Welcome to the mailbox.org user forum!
 
New Topic
Properties
Category Password and Security
Tags SPF, dmarc, dkim, phishing, spoofing

Spoofing protection (again)

David shared this problem 12 months ago
In Progress

Hello. Thanks to this email tester I uncovered, that the Mailbox.org doesn't check SPF, DKIM, and DMARC records, which is terrible and may lead to dire consequences if I wouldn't constantly check the original headers of each letter.

I have turned on every possible protection to strict mode on my custom domain, even copied and changed SPF record to make it stricter: 


v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all


But again, some server was still able to spoof my domain and sent a letter to me in the form of "Boss <boss@mydomain.com>", pretending to have rights to send letters from my domain. After I checked the headers, I realized that the Mailbox.org completely doesn't check SPF, DKIM, and DMARC records.


My question is, why a paid mail service hasn't implemented phishing protection, like did the free mail services Protonmail, Tutanota, Gmail, and others?


Please, do not refer to German sources, articles and videos - I'm an international customer with English language proficiency.

6 The same problem 0  

Comments (8)

photo
2
mailbox.org Support 12 months ago

Hi there,

thanks for this hint.

We are investigating this issue and come back to you.

Generally we do not recommend setting SPF records to strict (-all).

Best regards

Reply
photo
2
3345038 12 months ago

Hi support,

Following this topic as I'm also interested/concerned about anti-spoofing protection.

I think what Protonmail does in this instance is very useful, see:


https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-authentication-requirements-warning/


So when an email fails DKIM/SPF checks, a warning is shown to users.


PS: I've reproduced the issue from the original post even when my domain uses ~all instead of -all.

photo
1
David 12 months ago

Thank you, and I'm aware about -all but the source of this information was fully in German. I struggled with Google Translate, but understood a little. If you do have an English language source, please, provide it in this thread.

photo
1
3292338 12 months ago

Did you try: https://kb.mailbox.org/display/MBOKBEN/Private+Clients?beecom.language=en

photo
1
David 12 months ago

I'm using Mozilla Thunderbird 78 on Windows and Fastmail on Android. Yes, I can install additional plugins for Thunderbird to check DKIM, SPF and DMARC, but these checks should be done by an Email Security Gateway.


Moreover, by default, the DMARC policy is not enabled for mailbox.org and only 50% of emails would be affected by DMARC policy.

The MTA-STS policy is in testing mode , I have a custom domain, so I'm able to provide my own policies, but by default it is practically off.

photo
photo
2
6643578 11 months ago

mailbox.org support has answered this question here (in German though):


https://userforum.mailbox.org/topic/5349-wertet-mailbox-org-dkimdmarc-nicht-aus#comment-22406

It would be nice if the support team could provide an English translation of that answer here. If they delay though and you can't understand the answer after using a translation tool, then reply to this comment and I can translate it for you myself.

Reply
photo
2
mailbox.org Support 11 months ago

The question is basically about the setting "DMARC p=reject" or "p=none" on our servers. DMARC combines the checks of SPF and DKIM. If you use your own domain, you can configure this setting by yourself as per this guide (lower part).


Here's a translation of the original text by our CEO Peer Heinlein: 


Putting a hard DKIM policy in place has lead to massive issues in real life. Eventually our users blame us for this (and then cancel their accounts or polemicise about us as an unreliable provider in every "third" forum).

There are still many mailing lists or other constructs where DKIM has not been implemented flawlessly.

A hard DKIM policy would cause a lot of (desired) e-mails not to reach their destination.

This is the fault of others, but we end up being the culprit.

We re-evalute the situation every 6 months and are waiting for the right moment to set the hard DKIM policy live - or well, allow for our users to configure this. However, rejecting hard is a tough one, also compare with the thrashing we were given for our SMTP plausibility check.

Reply
photo
1
David 11 months ago

I see, thank you. It there a way to indicate in a web interface, that this letter has a couple of problems? Like Protonmail company did.

photo
1
David 2 months ago

Again, what I need:


For example, I have my own domain privatemailbox.com, and I configured everything, and I'm using Mailbox service for email. I also configured strict SPF and DMARC rules, so that no scammer is to use my domain, and particularly my email address like david@privatemailbox.com Of course, they can forge the sender ID (e.g. my email david@privatemailbox.com), but because of the configured SPF and DMARC for my domain, other mail providers would check the authenticity of such email letter and reject it, because the sender IP is not in SPF allowed range, and it doesn't have a valid DKIM signature.


What does Mailbox do? Mailbox.org is just ignoring my configured SPF and DMARC policies and instead of rejecting a scammer's letter, it delivers it.

photo
2
TeCer 53 days ago

i don't understand the mailbox support response.

The problem is not spf/dkim/dmarc configured on mailbox/customdomain dns records but the fact that mailbox does not honor the configuration of spf/dkim/dmarc for incoming mails.

I've never had this kind of problem with other providers and I don't know if it's a problem to implement this configuration on mailbox but I think it's a basic configuration for an email provider (tell me if I'm wrong, I'm not an expert).

Anyway I have opened a ticket a few days ago to have explanations about this situation, I hope for an answer as soon as possible.

photo
1
David 48 days ago

Have they responded to you?

photo
2
TeCer 48 days ago

no I opened the ticket on June 7 and I'm still waiting, I received an auto-message which warned me that they have an increase in ticket requests and that the response would be slow (very slow I would say...)


anyway i probably misread the reply above from the mailbox team because they actually talk about configuration on their servers, so i think they want to keep the p=none policy until they decide it's time to adopt a more restrictive policy.


I would like to ask why they don't take into consideration the p=quarantine policy (like mailfence does), at least the messages of that type would go into spam

photo
1
David 48 days ago

If I understand it correctly: For example, I configured strict DMARC on my custom domain. Mailbox's servers should read my policy and apply it to emails from my domain. So that no one could spoof letters from my domain, because it has strict DMARC policy. I presume other mail providers read my policy and apply it to letters from my domain.


Their DMARC policy is read by other mail providers, which they apply to letters from Mailbox's domain.

photo
1
TeCer 48 days ago

how inbound mail servers treat messages that fail dmarc is different for each email provider, so you may have a restrictive dmarc configuration (p=reject) but then it depends on how the inbound mail server treats your policy.


for what i know mailfence and microsoft365 for example treat a failed dmarc with the p=quarantine policy so the message arrives in the spam folder, i think this is a good solution rather than p=none but the problem with mailbox.org is that we have no possibility to configure a whitelist, so if for some reason the dmarc of contacts that we know and consider safe fails, we will receive their messages always in the spam folder or not receive them at all in the case of p=reject


it would be interesting to know if it is possible to have a custom configuration for our custom domains. the owner of the domain decides what to do in case of dmarc failure, in this way if there are problems with receiving mail, mailbox.org will not have problems with complaints. but honestly i don't know if this is possible.

photo
1
David 48 days ago

Look at the RFC 7489 , particularly section 6.6 and 6.6.2. MTA fetches the policy from sender's domain, does some checks and applies the sender's policy from his domain. So Mailbox's DMARC policy p=none is fetched by other email providers to check what they should do with emails from Mailbox.org domain, if they fail DMARC checks.


A custom configuration for our custom domains we can apply and it would be visible to other email providers. I also monitor how other mail providers are working with my letter via DMARC reporting and TLS-RPT. You can my domain's policy here at this service

photo
photo
1
David 10 months ago

Thank you mailbox team for acknowledging the ticket and starting working on it!

Can't wait to see the changes!

Reply
photo
2
mailbox.org Support 10 months ago

Please take note of this scheduled change that addresses the formerly mentioned scenario.

https://mailbox.org/en/post/security-adjustment-and-deactivation-of-certain-mail-functions

Reply
photo
1
David 9 months ago

I tested again with the service on this website and again mailbox.org doesn't check from appropriate DKIM, DMARC and SPF. In theory mailbox.org should reject a letter from boss@my-domain.com, because I set the SPF and DMARC policies for my-domain.com to be the strictest possible .

photo
1
David 8 months ago

One more update. Still the same issue. Still mailbox doesn't check SPF and DMARC

photo
2
5822703 4 months ago

Also hoping to hear about this, it's something holding me back from signing up with mailbox.

photo
1
David 4 months ago

I tested once again and still the same issue persists. Why does mailbox ignore my domain's SPF and DMARC policies?

photo
1
David 3 months ago

Guys from mailbox are aware and they are working on this feature, thank you!


I hope and wait.

Files: spoofing protection.PNG
photo
3
1311609 2 months ago

42 days later, is there any update?

photo
1
David 2 months ago

The problem still persists - Mailbox.org doesn't respect my strict SPF and DMARC rules. So anybody can mimic my domain and send letters to Mailbox without authorization and despite strict SPF and DMARC.


I'm concerned if the administration is to do anything

photo
1
1311609 2 months ago

yeah, i know, just setup mailbox with my own domain, found this out, and then i found this topic.

hope they found a solution before someone is using my domainname for bad tings...

photo
1
3375833 2 months ago

Hi David, may I ask, what are your SPF / DMARC policies?

photo
2
David 2 months ago

Hey. Sure, no problem. My SPF policy is in the first post, but I'll paste it here once again:


SPF policy: 

v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -al


DMARC policy: 

v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;pct=100;rua=mailto:david@dmarc.report-uri.com;ruf=mailto:david@dmarc.report-uri.com

photo
1
1311609 2 months ago

i hope you have -all and not -al ;)

photo
1
David 2 months ago

Yeap, it's -all, I missed the last L letter accidently :)

photo
photo
1
TeCer 2 months ago

I would like to have news about this situation

Reply
photo
1
David 59 days ago

Nothing to tell, the issue still persists.

photo
photo
2
TeCer 57 days ago

I did a little test and I can receive "fake emails" from gmail and my second domain not hosted on mailbox, so I can probably receive fake email from any domain?

I received these emails both on my domain mail, hosted on mailbox, and on the alias mailbox.

Reply
photo
1
David 55 days ago

Yeap, that's true. To kind of mitigate this, I use Thunderbird with several add-ons to check if SPF, DKIM and DMARC tests have been passed successfully for all emails I receive. But that is me, I don't think email clients like Outlook and others have this functionality, so the people are vulnerable to spoofing.

photo
2
3375833 55 days ago

Hi David, you seem to have a great setup. Can you recommend any add-ons for Thunderbird to verify authenticity or at least to have some plausibility checks?

photo
1
David 54 days ago

Sure :) I use these add-ons:


1. DKIM verifier (try to configure it with unbound libs to check if DKIM signatures are DNSSEC secured. The guide is here ). It also shows SPF and DMARC checks


2. Rspamd-spamness (configure it to check the spam scores of emails)

photo
2
ethan 48 days ago

I also like Spam Scores (GitHub).

photo
1
David 48 days ago

Yeap, also a good addon, it's the same as Rspamd-spamness


I would consider adding DKIM verifier, because you can configure it to check DKIM, SPF and DMARC + if a domain is secured with DNSSEC. And these checks are performed inside Mozilla Thunderbirds with unbound libs, so it doens't only shows the results of such checks from MTA, which are included in every letter, but rechecks everything on its own.

photo
photo
1
David 21 days ago

Dear all, unfortunately, I won't be able to update you on the matters of this thread. I'm quitting my account due to troubles with email delivery from Russian email providers.

Reply
photo
2
Dan Mullen 21 days ago

That's a shame David, you've been very helpful in this thread. I assume you've spoken with Support about the issues you're having - what's their take on it?

photo
1
David 6 days ago

They have recommended entering the Mailbox via Tor, but my main problem is that I'm not able to receive crucial emails from Russian mail service providers. Hope you would be successful in persuading Mailbox to respect SPF and DMARC policies :) According to Hardenize service , Mailbox implemented every single security mechanism - it's a good service, just customer's support could be improved as well as monitoring this forum by their specialists.


In 90 days my account would be deleted, wish you all the best, guys!

photo
Leave a Comment
 
Attach a file
© 2018 mailbox.org