
Today I received a phishing mail from my own (valid) sender address (info@example.com).

I checked the e-mail header and saw that the mail was received by my valid mailserver.

Received: from mail.example.com ([::1]:36128) by domain.1blu.de (kopano-dagent)  with LMTP; Mon, 14 Nov 2022 04:45:45 +0100

SPF, DMARC and DKIM are not valid. There is no outgoing mail in my postfix log. How can the spammer send these emails?

  • Any header in an e-mail can be spoofed, including a Received one. The only rule is that it is not possible to spoof all of them... – Serge Ballesta Nov 14 '22 at 09:06
  • The question title and body do not match. The email was not sent from your server. These were sent from an outside party. What you want to know is how you received it even though SPF, DKIM, and DMARC failed? – schroeder Nov 14 '22 at 11:01
  • [::1] is not your mailserver. This spammer isn't even competent at forging MIME headers. – Ben Voigt Nov 14 '22 at 20:47
  • @BenVoigt I fail to see your point. [::1] is IPv6 localhost, that Received header could be valid – Ángel Nov 16 '22 at 01:19
  • @Ángel: But then it would be "from (some alias of domain.1blu.de)". I didn't say [::1] cannot be a mailserver, I said it is not an address for OP's mailserver. – Ben Voigt Nov 16 '22 at 15:40
  • If it's localhost, it is their server. I don't know why it would use a HELO of mail.example.com (which is likely anonymized and could actually be an obscure alias of the server) – Ángel Dec 04 '22 at 00:10

0 Answers