Welcome to the mailbox.org user forum!
 
New Topic
Properties
Category Password and Security
Tags SPF, dmarc, dkim, phishing, spoofing

Spoofing protection (again)

4092220 shared this problem 4 months ago
In Progress

Hello. Thanks to this email tester I uncovered, that the Mailbox.org doesn't check SPF, DKIM, and DMARC records, which is terrible and may lead to dire consequences if I wouldn't constantly check the original headers of each letter.

I have turned on every possible protection to strict mode on my custom domain, even copied and changed SPF record to make it stricter: 


v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all


But again, some server was still able to spoof my domain and sent a letter to me in the form of "Boss <boss@mydomain.com>", pretending to have rights to send letters from my domain. After I checked the headers, I realized that the Mailbox.org completely doesn't check SPF, DKIM, and DMARC records.


My question is, why a paid mail service hasn't implemented phishing protection, like did the free mail services Protonmail, Tutanota, Gmail, and others?


Please, do not refer to German sources, articles and videos - I'm an international customer with English language proficiency.

3 The same problem 0  

Comments (5)

photo
2
mailbox.org Support 4 months ago

Hi there,

thanks for this hint.

We are investigating this issue and come back to you.

Generally we do not recommend setting SPF records to strict (-all).

Best regards

Reply
photo
2
3345038 4 months ago

Hi support,

Following this topic as I'm also interested/concerned about anti-spoofing protection.

I think what Protonmail does in this instance is very useful, see:


https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-authentication-requirements-warning/


So when an email fails DKIM/SPF checks, a warning is shown to users.


PS: I've reproduced the issue from the original post even when my domain uses ~all instead of -all.

photo
1
4092220 4 months ago

Thank you, and I'm aware about -all but the source of this information was fully in German. I struggled with Google Translate, but understood a little. If you do have an English language source, please, provide it in this thread.

photo
1
3292338 4 months ago

Did you try: https://kb.mailbox.org/display/MBOKBEN/Private+Clients?beecom.language=en

photo
1
4092220 4 months ago

I'm using Mozilla Thunderbird 78 on Windows and Fastmail on Android. Yes, I can install additional plugins for Thunderbird to check DKIM, SPF and DMARC, but these checks should be done by an Email Security Gateway.


Moreover, by default, the DMARC policy is not enabled for mailbox.org and only 50% of emails would be affected by DMARC policy.

The MTA-STS policy is in testing mode , I have a custom domain, so I'm able to provide my own policies, but by default it is practically off.

photo
photo
2
6643578 3 months ago

mailbox.org support has answered this question here (in German though):


https://userforum.mailbox.org/topic/5349-wertet-mailbox-org-dkimdmarc-nicht-aus#comment-22406

It would be nice if the support team could provide an English translation of that answer here. If they delay though and you can't understand the answer after using a translation tool, then reply to this comment and I can translate it for you myself.

Reply
photo
2
mailbox.org Support 2 months ago

The question is basically about the setting "DMARC p=reject" or "p=none" on our servers. DMARC combines the checks of SPF and DKIM. If you use your own domain, you can configure this setting by yourself as per this guide (lower part).


Here's a translation of the original text by our CEO Peer Heinlein: 


Putting a hard DKIM policy in place has lead to massive issues in real life. Eventually our users blame us for this (and then cancel their accounts or polemicise about us as an unreliable provider in every "third" forum).

There are still many mailing lists or other constructs where DKIM has not been implemented flawlessly.

A hard DKIM policy would cause a lot of (desired) e-mails not to reach their destination.

This is the fault of others, but we end up being the culprit.

We re-evalute the situation every 6 months and are waiting for the right moment to set the hard DKIM policy live - or well, allow for our users to configure this. However, rejecting hard is a tough one, also compare with the thrashing we were given for our SMTP plausibility check.

Reply
photo
1
4092220 2 months ago

I see, thank you. It there a way to indicate in a web interface, that this letter has a couple of problems? Like Protonmail company did.

photo
photo
1
4092220 2 months ago

Thank you mailbox team for acknowledging the ticket and starting working on it!

Can't wait to see the changes!

Reply
photo
2
mailbox.org Support 2 months ago

Please take note of this scheduled change that addresses the formerly mentioned scenario.

https://mailbox.org/en/post/security-adjustment-and-deactivation-of-certain-mail-functions

Reply
photo
1
4092220 52 days ago

I tested again with the service on this website and again mailbox.org doesn't check from appropriate DKIM, DMARC and SPF. In theory mailbox.org should reject a letter from boss@my-domain.com, because I set the SPF and DMARC policies for my-domain.com to be the strictest possible .

photo
1
4092220 14 days ago

One more update. Still the same issue. Still mailbox doesn't check SPF and DMARC

photo
Leave a Comment
 
Attach a file
© 2018 mailbox.org