPF_PASS=-0.001,T_KAM_HTML_FONT_INVALID=0.01]
    opendmarc: SPF(mailfrom): luke@biomedservices.ie pass
    opendmarc: paypal.com pass

     
    • Benny Pedersen

      Benny Pedersen - 2018-12-06

      hmiller skrev den 2018-12-06 10:47:

      I'm seeing the same bug with opendmarc-1.3.2-0.12.el7.x86_64.rpm

      opendmarc: SPF(mailfrom): luke@biomedservices.ie pass
      opendmarc: paypal.com pass


      Malicious From: field able to bypass DMARC [1]

      clearly a bug, there is no dmarc on biomedservices.ie

      try opendmarc build from github

       
  • Dominic

    Dominic - 2019-03-07

    My feeling is that in the OP's original example this should pass:
    From: "Amazon.co.uk" <campaign-response@amazon.co.uk> <info@mejorargentina.com>
    because the From header address is info@mejorargentina.com, and the earlier part of the line is just the 'text'. I agree though that it looks confusing - intentionally on the part of the malicious sender. Blocking it, although logical, is (I suspect, have not checked) a breach of the DMARC spec.

     
    • Michael

      Michael - 2019-03-07

      Yes, I think both opendmarc and gmail are treating "Amazon.co.uk" <campaign-response@amazon.co.uk> as the name part of the from header, and checking the last address for dmarc alignment. Maybe that's part of the spec, I don't know. But I have seen people exploiting this in the wild. It's confusing to end user and admin alike, and some email clients don't make it clear who the email is really from.
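As an added example (not opendmarc's code and not anything posted in this thread), the scanner below walks a From: value the way a receiver-side policy filter could: it records every mailbox in the header rather than only the one a lenient parser keeps, and it declines to pick an alignment domain when more than one domain is present. RFC 7489 section 6.6.1 permits exactly that for a From: with multiple domains (reject the message, or evaluate every domain and apply the strictest policy), which is the behaviour the OP and hmiller expected and did not get. It runs against the Amazon header from the original post and hmiller's comma-separated PayPal header as quoted above; the `tim@example.net` header and the single-address `"Amazon.co.uk" <info@mejorargentina.com>` variant are constructed here to show the display-name check that Michael's reading of the Gmail behaviour calls for. The flag names and the `audit_from` summary format are this example's own.

```python
"""Added example: enumerate every mailbox in a From: header and pick the DMARC
alignment domain only when that is unambiguous.  Not opendmarc's code."""

import re

# From: values quoted from this thread.
SPOOF_OP = '"Amazon.co.uk" <campaign-response@amazon.co.uk> <info@mejorargentina.com>'
SPOOF_COMMA = 'service-online@paypal.com,luke@biomedservices.ie'
CLEAN = 'Timothy Dutton <timdutt@amazon.co.uk>'
# Constructed for this example: a quoted display name containing a comma, and
# the single-address shape a parser sees if it folds the first angle-addr
# into the display name.
CLEAN_QUOTED = '"Dutton, Timothy" <tim@example.net>'
LOOKALIKE = '"Amazon.co.uk" <info@mejorargentina.com>'

_DOMAINISH = re.compile(r'\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b', re.I)


def _clean_display(text):
    """Trim whitespace and one pair of surrounding quotes from a display name."""
    name = text.strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    return name


def parse_from_mailboxes(value):
    """Return every mailbox in a From: value as (display_name, addr_spec).

    Quoted strings are copied through and comments dropped, so ',' or '<' inside
    a display name is not a separator.  Each '<...>' becomes its own mailbox even
    with no comma before it: that is the malformed shape in the Amazon spam, and
    a parser that keeps only the last angle-addr aligns against the wrong domain.
    """
    mailboxes = []
    buf = []                      # text seen since the last mailbox boundary
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c == '"':                                  # quoted-string
            j = value.find('"', i + 1)
            while j != -1 and value[j - 1] == '\\':   # skip escaped quotes
                j = value.find('"', j + 1)
            if j == -1:
                j = n - 1
            buf.append(value[i:j + 1])
            i = j + 1
        elif c == '(':                                # comment: discard
            j = value.find(')', i)
            i = n if j == -1 else j + 1
        elif c == '<':                                # angle-addr ends a mailbox
            j = value.find('>', i)
            if j == -1:
                j = n
            mailboxes.append((_clean_display(''.join(buf)), value[i + 1:j].strip()))
            buf = []
            i = j + 1
        elif c == ',':                                # separator: bare addr-spec before it
            text = ''.join(buf).strip()
            if text:
                mailboxes.append(('', text))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    text = ''.join(buf).strip()
    if text:                                          # trailing bare addr-spec
        mailboxes.append(('', text))
    return mailboxes


def from_domains(value):
    """Distinct lower-cased domains across all mailboxes in the From: value."""
    return sorted({addr.rpartition('@')[2].lower()
                   for _, addr in parse_from_mailboxes(value) if '@' in addr})


def dmarc_evaluation_domain(value):
    """Domain to align against, or None when the header is not safe to use.

    RFC 7489 s6.6.1 lets a receiver reject a message whose From: carries more
    than one domain, or evaluate every domain under the strictest policy.
    None sends the caller down that path instead of aligning against whichever
    address a parser happened to keep.
    """
    domains = from_domains(value)
    return domains[0] if len(domains) == 1 else None


def display_name_lookalike(display, addr):
    """True if the display name holds an address, or a domain other than addr's own."""
    real = addr.rpartition('@')[2].lower()
    if '@' in display:
        return True
    return any(m.group(0).lower() != real for m in _DOMAINISH.finditer(display))


def audit_from(value):
    """Summary a policy filter could log or act on for one From: value."""
    boxes = parse_from_mailboxes(value)
    domains = from_domains(value)
    flags = []
    if len(domains) != 1:
        flags.append('multiple-from-domains' if domains else 'no-address')
    if any(display_name_lookalike(d, a) for d, a in boxes):
        flags.append('display-name-lookalike')
    return {'mailboxes': boxes, 'domains': domains,
            'dmarc_domain': dmarc_evaluation_domain(value), 'flags': flags}


if __name__ == '__main__':
    for hdr in (SPOOF_OP, SPOOF_COMMA, CLEAN, CLEAN_QUOTED, LOOKALIKE):
        print(hdr)
        for key, val in audit_from(hdr).items():
            print(f'  {key}: {val}')
```

The multi-domain check belongs at the MTA or milter, where the message can still be rejected or quarantined; the display-name check is a softer signal that fits a spam score, since a legitimate "Amazon.co.uk" display name over a real amazon.co.uk address will not trigger it. Neither replaces the client-side fix Michael is pointing at: a mail user agent that shows only the display name hides exactly the mismatch these two checks surface.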

       
