25 Jun 2017, 05:58 AM   #538
jarland
Essential Contributor
 
Join Date: Apr 2014
Posts: 288

Representative of:
MXRoute.com
Quote:
Originally Posted by FredOnline
https://mxstatus.co/incident/10

Today we noticed that a new customer had begun a phishing campaign in our name. They signed up using a stolen credit card and a VPN. They proceeded to send email to a little over 1,000 people (not necessarily customers of ours, just random people) claiming the email to be from service@mxroute.com. For this reason, while weighing possible options to prevent such a thing in the future, we will be re-enabling a feature disabled some time ago due to user request. You will not be able to adjust a From header, our mail server will rewrite it to match the account that you are logged in with. This is to discourage customers from spoofing email from other customer domains, including ours, while passing SPF checks. I'm afraid this is not negotiable.

If you see an email from service@mxroute.com, it is NOT us. The subject of this email was "We are not able to connect with you, check our privacy policy updates."
The reality of how scary this is is something I've held close to my chest for a while. All you really need for solid inbox delivery is to pass SPF checks, and average recipients won't check for DKIM pass. No loss for sending without a DKIM signature because no header = no check; the header defines how it should be checked.

So SPF is king and DKIM is a flawed standard that never amounted to much. Now consider how many companies include major mail providers in their SPF records (me and all customers included). It means you can't trust emails for passing SPF, and you shouldn't even consider DKIM unless you've specifically worked out with a sender that you should always look for it. The end result is that spoofing emails that pass the most relevant check, for a LOT of companies, is painfully simple.

I think the only answer is to always outline expectations with your customers, to say what you will and will not request of them via email. An old tactic, but probably the best one to date. Creative solutions around this kind of problem are fresh on my mind right now, as it's obvious I've reached a point that someone would seek to target my customers specifically, or at least to capitalize on my name.
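To make the two sides of this concrete, here is an added example (my own code, not jarland's and not anything MXRoute runs): a submission-side function that does what the incident notice describes, rewriting the From header to the account that authenticated, and a receiver-side function that applies DMARC-style identifier alignment (a standard the post itself does not mention) to show which spoofs an SPF pass can and cannot reveal. Every address, domain and message in it is constructed sample data, and the X-Original-From trace header name is a hypothetical choice. The organizational-domain shortcut is an assumption: real DMARC consults the Public Suffix List.

```python
"""Added example, not code from the forum post or from MXRoute.

  * submission_rewrite_from(): the sending-server policy described in the
    incident notice, forcing the From header to match the SMTP AUTH account.
  * dmarc_alignment(): receiver-side DMARC-style alignment, showing why an
    SPF pass on its own says nothing about who wrote the From header.

All addresses, domains and messages are constructed; X-Original-From is a
hypothetical trace header name.
"""
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample: the kind of message from the incident, as a tenant
# might submit it to a shared mail server.
SAMPLE_MESSAGE = (
    "From: MXRoute <service@mxroute.com>\n"
    "To: victim@recipient.example\n"
    "Subject: We are not able to connect with you\n"
    "\n"
    "Click here.\n"
)


def from_addr(raw_message: str) -> str:
    """Return the addr-spec of the message's From header."""
    return parseaddr(message_from_string(raw_message).get("From", ""))[1]


def submission_rewrite_from(raw_message: str, authenticated_account: str) -> str:
    """Rewrite the From address to the authenticated account, keeping the display name.

    The original header is kept in a trace header so abuse can later be tied
    back to the account that actually submitted the message.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != authenticated_account.lower():
        msg["X-Original-From"] = msg.get("From", "")  # hypothetical trace header
        del msg["From"]                               # drops every From: line
        msg["From"] = formataddr((name, authenticated_account))
    return msg.as_string()


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption).

    Real DMARC uses the Public Suffix List so that co.uk-style suffixes are
    handled; the shortcut is enough for the sample domains used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _aligned(from_domain: str, auth_domain: str, strict: bool) -> bool:
    """Strict alignment is an exact match; relaxed compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_alignment(from_header, spf_result, mail_from,
                    dkim_result=None, dkim_domain=None, strict=False):
    """Decide whether an SPF or DKIM pass is aligned with the From header domain.

    spf_result / dkim_result: verifier outcomes ("pass", "fail", None).
    mail_from: the envelope (RFC5321.MailFrom) address SPF was evaluated on.
    dkim_domain: the d= tag of the passing DKIM signature, if any.
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    mail_from_domain = mail_from.rpartition("@")[2]
    spf_pass = spf_result == "pass"
    spf_aligned = spf_pass and _aligned(from_domain, mail_from_domain, strict)
    dkim_pass = dkim_result == "pass" and bool(dkim_domain)
    dkim_aligned = dkim_pass and _aligned(from_domain, dkim_domain, strict)
    return {"spf_pass": spf_pass, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}


def incident_scenarios():
    """Three constructed cases, all claiming to be service@mxroute.com."""
    claimed = "MXRoute <service@mxroute.com>"
    return {
        # Attacker is a tenant on the same provider and forges the envelope
        # sender too: SPF passes AND aligns, so the receiver sees a clean pass.
        # Only the sending provider can stop this (see submission_rewrite_from).
        "tenant_spoof": dmarc_alignment(claimed, "pass", "service@mxroute.com"),
        # Attacker sends through a provider authorized for *their* domain: SPF
        # passes for the envelope domain but does not align with the From.
        "outside_spoof": dmarc_alignment(claimed, "pass", "bounce@attacker-tenant.example"),
        # Legitimate bulk mail via a third-party ESP: the envelope domain is the
        # ESP's, but a DKIM signature with d=mxroute.com restores alignment.
        "legit_via_esp": dmarc_alignment(claimed, "pass", "bounces@esp-provider.example",
                                         dkim_result="pass", dkim_domain="mxroute.com"),
    }


if __name__ == "__main__":
    print(submission_rewrite_from(SAMPLE_MESSAGE, "tenant@customer.example"))
    for name, verdict in incident_scenarios().items():
        print(name, verdict)
```

The "tenant_spoof" case is the one the post is really about: when the attacker is a customer of the same provider that your SPF record already authorizes, the receiver has nothing to go on, which is why the fix has to happen at submission time on the sending server rather than in the recipient's filters.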