How do I configure header.from?

A client recently received a spoofed email in a way I had never seen before. The following are the relevant, anonymised details from the email headers:

  1. authentication-results: spf=none (sender IP is 74.208.4.197) smtp.mailfrom=[hacked domain name]; [client's old domain name]; dkim=none (message not signed) header.d=none;[client's old domain name]; dmarc=none action=none header.from=[client's old domain name];
  2. Reply-To: [Director] <[director's old email address on client's old domain]-l.in>
  3. From: [Director] <[director's new email address on client's new domain]> To: [accounts' distribution group] <[accounts' new email address on client's new domain]>

What is different and interesting about this is that the attacker was able to bypass the DMARC policy of the client's new domain. I think I know how the attacker was able to do this:

  1. A domain with no SPF, DKIM or DMARC policy ( hacked domain name ) was used for the SMTP / 5321 / smtp.mailfrom level.
  2. A domain with an SPF policy but no DKIM or DMARC policy ( client's old domain name ) was used for the MIME / 5322 / header.from level.

I have read that MTAs obtain the DMARC policy from the domain specified in the header.from header value. So my question is this: to confirm my theory, how can I send an email with a "custom" header.from header value? I am used to using CLIs such as telnet , etc.

I asked a very similar question previously, but that answer does not answer this question.

The full (but anonymised) email headers:

Received: from HE1PR0502MB3002.eurprd05.prod.outlook.com (10.175.30.147) by
 AM5PR0502MB2994.eurprd05.prod.outlook.com (10.175.40.20) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.302.9 via Mailbox Transport; Thu, 14 Dec 2017 09:34:42 +0000
Received: from AM3PR05CA0056.eurprd05.prod.outlook.com
 (2a01:111:e400:52b7::24) by HE1PR0502MB3002.eurprd05.prod.outlook.com
 (2603:10a6:3:d7::19) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.302.9; Thu, 14
 Dec 2017 09:34:41 +0000
Received: from DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com
 (2a01:111:f400:7e0a::200) by AM3PR05CA0056.outlook.office365.com
 (2a01:111:e400:52b7::24) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.302.9 via Frontend
 Transport; Thu, 14 Dec 2017 09:34:40 +0000
Received: from mout.perfora.net (74.208.4.197) by
 DB5EUR03FT048.mail.protection.outlook.com (10.152.21.28) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.20.302.6 via Frontend Transport; Thu, 14 Dec 2017 09:34:39 +0000
Received: from box.backup ([93.158.216.105]) by mrelay.perfora.net (mreueus002
 [74.208.5.2]) with ESMTPA (Nemesis) id 0MFrWa-1eCoig3ce6-00EttU for
 <[accounts' old email address on client's old domain]>; Thu, 14 Dec 2017 10:34:37 +0100
From: [Director] <[director's new email address on client's new domain]>
To: [accounts' distribution group] <[accounts' new email address on client's new domain]>
Subject: Handle this asap
Thread-Topic: Handle this asap
Thread-Index: AQHTdL7FI+cnKCIw4k+addTBVGYrjQ==
Date: Thu, 14 Dec 2017 09:34:37 +0000
Message-ID: <[email protected]>
Reply-To: [Director] <[director's old email address on client's old domain]-l.in>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Network-Message-Id: 31f5cd96-3a15-44e2-9b9e-08d542d5e661
X-Message-Flag: Follow up
X-MS-TNEF-Correlator:
received-spf: None (protection.outlook.com: mylesstandish.net does not
 designate permitted sender hosts)
x-forefront-antispam-report: CIP:74.208.4.197;IPV:NLI;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(8156002)(2980300002)(428003)(199004)(189003)(8676002)(9686003)(305945005)(7596002)(105586002)(16003)(106466001)(6862004)(5660300001)(16586007)(7116003)(568964002)(22720200003)(84326002)(567704001)(63106013)(9886003)(3480700004)(564344004)(1096003)(7636002)(50126003)(6636002)(246002)(21480400003)(5003630100001)(104016004)(356003)(42882006)(5000100001)(512874002)(4610100001)(43066004)(89386003)(33896004)(59450400001)(5890100001)(33964004)(2476003)(2351001)(362424002)(24616003)(79866001);DIR:INB;SFP:;SCL:1;SRVR:HE1PR0502MB3002;H:mout.perfora.net;FPR:;SPF:None;PTR:mout.perfora.net;A:1;MX:1;LANG:en;
authentication-results: spf=none (sender IP is 74.208.4.197)
 smtp.mailfrom=mylesstandish.net; [client's old domain name]; dkim=none
 (message not signed) header.d=none;[client's old domain name]; dmarc=none
 action=none header.from=[client's old domain name];
x-provags-id: V03:K0:+bX50qyGpYWG3nl2KR5LrxNR5QAuHerD/Ci0f15XSi0PrkdhYn7
 +asr62VMEJkFiChjE1rpF24A9/b1VQ4nq4V8xll8uJfrCxXKQFtioq5I3UUXzzIzsmoKlBz
 c8zcN90wq7PruWyApRfkG93yISwROTLUDhZAYhqn0DByTKPp8Ptj/h4ZVWFkXx+j2BfrGnl
 GRtxBbN6NAonCIMyPfftg==
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics: 1;AM5PR0502MB2994;27:PiEq5e2siU4JRO2TOrf1wEQY8e6CKGY0XpuGPTv1fAFH0U+X/mtVoF0DxL6/hHUuOK471Zu3M4iWfglkgAeZ9eoeyHp1ANXSL162vYFQaKRRjLwewNhY6osSswalTYkk
X-Microsoft-Antispam-Message-Info: jzBEPkz1MG4wSRW5IeNhdiFkN52T1FtBma8q4n/g2yIjDgQHGfmm8feWpuoG6UZX
Content-Type: multipart/mixed;
    boundary="_002_0LkRJt1f0gbO2qeR00cNDFmrelayperforanet_"
MIME-Version: 1.0
asked by mythofechelon 27.12.2017 - 10:54
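As an added illustration (not part of the original question), the following evaluates DMARC the way RFC 7489 describes it: the policy domain is the RFC5322.From domain, and the message passes only if SPF or DKIM passes with an identifier aligned to that domain. It is run over a constructed Authentication-Results value modelled on the one in the question, with the bracketed placeholders replaced by assumed example.* names, and it also flags when the header.from reported by the receiver does not match the From: header.

```python
import re
from email.utils import parseaddr

# Constructed sample modelled on the question's Authentication-Results header;
# the bracketed placeholders are replaced with assumed *.example names.
AUTH_RESULTS = (
    "spf=none (sender IP is 74.208.4.197) smtp.mailfrom=hacked.example; "
    "old-client.example; dkim=none (message not signed) header.d=none;"
    "old-client.example; dmarc=none action=none header.from=old-client.example;"
)
FROM_HEADER = "Director <director@new-client.example>"  # constructed RFC5322.From

def org_domain(domain):
    """Crude organizational domain: last two labels (a real check uses the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(identifier, policy_domain, mode="r"):
    """RFC 7489 identifier alignment: strict = exact match, relaxed = same org domain."""
    if not identifier or identifier == "none":
        return False
    if mode == "s":
        return identifier.lower() == policy_domain.lower()
    return org_domain(identifier) == org_domain(policy_domain)

def parse_auth_results(value):
    """Pull the result tokens and identifiers out of an Authentication-Results value."""
    out = {}
    for key in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{key}=(\w+)", value)
        out[key] = m.group(1) if m else None
    for key in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(rf"{re.escape(key)}=([^\s;]+)", value)
        out[key] = m.group(1) if m else None
    return out

def evaluate_dmarc(auth_results, from_header, aspf="r", adkim="r"):
    """Which domain's DMARC policy applies, and would the message pass it?"""
    ar = parse_auth_results(auth_results)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    spf_pass = ar["spf"] == "pass" and aligned(ar["smtp.mailfrom"], from_domain, aspf)
    dkim_pass = ar["dkim"] == "pass" and aligned(ar["header.d"], from_domain, adkim)
    return {
        "policy_domain": from_domain,  # the DMARC record looked up is _dmarc.<this>
        "reported_header_from": ar["header.from"],
        "header_from_mismatch": ar["header.from"] != from_domain,
        "spf_aligned_pass": spf_pass,
        "dkim_aligned_pass": dkim_pass,
        "dmarc_pass": spf_pass or dkim_pass,
    }
```

For the sample, the From: domain is the new domain while the receiver reported header.from as the old one; the mismatch flag is the thing to investigate when reviewing such headers.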

0 answers