Welcome to the mailbox.org user forum!
 

Spoofing protection (again)

David shared this problem 12 months ago
In Progress

Hello. Thanks to this email tester I uncovered that Mailbox.org doesn't check SPF, DKIM, and DMARC records, which is terrible and could lead to dire consequences if I didn't constantly check the original headers of each letter.

I have turned on every possible protection to strict mode on my custom domain, and even copied and changed the SPF record to make it stricter:


v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all


But again, some server was still able to spoof my domain and send a letter to me in the form of "Boss <boss@mydomain.com>", pretending to have the right to send letters from my domain. After I checked the headers, I realized that Mailbox.org doesn't check SPF, DKIM, and DMARC records at all.


My question is, why hasn't a paid mail service implemented phishing protection, like the free mail services Protonmail, Tutanota, Gmail, and others have?


Please do not refer to German sources, articles and videos - I'm an international customer with English language proficiency.
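To see what "the sender IP is not in the SPF allowed range" means for the record quoted above, here is a small SPF evaluator (added example, not code from the post or from mailbox.org). It handles only the ip4/ip6/mx/all mechanisms that record uses; `mx` would need a DNS lookup, so the resolved MX addresses are passed in as a hypothetical `mx_addresses` argument instead.

```python
import ipaddress

# Constructed input: the SPF record quoted in the post.
SPF_RECORD = ("v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 "
              "ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all")

# RFC 7208 qualifiers and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, mx_addresses=()):
    """Return the SPF result ("pass", "fail", "softfail", "neutral",
    "none" or "permerror") for sender_ip under `record`.
    `mx_addresses` stands in for the DNS lookup of the domain's MX hosts
    (assumption: resolved offline by the caller)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # An IPv4 address never matches an IPv6 network and vice versa.
                if ip in ipaddress.ip_network(value, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"  # malformed network, e.g. a typo in the record
        elif mech == "mx":
            if any(ip == ipaddress.ip_address(a) for a in mx_addresses):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]  # "-all" => fail, "~all" => softfail
        else:
            return "permerror"  # include/a/exists/redirect are not implemented here
    return "neutral"  # no mechanism matched and no "all" term (RFC 7208 section 4.7)
```

Note that the misspelt `-al` from later in the thread is not an unknown-but-harmless term: it is an unknown mechanism, so an evaluator returns permerror rather than fail.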

Comments (8)

2

Hi there,

Thanks for this hint.

We are investigating this issue and will come back to you.

Generally, we do not recommend setting SPF records to strict (-all).

Best regards

2

Hi support,

Following this topic as I'm also interested/concerned about anti-spoofing protection.

I think what Protonmail does in this instance is very useful, see:


https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-authentication-requirements-warning/


So when an email fails DKIM/SPF checks, a warning is shown to users.


PS: I've reproduced the issue from the original post even when my domain uses ~all instead of -all.

1

Thank you, and I'm aware of -all, but the source of this information was entirely in German. I struggled with Google Translate, but understood a little. If you do have an English language source, please provide it in this thread.

1

I'm using Mozilla Thunderbird 78 on Windows and Fastmail on Android. Yes, I can install additional plugins for Thunderbird to check DKIM, SPF and DMARC, but these checks should be done by an Email Security Gateway.


Moreover, by default, the DMARC policy is not enabled for mailbox.org and only 50% of emails would be affected by DMARC policy.

The MTA-STS policy is in testing mode. I have a custom domain, so I'm able to provide my own policies, but by default it is practically off.

2

mailbox.org support has answered this question here (in German though):


https://userforum.mailbox.org/topic/5349-wertet-mailbox-org-dkimdmarc-nicht-aus#comment-22406

It would be nice if the support team could provide an English translation of that answer here. If they delay though and you can't understand the answer after using a translation tool, then reply to this comment and I can translate it for you myself.

2

The question is basically about the setting "DMARC p=reject" or "p=none" on our servers. DMARC combines the checks of SPF and DKIM. If you use your own domain, you can configure this setting by yourself as per this guide (lower part).


Here's a translation of the original text by our CEO Peer Heinlein:


Putting a hard DKIM policy in place has led to massive issues in real life. Eventually our users blame us for this (and then cancel their accounts or polemicise about us as an unreliable provider in every "third" forum).

There are still many mailing lists or other constructs where DKIM has not been implemented flawlessly.

A hard DKIM policy would cause a lot of (desired) e-mails not to reach their destination.

This is the fault of others, but we end up being the culprit.

We re-evaluate the situation every 6 months and are waiting for the right moment to set the hard DKIM policy live - or well, allow our users to configure this. However, rejecting hard is a tough one; also compare with the thrashing we were given for our SMTP plausibility check.

1

I see, thank you. Is there a way to indicate in the web interface that this letter has a couple of problems? Like the Protonmail company did.

1

Again, what I need:


For example, I have my own domain privatemailbox.com, and I configured everything, and I'm using the Mailbox service for email. I also configured strict SPF and DMARC rules, so that no scammer can use my domain, and particularly my email address like david@privatemailbox.com. Of course, they can forge the sender ID (e.g. my email david@privatemailbox.com), but because of the configured SPF and DMARC for my domain, other mail providers would check the authenticity of such an email and reject it, because the sender IP is not in the SPF allowed range and it doesn't have a valid DKIM signature.


What does Mailbox do? Mailbox.org is just ignoring my configured SPF and DMARC policies and instead of rejecting a scammer's letter, it delivers it.

2

I don't understand the mailbox support response.

The problem is not spf/dkim/dmarc configured on mailbox/customdomain dns records but the fact that mailbox does not honor the configuration of spf/dkim/dmarc for incoming mails.

I've never had this kind of problem with other providers, and I don't know if it's a problem to implement this configuration on mailbox, but I think it's a basic configuration for an email provider (tell me if I'm wrong, I'm not an expert).

Anyway, I opened a ticket a few days ago to get explanations about this situation; I hope for an answer as soon as possible.

1

Have they responded to you?

2

No, I opened the ticket on June 7 and I'm still waiting; I received an auto-message which warned me that they have an increase in ticket requests and that the response would be slow (very slow, I would say...).


Anyway, I probably misread the reply above from the mailbox team, because they actually talk about configuration on their servers, so I think they want to keep the p=none policy until they decide it's time to adopt a more restrictive policy.


I would like to ask why they don't take into consideration the p=quarantine policy (like Mailfence does); at least the messages of that type would go into spam.

1

If I understand it correctly: For example, I configured strict DMARC on my custom domain. Mailbox's servers should read my policy and apply it to emails from my domain. So that no one could spoof letters from my domain, because it has strict DMARC policy. I presume other mail providers read my policy and apply it to letters from my domain.


Their DMARC policy is read by other mail providers, which they apply to letters from Mailbox's domain.

1

How inbound mail servers treat messages that fail DMARC is different for each email provider, so you may have a restrictive DMARC configuration (p=reject), but then it depends on how the inbound mail server treats your policy.


For what I know, Mailfence and Microsoft 365, for example, treat a failed DMARC with the p=quarantine policy, so the message arrives in the spam folder. I think this is a good solution rather than p=none, but the problem with mailbox.org is that we have no possibility to configure a whitelist, so if for some reason the DMARC of contacts that we know and consider safe fails, we will always receive their messages in the spam folder, or not receive them at all in the case of p=reject.


It would be interesting to know if it is possible to have a custom configuration for our custom domains: the owner of the domain decides what to do in case of DMARC failure. In this way, if there are problems with receiving mail, mailbox.org will not have problems with complaints. But honestly I don't know if this is possible.

1

Look at RFC 7489, particularly sections 6.6 and 6.6.2. The MTA fetches the policy from the sender's domain, does some checks and applies the sender's policy from their domain. So Mailbox's DMARC policy p=none is fetched by other email providers to check what they should do with emails from the Mailbox.org domain if they fail DMARC checks.


A custom configuration for our custom domains we can apply, and it would be visible to other email providers. I also monitor how other mail providers are handling my letters via DMARC reporting and TLS-RPT. You can see my domain's policy here at this service.

1

Thank you mailbox team for acknowledging the ticket and starting working on it!

Can't wait to see the changes!

2

Please take note of this scheduled change that addresses the formerly mentioned scenario.

https://mailbox.org/en/post/security-adjustment-and-deactivation-of-certain-mail-functions

1

I tested again with the service on this website and again mailbox.org doesn't properly check DKIM, DMARC and SPF. In theory mailbox.org should reject a letter from boss@my-domain.com, because I set the SPF and DMARC policies for my-domain.com to be the strictest possible.

1

One more update. Still the same issue. Still mailbox doesn't check SPF and DMARC.

2

Also hoping to hear about this, it's something holding me back from signing up with mailbox.

1

I tested once again and still the same issue persists. Why does mailbox ignore my domain's SPF and DMARC policies?

1

Guys from mailbox are aware and they are working on this feature, thank you!


I hope and wait.

3

42 days later, is there any update?

1

The problem still persists - Mailbox.org doesn't respect my strict SPF and DMARC rules. So anybody can mimic my domain and send letters to Mailbox without authorization and despite strict SPF and DMARC.


I'm concerned whether the administration is going to do anything.

1

Yeah, I know, I just set up mailbox with my own domain, found this out, and then I found this topic.

Hope they find a solution before someone is using my domain name for bad things...

1

Hi David, may I ask, what are your SPF / DMARC policies?

2

Hey. Sure, no problem. My SPF policy is in the first post, but I'll paste it here once again:


SPF policy:

v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -al


DMARC policy:

v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;pct=100;rua=mailto:david@dmarc.report-uri.com;ruf=mailto:david@dmarc.report-uri.com
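The RFC 7489 section 6.6.2 evaluation referred to earlier in the thread, applied to the DMARC record above, as an added example that is not code from the thread or from mailbox.org. It takes the SPF and DKIM results and their authenticated domains as inputs rather than doing DNS or signature work, and it assumes a simplified organizational-domain rule (last two labels) in place of the Public Suffix List; the domain names are constructed from the thread.

```python
# Constructed input: the DMARC record quoted in the post.
DMARC_RECORD = ("v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;pct=100;"
                "rua=mailto:david@dmarc.report-uri.com;ruf=mailto:david@dmarc.report-uri.com")


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption/simplification: organizational domain = last two labels.
    # A real implementation consults the Public Suffix List (RFC 7489 section 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only needs the same organizational domain (RFC 7489 section 3.1)."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, policy_domain):
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM
    passed AND that authenticated domain aligns with the RFC5322.From
    domain; otherwise the record's p= (or sp= for subdomains) applies."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= governs From domains below the domain where the record was published.
    is_subdomain = from_domain.lower() != policy_domain.lower()
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return "fail", policy
```

With the record above, a third-party server sending "boss@mydomain.com" whose only SPF pass is for its own MAIL FROM domain fails alignment and lands on p=reject; the same message relayed through a DKIM signer under a subdomain would pass only under adkim=r, which is exactly why adkim=s and aspf=s make the policy stricter.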

1

i hope you have -all and not -al ;)

1

Yeap, it's -all, I missed the last L accidentally :)

1

I would like to have news about this situation.

1

Nothing to tell, the issue still persists.

2

I did a little test and I can receive "fake emails" from Gmail and from my second domain not hosted on mailbox, so I can probably receive fake emails from any domain?

I received these emails both on my domain mail, hosted on mailbox, and on the alias mailbox.

1

Yeap, that's true. To kind of mitigate this, I use Thunderbird with several add-ons to check whether the SPF, DKIM and DMARC tests have passed successfully for all emails I receive. But that is me; I don't think email clients like Outlook and others have this functionality, so those people are vulnerable to spoofing.

2

Hi David, you seem to have a great setup. Can you recommend any add-ons for Thunderbird to verify authenticity or at least to have some plausibility checks?

1

Sure :) I use these add-ons:


1. DKIM Verifier (try to configure it with unbound libs to check if DKIM signatures are DNSSEC secured. The guide is here). It also shows SPF and DMARC checks.


2. Rspamd-spamness (configure it to check the spam scores of emails).

2

I also like Spam Scores (GitHub).

1

Yeap, also a good add-on; it's the same as Rspamd-spamness.


I would consider adding DKIM Verifier, because you can configure it to check DKIM, SPF and DMARC, plus whether a domain is secured with DNSSEC. And these checks are performed inside Mozilla Thunderbird with unbound libs, so it doesn't only show the results of such checks from the MTA, which are included in every letter, but rechecks everything on its own.

1

Dear all, unfortunately, I won't be able to update you on the matters of this thread. I'm quitting my account due to troubles with email delivery from Russian email providers.

2

That's a shame David, you've been very helpful in this thread. I assume you've spoken with Support about the issues you're having - what's their take on it?

1

They have recommended accessing Mailbox via Tor, but my main problem is that I'm not able to receive crucial emails from Russian mail service providers. Hope you will be successful in persuading Mailbox to respect SPF and DMARC policies :) According to the Hardenize service, Mailbox has implemented every single security mechanism - it's a good service, just the customer support could be improved, as well as the monitoring of this forum by their specialists.


In 90 days my account will be deleted. Wish you all the best, guys!
