A slightly different informational report today, one that illustrates the benefits of setting up email authentication correctly for your domain and its outgoing mail server, and of using DMARC reporting.

I won’t go into DMARC too deeply here because there are hundreds of sites explaining how to set it up and why you should use it. I will just link to the main DMARC site.

Basically, when you publish a DMARC policy for your domain, any receiving mail server that uses DMARC as part of its authentication checks will, on receiving an email that says it comes from you, perform some simple DNS lookups against your domain. It checks your SPF record to see whether you allow the sending IP to send messages saying they come from you, checks whether the message carries a valid DKIM signature for your domain, and checks that whichever of those identifiers passes is aligned with the domain in the From: header that the recipient actually sees.

If SPF passes (the sending IP is in the domain's list of allowed senders) or DKIM passes, and the passing identifier is aligned with the From: domain, then DMARC passes and the message is accepted. If both fail, the receiver applies whatever policy is published in the domain's DMARC record: p=none (deliver but report), p=quarantine (spam folder) or p=reject (refuse outright). My DMARC instructions tell the receiving server to quarantine failed messages, rather than reject outright.

If set up correctly, this should mean that any mail server that honours DMARC and receives messages pretending to come from your email addresses will quarantine or reject them rather than deliver them normally to the recipient, and, because you have asked for reports, will tell you that it happened.
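As an added example (not code from the original post), here is the decision a receiving server makes, in Python: parse the domain's DMARC record, check SPF and DKIM identifier alignment against the From: domain, and apply the published policy. The public-suffix subset, the sample record text and the rua= address in it are constructed for illustration; the author's real record is not shown on this page.

```python
"""Evaluate a message against a domain's DMARC policy.

Added example, not code from the original post. The public-suffix subset and the sample
record are constructed for illustration; a real evaluator loads the full Public Suffix List.
"""

# Constructed subset of the Public Suffix List, enough for the domains in this post.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "me.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label more than the longest public suffix that matches."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):           # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])              # fallback when no suffix is known


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; ...' into a tag dict with the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}        # relaxed alignment unless the record says otherwise
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain, record_txt, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    DMARC passes when SPF passes for an aligned MAIL FROM domain, or DKIM passes for an
    aligned d= domain. Otherwise the published policy decides what the receiver does.
    (pct= sampling is deliberately not applied here.)
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = rec["p"]
    # sp= overrides p= when the From domain is a subdomain of the policy domain
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in rec:
        policy = rec["sp"]
    return "fail", policy


# The case from this post: the spoofer used the author's domain in both MAIL FROM and From:,
# so the identifiers align, but SPF fails (sender IP not authorised) and there is no DKIM.
# The rua= address is an assumption; the page does not show the real record.
SPOOF_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@thespykiller.co.uk"

if __name__ == "__main__":
    print(evaluate_dmarc("thespykiller.co.uk", SPOOF_RECORD, "fail", "thespykiller.co.uk", "none", ""))
```

Run as-is it prints the verdict for the spoofed message, ('fail', 'quarantine'); change aspf to s in the record and a legitimate message signed or sent from a subdomain stops aligning, which is the usual reason strict mode breaks real mail.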

I woke up this morning to a series of messages from Hotmail. At first I thought they were spam and a new malware delivery method. I would have expected Hotmail to use postmaster@ or dmarc@ or some sensible email address, not [email protected] which looks like a typical phishing or scam email address. And at least have a sensible subject. Other DMARC reject notices I have previously received from Yahoo and others have had subjects saying something like DMARC report or DMARC Notice and the original email subject in brackets. These just have the original email subject.

OK that is the DMARC bit out of the way, lets take a quick look at the IP address that actually sent the emails to Hotmail in the first place. This is mildly interesting because that tracks back to a limited company Ridgefield Pennine Ltd who are supposed to be a tech support company and internet services company. These messages were sent from 81.142.190.61 which tracks back to r-pl.co.uk which is "hosted" on a standard BT openworld internet connection. I assume somebody is using their BT infinity fibre connection to host a server.

The domain r-pl.co.uk just gives an Apache2 Ubuntu Default Page. This either means that the server is newly set up and has already been compromised, or that it hasn't been locked down properly and an infected computer on the network is relaying through it. The headers further down support the second reading: the mail enters the Postfix server from 81.142.190.59, an address in the same small block as the server's own 81.142.190.61, before being passed on to Hotmail.

Anybody can be hacked or compromised but there is a higher expectation that a tech support company or an individual offering tech support services would keep his own house in order. It is not a good advert for his services if his infrastructure is compromised. That doesn’t show the knowledge or ability to assist, protect and defend his clients properly.

There are 2 attachments to these emails: a .dat file, which is the failure report and the reasons for failing (a message/feedback-report in the ARF format of RFC 5965, which the body text links to), and a .msg file which is a copy of the original email.

One of the emails looks like this:

From : [email protected]

Date : Sat 15/07/2021 23:51

To : [email protected]

Subject : ms

Attachments: Untitled attachment 00109.dat and ms (3.21 KB).msg

Body Content:

This is an email abuse report for an email message received from IP 81.142.190.61 on Sat, 15 Jul 2021 15:51:19 -0700.

The message below did not meet the sending domain’s authentication policy.

For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

Opening the .dat (which you need to do carefully, in a text editor rather than by double-clicking, since a .dat extension can hide anything, including an executable) gives the rejection report:

Feedback-Type: auth-failure
User-Agent: XMR/2.2
Version: 1.0
Original-Mail-From: <[email protected]>
Arrival-Date: Sat, 15 Jul 2021 15:51:19 -0700
Message-ID: <22562397911521172814324@VPS>
Authentication-Results: hotmail.com; spf=fail (sender IP is 81.142.190.61; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=thespykiller.co.uk; x-hmca=fail [email protected]
Source-IP: 81.142.190.61
Auth-Failure: spf
Reported-Domain: thespykiller.co.uk
DKIM-Domain: thespykiller.co.uk

That shows an SPF fail, no DKIM signature, and Hotmail's own overall verdict of fail (x-hmca=fail), so DMARC fails and, under my quarantine policy, the message should be quarantined rather than delivered to the inbox. Don't be misled by the "identity alignment result is pass" comments: they just mean the spoofer used my domain in both the envelope sender and the From: header, which is exactly what a spoofer does. Alignment only helps when SPF or DKIM itself passes.
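The .dat is a message/feedback-report part (the RFC 5965 format the body links to), so it parses like an ordinary header block. As an added example, not the post's own code, the Python below pulls out the fields worth keeping for triage, converts the arrival time to UTC so it lines up with the Postfix log times further down, and splits Hotmail's Authentication-Results line into per-method results. The sample is reconstructed from the report above, with placeholder mailbox names where the page obfuscates them. One practical point it handles: a naive split on ';' breaks on this report because Hotmail's parenthesised comments contain semicolons.

```python
"""Parse a DMARC/ARF authentication-failure report (RFC 5965 message/feedback-report).

Added example, not code from the original post. The sample below is constructed from the
report shown above; the mailbox names (obfuscated on the page) are placeholders.
"""
import email
import re
from collections import Counter
from datetime import timezone
from email.utils import parsedate_to_datetime

SAMPLE_ARF = """\
Feedback-Type: auth-failure
User-Agent: XMR/2.2
Version: 1.0
Original-Mail-From: <info@thespykiller.co.uk>
Arrival-Date: Sat, 15 Jul 2021 15:51:19 -0700
Message-ID: <22562397911521172814324@VPS>
Authentication-Results: hotmail.com; spf=fail (sender IP is 81.142.190.61; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=info@thespykiller.co.uk; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=thespykiller.co.uk; x-hmca=fail header.from=info@thespykiller.co.uk
Source-IP: 81.142.190.61
Auth-Failure: spf
Reported-Domain: thespykiller.co.uk
DKIM-Domain: thespykiller.co.uk
"""


def parse_auth_results(value: str) -> dict:
    """Split an Authentication-Results value (RFC 8601) into authserv-id and per-method results.

    Parenthesised comments are stripped first: Hotmail's comments contain ';', so splitting
    on ';' before removing them would cut the stanzas in the wrong places.
    """
    stripped = re.sub(r"\([^)]*\)", "", value)
    stanzas = [s.strip() for s in stripped.split(";") if s.strip()]
    authserv_id = stanzas[0].split()[0]
    methods = {}
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = {"result": result.lower(), **props}
    return {"authserv_id": authserv_id, "methods": methods}


def parse_arf_report(text: str) -> dict:
    """Reduce one feedback-report part to the fields a triage script needs."""
    msg = email.message_from_string(text)
    if msg.get("Feedback-Type", "").strip().lower() != "auth-failure":
        raise ValueError("not an authentication-failure report")
    methods = parse_auth_results(msg.get("Authentication-Results", ""))["methods"]
    arrival = parsedate_to_datetime(msg["Arrival-Date"]).astimezone(timezone.utc)
    return {
        "source_ip": msg.get("Source-IP", "").strip(),
        "reported_domain": msg.get("Reported-Domain", "").strip().lower(),
        "auth_failure": msg.get("Auth-Failure", "").strip().lower(),
        "envelope_from": msg.get("Original-Mail-From", "").strip().strip("<>"),
        "message_id": msg.get("Message-ID", "").strip(),
        "arrival_utc": arrival.isoformat(),   # UTC, to match against the relay's own log times
        "spf": methods.get("spf", {}).get("result", "none"),
        "dkim": methods.get("dkim", {}).get("result", "none"),
        "receiver_verdict": methods.get("x-hmca", {}).get("result", "unknown"),
    }


def aggregate(reports: list) -> Counter:
    """Count a batch of reports by (source IP, failure type): which host is spoofing you, and how often."""
    return Counter((r["source_ip"], r["auth_failure"]) for r in reports)


if __name__ == "__main__":
    report = parse_arf_report(SAMPLE_ARF)
    print(report)
    print(aggregate([report]))
```

Feed every .dat from a morning's batch through parse_arf_report and the aggregate counter tells you at a glance whether it is one compromised relay (as here) or a botnet spread across many source addresses.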

The original email, which was spoofing (pretending to come from) one of my domains, is below. Its text arrived as a box.txt attachment; in an effective scam it would be in the body of the email, not an attachment. It says:

Become A Kroger Shopper.

We are looking for people to apply for positions in our team as a secret customer.
How it works :

Register and if you are selected, you will receive $100 for shopping at Kroger,
affiliates or at competition stores.
Send us your feedback for your Kroger shopping experience.
Your review will make a difference for providing better services and products.
Secret Shoppers are selected randomly every week and if selected,
they will be contacted via phone or email.

You will be paid with amounts between $200-400 per assignment.
You can shop any products you want at your designated store.
No experience, fees or interview are required.
Tips and training will be provided for free to our shoppers.
A secret shopper career can be very exciting and for those who love to shop it’s
the perfect job that offers fun assignments and flexible schedules.
Your contribution will bring improvement in the services offered to our clients.

Email me the below details :

== 1. Name :
== 2. FullAddress:
== 3. Citys / States / Countrys :
== 4. Zip Codes :
== 5. Phones :
== 6. Genders & Ages :
== 7. Email :

Thank you for your participation and being here with us.

Sincerely,

Sales/Hiring Manager
Detective Shopper?
The MS applications team
(C) 2017 SR & I. All rights reserved.

The headers on the original email are quite interesting. Read the Received: lines from the bottom up: the bottom one shows the message entering dain.r-pl.co.uk from 81.142.190.59, a host that announced itself in HELO as 167.114.77.157 and has no reverse DNS, after which the server ran it through amavisd and handed it to Hotmail as if it were its own mail:

Authentication-Results: hotmail.com; spf=fail (sender IP is 81.142.190.61; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=thespykiller.co.uk; x-hmca=fail [email protected]
X-Envelope-Sender: [email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: FAIL
X-SID-Result: FAIL
Received: from dain.r-pl.co.uk ([81.142.190.61]) by BAY004-MC1F36.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Sat, 15 Jul 2021 15:51:19 -0700
Received: from localhost (localhost [127.0.0.1])
by dain.r-pl.co.uk (Postfix) with ESMTP id 905DC441FA5
for <[redacted]@hotmail.com>; Sat, 15 Jul 2021 23:51:18 +0100 (BST)
X-Virus-Scanned: Debian amavisd-new at r-pl.co.uk
Received: from dain.r-pl.co.uk ([127.0.0.1])
by localhost (mail.r-pl.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ckjSqcIjV0JE for <[redacted]@hotmail.com>;
Sat, 15 Jul 2021 23:51:16 +0100 (BST)
Received: from 167.114.77.157 (unknown [81.142.190.59])
by dain.r-pl.co.uk (Postfix) with ESMTP id 74C58441FBA
for <[redacted]@hotmail.com>; Sat, 15 Jul 2021 23:51:12 +0100 (BST)
MIME-Version: 1.0
From: [email protected]
Reply-To: [email protected]
To: “REDACTED” <[email protected]>
Subject: ms
Content-Type: multipart/mixed;
boundary="----=_NextPart_001_4382_1B02281A.45786121"
X-Mailer: Smart_Send_3_1_6
Date: Sat, 15 Jul 2021 18:51:10 -0700
Message-ID: <22562397911521172814324@VPS>
Return-Path: [email protected]
X-OriginalArrivalTime: 15 Jul 2021 22:51:19.0949 (UTC) FILETIME=[DFE9DBD0:01D2FDBC]
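Tracing that chain by hand gets tedious across a series of reports. As an added example that is not part of the original post, the Python below parses the Received: headers (reconstructed from the ones above, with a placeholder for the redacted recipient), finds the earliest hop with a routable source address, which is where the mail really entered the mail system, and flags the two tell-tales visible in this message: a HELO that is an IP literal different from the connecting address, and a connecting address the receiving MTA could not resolve.

```python
"""Walk the Received: chain of a message and find where it really entered the mail system.

Added example, not code from the original post. The headers below are reconstructed from
the ones shown above; the recipient address is a placeholder for the redacted one.
"""
import email
import ipaddress
import re

SAMPLE_HEADERS = """\
Received: from dain.r-pl.co.uk ([81.142.190.61]) by BAY004-MC1F36.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
 Sat, 15 Jul 2021 15:51:19 -0700
Received: from localhost (localhost [127.0.0.1])
 by dain.r-pl.co.uk (Postfix) with ESMTP id 905DC441FA5
 for <redacted@hotmail.com>; Sat, 15 Jul 2021 23:51:18 +0100 (BST)
Received: from dain.r-pl.co.uk ([127.0.0.1])
 by localhost (mail.r-pl.co.uk [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ckjSqcIjV0JE for <redacted@hotmail.com>;
 Sat, 15 Jul 2021 23:51:16 +0100 (BST)
Received: from 167.114.77.157 (unknown [81.142.190.59])
 by dain.r-pl.co.uk (Postfix) with ESMTP id 74C58441FBA
 for <redacted@hotmail.com>; Sat, 15 Jul 2021 23:51:12 +0100 (BST)
From: info@thespykiller.co.uk
Subject: ms
"""

# "from <helo> (<what the receiver saw>) by <receiver>": the parenthesised part is the
# receiver's own record of the peer, so it is the trustworthy bit; the HELO is the peer's claim.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(raw_headers: str) -> list:
    """Return one dict per Received: header, top of message (last hop) first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        info = m.group("info") or ""
        ip_match = IP_RE.search(info)
        # Postfix writes "<rdns> [<ip>]", and literally "unknown" when reverse DNS fails
        rdns = info.split("[")[0].strip() or None
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_match.group(1) if ip_match else None,
            "rdns": rdns,
            "by": m.group("by"),
        })
    return hops


def origin_hop(hops: list):
    """Earliest hop whose connecting address is routable: where the mail came in from outside."""
    for hop in reversed(hops):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def suspicious(hop: dict) -> list:
    """Reasons a hop looks untrustworthy, judged only from what the receiving MTA recorded."""
    reasons = []
    helo_is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hop["helo"]) is not None
    if helo_is_ip and hop["helo"] != hop["ip"]:
        reasons.append("HELO is an IP literal that does not match the connecting address")
    if hop["rdns"] == "unknown":
        reasons.append("receiving MTA could not resolve reverse DNS for the connecting address")
    return reasons


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    origin = origin_hop(chain)
    print(origin, suspicious(origin))
```

On these headers the origin comes out as 81.142.190.59 claiming to be 167.114.77.157, handed to dain.r-pl.co.uk, with both flags raised; the top hop (81.142.190.61, the server itself) is not the origin even though it is also a public address, which is why the walk goes from the bottom up.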