Cases of email address spoofing?


 

Hi everyone,

 

There is a mailing list hosted on Groups.IO that’s going through a case of email address spoofing. A few days ago, someone spoofed the email address of another member, and despite attempts by the owner (not me) to calm the situation, it happened again this morning. I have notified the owner of the said group and other admins, as well as reported this to Mark for further investigations.

 

With that in mind, did other admins have similar incidents on their Groups.IO addresses? I don’t have it on my groups, but thought I’d ask.

 

Cheers,

Joseph


Joseph Hudson <jhud7789@...>
 

Hi Joseph, that group is the only one that I've noticed it on. I haven't noticed it on any other groups. And now we're messing with the team of mystic access. There's got to be something funny going on here.

On Nov 24, 2017, at 2:39 PM, Joseph Lee <joseph.lee22590@gmail.com> wrote:

Hi everyone,

There is a mailing list hosted on Groups.IO that’s going through a case of email address spoofing. A few days ago, someone spoofed the email address of another member, and despite attempts by the owner (not me) to calm the situation, it happened again this morning. I have notified the owner of the said group and other admins, as well as reported this to Mark for further investigations.

With that in mind, did other admins have similar incidents on their Groups.IO addresses? I don’t have it on my groups, but thought I’d ask.

Cheers,
Joseph


 

Joseph,

> A few days ago, someone spoofed the email address of another member, and
> ... it happened again this morning.

I'd have a close look at the Received, X-Received, and other fields in the spoofed messages' headers to see if I could determine the origin (IP address) of the messages. It isn't always possible, it depends on whether the sending email service reveals it. Sometimes just knowing the sending service can be enough info, if it isn't a common one.

If so, I'd search my email folder for other occurrences of that IP address to see if I can implicate a member who's posted in the past. But that's predicated on having kept group messages in a folder in Thunderbird or another email interface which allows one to search for header field contents. It is also predicated on the malcontent (spoofer) not taking precautions to obscure his trail.

> I have notified the owner of the said group and other admins, as well
> as reported this to Mark for further investigations.

Good.

A recent #changelog message indicated that Mark has started keeping SPF result information for incoming messages. That might help in this case, and could prevent future cases. Although every time a service like Groups.io tightens the requirements for email posting it risks cutting off a few legit users along with the riffraff.

Shal


 

Joseph,

On Fri, Nov 24, 2017 at 1:40 PM, Shal Farley <shals2nd@...> wrote:

>> A few days ago, someone spoofed the email address of another member, and
>> ... it happened again this morning.

> I'd have a close look at the Received, X-Received, and other fields in the spoofed messages' headers to see if I could determine the origin (IP address) of the messages. It isn't always possible, it depends on whether the sending email service reveals it. Sometimes just knowing the sending service can be enough info, if it isn't a common one.

This is good advice. If viewing the message headers on the Groups.io website, the first Received line will contain the IP address that connected with the Groups.io servers to send the email. That's basically all the info we have.


> A recent #changelog message indicated that Mark has started keeping SPF result information for incoming messages. That might help in this case, and could prevent future cases. Although every time a service like Groups.io tightens the requirements for email posting it risks cutting off a few legit users along with the riffraff.

Yep, and this is why I'm starting to look at that stuff. I first need to verify that the SPF parsing library I'm using is doing the right thing (it isn't in at least one case, so I need to fix it), and then I need to see how it will impact people, especially combined with something like DMARC.

Thanks,
Mark
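Shal's suggestion to read the origin out of the Received headers, and Mark's note that the first Received line holds the IP that connected to Groups.io, as an added Python example (not code from the thread or from Groups.io). The messages, host names and IP addresses are constructed; the regex and the saved-folder scan are the example's own.

```python
"""Added example (not code from the thread or from Groups.io): read the
connecting host out of the topmost Received header, then look for other saved
messages carrying the same IP. Messages and IPs are constructed samples."""
import re
from email import message_from_string
from email.utils import parseaddr

# The "[1.2.3.4]" part of a Received header's "from host (name [ip])" clause.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Received headers top-down, whitespace-normalised. Only the first was
    written by the receiving server (Groups.io in the thread); the rest were
    written by earlier hops and can say whatever the sender wanted."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def connecting_ip(raw):
    """IP that connected to the receiving server, or None if not revealed."""
    chain = received_chain(raw)
    match = _BRACKETED_IP.search(chain[0]) if chain else None
    return match.group(1) if match else None

def messages_with_ip(folder, ip):
    """Shal's follow-up check: From addresses of saved messages whose
    Received chain mentions the same IP anywhere, not just at the top hop."""
    hits = []
    for raw in folder:
        if any(ip in _BRACKETED_IP.findall(h) for h in received_chain(raw)):
            hits.append(parseaddr(message_from_string(raw)["From"])[1])
    return hits

# Constructed sample: a post claiming to be From a member, delivered by a
# host that is not that member's mail provider (192.0.2.x is a doc range).
SPOOFED = """\
Received: from mail.other.example (mail.other.example [192.0.2.77])
\tby mx.groups.example (Postfix) with ESMTPS id ABC123
\tfor <main@groups.example>; Fri, 24 Nov 2017 09:01:00 -0800
Received: from [10.0.0.5] by mail.other.example; Fri, 24 Nov 2017 09:00:58 -0800
From: Alice Member <alice@member.example>
Subject: test

body
"""

# Constructed "folder" of earlier group messages kept in a mail client.
SAVED_FOLDER = [
    """\
Received: from mail.other.example (mail.other.example [192.0.2.77])
\tby mx.groups.example (Postfix); Mon, 20 Nov 2017 10:00:00 -0800
From: Bob Member <bob@other.example>
Subject: earlier post

body
""",
    """\
Received: from smtp.member.example (smtp.member.example [198.51.100.9])
\tby mx.groups.example (Postfix); Tue, 21 Nov 2017 11:00:00 -0800
From: Alice Member <alice@member.example>
Subject: earlier post

body
""",
]
```

Only the topmost Received header is evidence; the ones beneath it were written by other servers and prove nothing on their own.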


 

Mark,

> ... and then I need to see how it will impact people, especially
> combined with something like DMARC.

It is possible that evaluating the incoming message according to DMARC criteria would help avoid cutting off a few of the legit users, those with a traditional relay in their path at least.

The kind of legit spoof I used to do, sending work email from my home service, or vice versa, would I think wind up with a valid DKIM, but not aligned - so it would not pass DMARC either.

That said, there are probably far more use cases out there than I can imagine. I hope none of them rule out the possibility of using SPF to verify email commands in most cases.

As a filter for message submission SPF alone may be too strict, as may be DMARC, unless you can think of a good work-around for the legit users. Maybe something similar to the Email Alias in their account, a sender (envelope from) alias.

Shal


Sarah k Alawami
 

I doubt this is the same, but sometimes I use a VPN to route my traffic somewhere else. I have to in some of my cases. Would that get me into trouble? I know what email spoofing is, I've had it done to me a few times by the way, but thought I'd ask anyway since every so often I need to pretend I'm somewhere when I'm really not in terms of internet.

On Nov 25, 2017, at 9:43 AM, Shal Farley <shals2nd@gmail.com> wrote:

Mark,

> ... and then I need to see how it will impact people, especially
> combined with something like DMARC.

It is possible that evaluating the incoming message according to DMARC criteria would help avoid cutting off a few of the legit users, those with a traditional relay in their path at least.

The kind of legit spoof I used to do, sending work email from my home service, or vice versa, would I think wind up with a valid DKIM, but not aligned - so it would not pass DMARC either.

That said, there are probably far more use cases out there than I can imagine. I hope none of them rule out the possibility of using SPF to verify email commands in most cases.

As a filter for message submission SPF alone may be too strict, as may be DMARC, unless you can think of a good work-around for the legit users. Maybe something similar to the Email Alias in their account, a sender (envelope from) alias.

Shal



 

Would this sort of check have an adverse impact on a legitimate user using the
TOR network for email or for posting via the web site? I don't, but some people
do, and more people may start using it as some governments try to increase
their snooping and censorship.

Jim Fisher

On 24 Nov 2017 at 20:28, Mark Fletcher wrote:

Yep, and this is why I'm starting to look at that stuff. I first need to
verify that the SPF parsing library I'm using is doing the right thing (it
isn't in at least one case, so I need to fix it), and then I need to see
how it will impact people, especially combined with something like DMARC.

Thanks,
Mark
--
http://jimellame.tumblr.com - My thoughts on freedom (needs updating)
http://jimella.wordpress.com - political snippets, especially economic policy
http://jimella.livejournal.com - misc. snippets, some political, some not
Forget Google! I search with https://duckduckgo.com which doesn't spy on you


 

Jim,

> Would this sort of check have an adverse impact on a legitimate user
> using the TOR network for email or for posting via the web site?

What I'm suggesting is only a filter for incoming email, so it would have no effect on posting or other access via the Groups.io web site.

I'm not sure how someone would use TOR with email.

If TOR is hiding their access to their email service that would have no effect: my proposed check matches the domain in the From address with the connection that delivered the message to Groups.io.

I'm not sure if this is possible, but if there is an email service which somehow uses TOR to hide the path from itself to Groups.io then yes, that would fail the test I propose, and might fail a conventional SPF check. But as long as the TOR path didn't alter the body of the message, nor certain headers, then the delivered message might pass the From-aligned DKIM portion of a DMARC check. And that could be a good reason to use that (but not the SPF portion of DMARC) as an OR condition for inbound messages.

Shal


 

Sarah,

> I doubt this is the same, but sometimes I use a VPN to route my traffic
> somewhere else. ... Would that get me into trouble?

I don't think so. At least, not solely due to the VPN.

For posting messages here the only thing that would be required (if Mark adopts my suggested filtering) would be that you send messages from the email service matching your email From address. That is, if your group messages are From yourname @ example.com then you must send the message from an account at example.com. A message arriving "From" your address but actually delivered by some other service would be a "spoof".

So you can use a VPN tunnel to connect to your email service and send messages to Groups.io, and that's ok.

If you log in to Groups.io's web site via a VPN tunnel I don't think that's a problem either.

Shal


Sarah k Alawami
 

Yeah I thought that would be ok, but it never hurts to ask. I'll have to do this when I go back home in a year to get some stuff done as they block about 90 percent of the sites I visit over there. Oh well.

Thanks all and I'll leave you all alone now, at least until I have another question or bug report. Lol!

Take care all.

On Nov 25, 2017, at 1:56 PM, Shal Farley <shals2nd@gmail.com> wrote:

Sarah,

> I doubt this is the same, but sometimes I use a VPN to route my traffic
> somewhere else. ... Would that get me into trouble?

I don't think so. At least, not solely due to the VPN.

For posting messages here the only thing that would be required (if Mark adopts my suggested filtering) would be that you send messages from the email service matching your email From address. That is, if your group messages are From yourname @ example.com then you must send the message from an account at example.com. A message arriving "From" your address but actually delivered by some other service would be a "spoof".

So you can use a VPN tunnel to connect to your email service and send messages to Groups.io, and that's ok.

If you log in to Groups.io's web site via a VPN tunnel I don't think that's a problem either.

Shal



 

Mark,

> I first need to verify that the SPF parsing library I'm using is doing
> the right thing ...

SPF normally checks the RFC5321.MailFrom ("envelope from"), which I think may be too permissive to counter some of the abuse scenarios I contemplate for email commands (and possibly message submission). This can be solved by requiring that it check instead the 5322 ("header From") domain, or require that the two be aligned.

1) Can your library do that, or can you readily do that with the library's results?

2) As I've mentioned before, I understand that using "header From" will be too strict for some legit use cases. For commands that's easily handled by reverting to the current practice of sending a confirmation request message. For message posts some more convenient (for the sender) mitigation would be preferable.

Shal


Drew
 

Pseudonymous remailers are used to send and receive untraceable email (aka nym servers).

Instead of blocking email because it fails SPF or DKIM (if that is what's being proposed) might Groups.io simply stamp a conspicuous warning on the email and let subscribers make their own determination?

FWIW, there is at least one add-on for Thunderbird email that displays the result of DKIM verification by shading the "From" header with different colors. Perhaps Groups.io would want to do something similar.

Drew


 

Drew,

> Instead of blocking email because it fails SPF or DKIM (if that is
> what's being proposed) ...

My original proposal had only to do with email commands. I chimed in on this topic about spoofed message postings because some similar techniques might apply.

> ... might Groups.io simply stamp a conspicuous warning on the email
> and let subscribers make their own determination?

That would be one way to mitigate the inconvenience (to the sender). Another would be to force such messages into moderation, but that creates an inconvenience for the moderators.

> Pseudonymous remailers are used to send and receive untraceable email
> (aka nym servers).

I'm not familiar with their use, but from what I understand as long as the group subscription has the nym's address then those messages should pass SPF and therefore DMARC, should pass my test (header-from aligned with SPF), and if the nym server signs the message correctly would pass DKIM as well.

That is, I don't know if Groups.io would know that the message came from a nym server, except by having a list of nym server domains.

Shal


 

Shal,

>> I doubt this is the same, but sometimes I use a VPN to route my traffic
>> somewhere else. ... Would that get me into trouble?

> I don't think so. At least, not solely due to the VPN.

> For posting messages here the only thing that would be required (if Mark
> adopts my suggested filtering) would be that you send messages from the
> email service matching your email From address. That is, if your group
> messages are From yourname @ example.com then you must send the message
> from an account at example.com. A message arriving "From" your address
> but actually delivered by some other service would be a "spoof".

That sounds as if it might give me a problem. My email address domain is
jimella.co.uk. That is not where my messages are sent from, but is my own
domain name and through which I receive messages. My outgoing messages are sent
directly via my ISP (Talktalk), which is not where my domain name is registered
and located. I've been working that way since 1996 with no problems so far! I'm
sure I'm not the only one to use that sort of system.

Jim


 

Shal,

> I'm not sure how someone would use TOR with email.

> If TOR is hiding their access to their email service that would have no
> effect: my proposed check matches the domain in the From address with
> the connection that delivered the message to Groups.io.

> I'm not sure if this is possible, but if there is an email service which
> somehow uses TOR to hide the path from itself to Groups.io then yes,
> that would fail the test I propose, and might fail a conventional SPF
> check. But as long as the TOR path didn't alter the body of the message,
> nor certain headers, then the delivered message might pass the
> From-aligned DKIM portion of a DMARC check. And that could be a good
> reason to use that (but not the SPF portion of DMARC) as an OR condition
> for inbound messages.

The TOR browser automatically uses the TOR network, but as far as I know has no
built in email facilities. However, the TOR network was in use for quite a time
before they produced the browser. I understand (I haven't tried it) that to use
the network without the browser the user installs a piece of software which
effectively sits between all their applications and their router. The only
change it makes to what is sent is to the destination address and to encrypt
the content, so there would be no change to any of the headers in the message.
However, the actual path used is hidden from the destination (in this case the
Groups.io server) in that it is passed through several TOR servers on the way,
and only the last of these would be seen by Groups.io as the source (usually
not even in the same country as the originator).

Use of TOR can have surprising effects for the user. I recently tried, as an
experiment, using the TOR browser to access a Yahoo group. Yahoo reacted in
two ways. First, it switched me to French language because it thought I was in
France (I am in UK) - fortunately I can read French so it wasn't a problem.
Secondly, and reassuringly, it sent me an email warning that my account had
been accessed from an unexpected location and I might need to change my
password. Would Groups.io do either of those, I wonder? Would we want it to?

Jim


 

Jim,

> That is not where my messages are sent from, but is my own domain name
> and through which I receive messages. My outgoing messages are sent
> directly via my ISP (Talktalk), which is not where my domain name is
> registered and located.

Yup, the filter I propose would catch your messages, where straight SPF would pass them.

One work-around (I think) would be for you to enter your ISP email address into the Email Alias field in your account's Email Alias field (at the bottom of the Login page in your account), then have your ISP send your messages without spoofing your domain address.

Groups.io would then recognize your ISP address as an alias for your domain address and allow your sent messages to post while still sending outbound messages to your domain address.

Shal


Linda
 

Hi, My domain mail provider requires that mail be sent through my ISP, same as Jim's.  Linda


Arno Martens
 

Mon, 27 Nov 2017 05:19:01 -0800, "Linda" <lindon@thetravelzine.com>,
wrote:
> Hi, My domain mail provider requires that mail be sent through my ISP, same as Jim's.  Linda

My Gmail is set as POP3 and I have a persona in my regular client for
that.
Just sent a reply to the above and it was rejected, as it should be, but
Google blames IO [;->)]:
=======================================
Subject: Delivery Status Notification (Failure)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Date: Mon, 27 Nov 2017 05:35:45 -0800 (PST)

** Message not delivered **

Your message couldn't be delivered to main@beta.groups.io because the
remote server is misconfigured. See technical details below for more
information.

Learn more here: https://beta.groups.io/g/main/join
(Warning: This link will take you to a third-party site)

The response was:

500 Error: Your email address, ------@gmail.com, is not subscribed to
that group. To subscribe, send an email to
main+subscribe@beta.groups.io, or visit
https://beta.groups.io/g/main/join
==================================


 

Arno,

> Just sent a reply to the above and it was rejected, as it should be,
> but Google blames IO

Because the message was rejected by Groups.io:

> 500 Error: Your email address, ------@gmail.com, is not subscribed to
> that group.

I don't know what that claim that Groups.io is "misconfigured" is about.

Now, add your Gmail address to your Groups.io Account, at the bottom of the Login page, under Email Aliases. Then Groups.io should accept it as an alias for your subscription address and allow your next post from the Gmail persona.

Shal


 

On 27 Nov 2017 at 15:05, Shal Farley wrote:

>> It seems your proposal would effectively exclude me (and others like
>> me) from using Groups.io ...

> Not at all my intent, nor do I imagine that Mark would let that happen.

I didn't think either for a moment. It's the sort of unintended consequence
that can so easily arise.

> As I've said, if used to try and prevent spoofing in message posts my
> suggestion would need some form of mitigation (fix) to allow the
> legitimate use of spoofing. I fully believe that setup you use isn't
> necessarily rare or extinct. I used to do that sort of spoofing myself.
> Which is why I'm sending this reply to the group, although yours was sent
> privately.

> A fix which would not require adjustment to your process would be to add
> a field to your Groups.io Account (in the Advanced Settings drop-down on
> the Login page) which would let you designate your ISP domain as an
> allowed sender for messages with your own domain in the From field.

I could probably do that if that field were added (not sure what my ISP's
domain name is - I know it must be "talktalk.something", but whether the
"something" is net, com or co.uk I don't know but can no doubt find out).
However, that wouldn't work for a member who is email only with no access to
the web site unless there was some way for them to add it by email, but I don't
see how that could be done.

Jim
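The filter Shal proposes across the thread, as an added Python example that is not Groups.io's code: SPF pass aligned with the header From, a From-aligned DKIM pass as the OR condition, the existing subscription/alias lookup, and the allowed-sender-domain field as the mitigation for the ISP-relay setup Jim and Linda describe. It assumes the SPF and DKIM results arrive already evaluated, and its alignment rule is a simplified stand-in for DMARC's organizational-domain comparison; the member record and addresses are constructed.

```python
"""Added example (not Groups.io code): the inbound filter Shal proposes,
applied to SPF/DKIM results that an upstream check has already evaluated.
The addresses are constructed samples."""
from email.utils import parseaddr

def domain_of(addr):
    """'Name <User@Example.COM>' -> 'example.com'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def aligned(d1, d2):
    """Strict alignment is equality; relaxed also accepts a subdomain.
    Real DMARC compares organizational domains via the Public Suffix List;
    this plain suffix test is a simplification assumed by the example."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)

def inbound_decision(header_from, mail_from, spf, dkim_domains, account):
    """
    header_from  : the From: header (RFC 5322.From), what subscribers see
    mail_from    : envelope sender (RFC 5321.MailFrom), what plain SPF checks
    spf          : SPF result for mail_from's domain ("pass", "fail", "none")
    dkim_domains : d= domains of DKIM signatures that verified
    account      : the member record, with 'address', 'aliases' and
                   'allowed_sender_domains'
    Returns (decision, reason).
    """
    from_addr = parseaddr(header_from)[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    env_dom = domain_of(mail_from)

    # 0. Existing behaviour: the From address must be the subscription address
    #    or a registered Email Alias, else the "not subscribed" rejection.
    known = {account["address"].lower()}
    known.update(a.lower() for a in account.get("aliases", []))
    if from_addr not in known:
        return "reject", "From address is not subscribed"
    # 1. Shal's core test: SPF pass AND envelope domain aligned with header
    #    From. Plain SPF alone also passes a From in one domain sent via another.
    if spf == "pass" and aligned(from_dom, env_dom):
        return "accept", "SPF pass aligned with header From"
    # 2. The OR condition: a verified DKIM signature aligned with From survives
    #    a relay or tunnel that leaves the body and signed headers untouched.
    if any(aligned(from_dom, d.lower()) for d in dkim_domains):
        return "accept", "DKIM pass aligned with header From"
    # 3. Mitigation for the ISP-relay setup: the member has listed the relaying
    #    domain as an allowed sender for mail From their own domain.
    allowed = {d.lower() for d in account.get("allowed_sender_domains", [])}
    if spf == "pass" and env_dom in allowed:
        return "accept", "envelope domain is an allowed sender for this member"
    # Otherwise hold for moderation (or stamp a warning) rather than reject.
    return "moderate", "header From not aligned with any authenticated sender"

# Constructed member record: own domain, with the ISP address as an alias.
MEMBER = {
    "address": "jane@own-domain.example",
    "aliases": ["jane@isp.example"],
    "allowed_sender_domains": [],
}
```

With an empty allowed-sender list the own-domain-via-ISP message lands in moderation, which is exactly the case Shal says plain SPF would have passed; listing the ISP domain, or posting From the registered alias, lets it through.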