Wie hat eine Phishing-E-Mail SPF, DKIM und DMARC bestanden?

Ein Freund hat eine gefälschte E-Mail erhalten (von der Bank of America unter Verwendung einer uber.com -Adresse). die von Google Mail korrekt als „Spam“ identifiziert wurde. Betrachtet man jedoch die Rohnachricht, so scheint sie die SPF-, DKIM- und DMARC-Prüfungen bestanden zu haben.

1) Wie gelang es einer Spam-E-Mail, SPF, DKIM und DMARC unter Verwendung einer Quelldomäne wie uber.com weiterzuleiten – einer Domäne, die die Spammer wahrscheinlich nicht kontrollieren?

2) Gibt es noch etwas im Header / Body der Nachricht, das die zu fälschende E-Mail endgültig bestimmt? (dh außer probabilistischem Denken oder Blacklisting von Elementen, die beispielsweise in externen Links enthalten sind)

Unten wird die gesamte Rohnachricht eingefügt (Ziel-E-Mail aus Gründen der Anonymität geändert).

Delivered-To: [email protected] Received: by 2002:a19:f009:0:0:0:0:0 with SMTP id p9csp8149944lfc; Thu, 2 May 2019 15:48:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqyhm5pZuY7Fm7UQDAafePILEmcZUG7oB/gvcd6J/EhUFwZiS3XMf65THeoGx++FQCmhzOCE X-Received: by 2002:a17:906:13d2:: with SMTP id g18mr3231656ejc.78.1556837320717; Thu, 02 May 2019 15:48:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556837320; cv=none; d=google.com; s=arc-20160816; b=eXB2eqanspJQA6s/q5LqzZmlHbIEk21g9zucGA8hxmjYVXu0b3XnZzYUdJjY5bA0at P6F6qlig4aO5N2Gsr8a9MDRSvvfAibeRTENq/7iO3gaUQIbAM9gQ/aQhV6uLiD+DoSZU dHhhwJB2GQ/5Dh6HoXNuj4SrTMn3yHOEuQA4I+Htw7B1CASkDTIKcs7CART606F33R3N hJqQWlkTlXRNKeSCVY9Ji+7Ij08mciIOJXA2ug0ZYvH9W/C1St8yENSLKfFcrJlk/U/c OyxFmB11yDK9wP9Af5JyzOlkNvGVhXgo1oZzNuB0cyY0nn/HynNrzWhhhTBohg6p92k7 9CuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:to:subject:reply-to:mime-version:from:date :dkim-signature:dkim-signature; bh=qLQDboUSSv8iAbkYL4wb/BR8FXlb49YUxc2eDjBWs5k=; b=EtdsO3m3lHH8+WCcDco6Ahfet2PLEix2p1NKcgzqD7fH+37MPmVieWp3qZo2gy0cgD VP4TGaspSGND2cjBZUqlTr6ScJPj98eRtsIOVb/CRgocSy354o72WzT43P2LXJaOSz+L Rq814M7GHwrtutY3bWpYteO2nEAg18EgSyjC7mYqYvERRa7OFhIJO36/ZnAxCGV5xWTm nd3evLaWNpsRP8eUysyOkuC1wGNW9HGCdcs0q5meSfxl+3PmYzTZ4MlrhAxvEWyPRRM4 gDnwQ7w6RUZjGtbsEWul/5zKa5HDX1jTtH4DRYWe3MaLJ4zpFPQ289mnypfpoHB9vNKb wS5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass [email protected] header.s=s1 header.b=sGXq8dN3; dkim=pass [email protected] header.s=smtpapi header.b=hex9bvGh; spf=pass (google.com: domain of [email protected] designates 50.31.36.149 as permitted sender) smtp.mailfrom="[email protected]"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com Return-Path: <[email protected]> Received: from o15.email.uber.com (o15.email.uber.com. [50.31.36.149]) by mx.google.com with ESMTPS id c8si312626edb.189.2019.05.02.15.48.40 for <[email protected]> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 May 2019 15:48:40 -0700 (PDT) Received-SPF: pass (google.com: domain of [email protected] designates 50.31.36.149 as permitted sender) client-ip=50.31.36.149; Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=s1 header.b=sGXq8dN3; dkim=pass [email protected] header.s=smtpapi header.b=hex9bvGh; spf=pass (google.com: domain of [email protected] designates 50.31.36.149 as permitted sender) smtp.mailfrom="[email protected]"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=uber.com; h=content-type:from:mime-version:reply-to:subject:to; s=s1; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=sGXq8dN3+HHhABwT351Y+af+nr2B8 pHTDx2MjlKRIDe7H/cnIsI/CpwpJLrb8Stp9RsP0sP5nK3TZmKHQwJedhRvBTC7n r/uPT0JSi+ONLtF9C+0qRXmWmJtqQzFf9slsVRdHaXX8RLa6yaLLzwsHuuRdaJZG o4oB6ZA5AJCesY= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.info; h=content-type:from:mime-version:reply-to:subject:to:x-feedback-id; s=smtpapi; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=hex9bvGhVyaiDwHKrN h24yUEJB4HO3pTdxhcoAK5VsaYOCXZx9p4blLSQp3uV8ew7NLo2z/zx4csNICZWh SmC8COHDgWcHciNfl43kiraXp400kRYiGsS1pHqVRX5Ob8D0JkPBK5O8DVaeruG8 CZA/6xSoS+V/bEH7nyXlXwrfc= Content-Type: multipart/alternative; boundary=05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2 Date: Thu, 02 May 2019 22:48:36 +0000 (UTC) From: Bank Of America <[email protected]> Mime-Version: 1.0 Reply-to: [email protected] Subject: [ALERT] Your account id has been blocked !! To: [email protected] Message-ID: <[email protected]> X-SG-EID: BJ2Hyk3p2HXeBi9v1wQzSyZ8DM5WrDY+tsMwP5EVk1O0bcaJmQS4hZuUFgRtapyAExYteHWmn73qmX 7VEhHR5sd3ci/g+WzM8Uf68Ux7oY1gt0agNXHr4DKEE+nngxEBm8ZP2xGBiEEEpg5Whgqt/yWpHjZ7 HukhCl3QGdVTLehqCV+7CWTGIxhA8qDvQEtuCLBT6YeFBksxtcPbtJlU+nsHzCU+ZUGuJa5/mD+y0F s7tmnWQuHkKZKYL9EbGQts X-SG-ID: Z2FxZazunBjVeNuNdzHDqrF8mxuCpi0krmont6YQrP1PhrSAm6F2vnhCz+cZmwIQQzzeNf3kS2PU4G C99ZbMEWr4lLYj5ol2knDZ/n3jZwq//ee6CYHr7NePdVS5vtJCVf7ranRUtPwlaGzBDEs80XrtvoiJ GPsexH5dsi0CLhc= X-Feedback-ID: 3504297:hpZl/F8wyMjPOktsUM9fV9PBbsSgTLHDWo42qpJEarc=:hISn6uOVLCzR0vuCEri7CQ==:SG --05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Mime-Version: 1.0 Dear Valued Customer,=20 You Have A Personal Security Alert from BankOfAmerica. Sign-On https://flyingteachers.nl//wp-content/Wordpress/ Note: You will need to update your information for that service completely.= =20 =C2=A9 Copyright, BankOfAmerica, 2019.=20 Access https://google.com --05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 Mime-Version: 1.0 <HTML><HEAD></HEAD> <BODY>&nbsp;<IMG src=3D"https://www2.bac-assets.com/homepage/spa-assets/ima= ges/assets-images-global-logos-boa-logo-CSXe4b047c0.svg" width=3D279 height= =3D64>=20 <TABLE id=3Dyui_3_7_2_1_1357636237151_3250 style=3D"FONT-SIZE: 12px; FONT-F= AMILY: Arial, Helvetica, sans-serif" cellSpacing=3D0 cellPadding=3D0 width= =3D600 border=3D0> <TBODY></TBODY></TABLE><BR>Dear Valued Customer, <BR><BR>You Have A Person= al Security Alert from BankOfAmerica.<BR> <P></P> <P><FONT id=3Dyui_3_16_0_1_1399663152274_19869 style=3D"FONT-SIZE: 12px; CO= LOR: #333333; LINE-HEIGHT: 18px" face=3D"Verdana, sans-serif"> <TABLE id=3Dyui_3_16_0_1_1399663152274_48813 style=3D"BACKGROUND: no-repeat= left top" height=3D15 cellSpacing=3D0 cellPadding=3D0 width=3D111 bgColor= =3D#6cae35 border=3D0> <TBODY id=3Dyui_3_16_0_1_1399663152274_48812> <TR id=3Dyui_3_16_0_1_1399663152274_48811 bgColor=3D#6cae35> <TD id=3Dyui_3_16_0_1_1399663152274_48862 bgColor=3D#6cae35 vAlign=3Dmiddle= width=3D15 align=3Dcenter><FONT size=3D2><HTTPS: id=3Dyui_3_16_0_1_1399663= 152274_48861 width=3D"15" height=3D"15" email_cta_arrow.gif=3D"" media=3D""= static_assets=3D"" mcontent=3D"" content.usaa.com=3D""></HTTPS:></FONT></T= D> <TD id=3Dyui_3_16_0_1_1399663152274_48810 bgColor=3D#6cae35 vAlign=3Dmiddle= width=3D96 align=3Dcenter><A id=3Dyui_3_16_0_1_1399663152274_48814 style= =3D"TEXT-DECORATION: none; COLOR: #fff; FONT: bold 11px arial, sans-serif" = href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIfRAMGF2= MPDMqrIBax6TjqHI26EB2dJUvOpfb6-2BtHW1GBBasvV-2BPdUGxE65m1S0AUw-3D-3D_upBRTD= Ma1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2= BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDx= gGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEp9Ag= pJI7RnaO6AO3D5pLjHBeAsWMwbWL4o9BhEfMC8cT0zWfUna8GP3wEKDFrXWVmspJeNCXCcqbUUp= SUF49HwDS-2F279HaQ-2BkL8PVsX8eMAvnRBRi8DRIAWf938W9MaPq8yv9aeEq8G6uedSgCjCX1= FAAhXKhtxerCOMO6JhOYPlm2-2FHX633X1SrBaiTYZGOw-3D-3D" rel=3Dnofollow target= =3D_blank>Sign-On</A></TD></TR></TBODY></TABLE></FONT></P>Note: You will ne= ed to update your information for that service completely. <BR><BR><FONT id= =3Dyui_3_13_0_1_1398145588576_6499 size=3D1></FONT><FONT size=3D2>=C2=A9 Co= pyright, BankOfAmerica, 2019.</FONT>=20 <img src=3D"http://email.uber.com/wf/open?upn=3DupBRTDMa1f8arr27T-2FChSHKA0= 2CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz= 9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2= BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEnZOKS1AsqehIRfEXmYLYu3fhQ= UZgheXahrlWwKmrfQylaw7Y2sX09qWBC67FiV-2Fwmf5O6ZvgYoAV3vtQZhLjSa6B7I0DiwhfzK= 11lBOmIXiMuUc30aqH9s9sDIGqnGR8O-2Fdgjw-2FWHQjWqMlfMnd1TWWYULqOl5xYb-2BD-2B1= JMvHPISuLN3S-2BBtXPo-2BSzlYb9YTw-3D-3D" alt=3D"" width=3D"1" height=3D"1" b= order=3D"0" style=3D"height:1px !important;width:1px !important;border-widt= h:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-ri= ght:0 !important;margin-left:0 !important;padding-top:0 !important;padding-= bottom:0 !important;padding-right:0 !important;padding-left:0 !important;"/= > </BODY></HTML> <a href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIUDYH= X2-2FyU5mi0Enz-2FchsQI-3D_upBRTDMa1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnP= K4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMISh= GPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn= 48l3JhaVOuRvB-2F5niKuSo53oVEggJcxBzsBUTFT7XWbdRLfOKJHct29bBLqq-2FiX-2BnFPQ-= 2BLCqjk6YuSfSFkaKdm5QvdZMBusseXcTQlJhzVP-2Beo5392uwTJHnkaMczik43b2te8teMEjS= hfujpSCF4MTUkjQ5IBldCR7EOeT4-2BF6vpq0Ctnr2W7ZarsqWFftMiNy8s-2BU-2F5eF1gGJwN= 7E92IF4inQ-3D-3D" target=3D"_blank" rel=3D"noopener">Access</a> --05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2-- 

Kommentare

• Diese Mail sieht nicht originell genug aus, um eine ordnungsgemäße Analyse durchzuführen. Ich habe keine Ahnung, was durch das OP im Body geändert worden sein könnte, da der Body-Hash nicht übereinstimmt. Die DKIM-Signature -Felder scheinen ebenfalls bearbeitet zu werden, dh es gibt nur Leerzeichen, in denen ich Zeilenumbruch + Leerzeichen erwarten würde.
• Die ursprüngliche Ziel-E-Mail-Adresse wurde durch “ ersetzt myemail “ in einem Text edi tor – das ‚ ist das Ausmaß der Änderung. In der Tat war mir vorher nicht klar, dass diese Änderung allein ‚ dazu führen könnte, dass die Nachrichtenübersichtsprüfung fehlschlägt …