Emails were sent to a bunch of Wikimedia mailing lists with a forged sender address, and were accepted for delivery by the mailing list software even though the sending IP would not have passed an SPF check had such a check been made.
Example:
```
Received: by 10.25.242.8 with SMTP id q8csp729203lfh;
        Mon, 27 Mar 2017 12:52:57 -0700 (PDT)
X-Received: by 10.55.51.3 with SMTP id z3mr15510936qkz.260.1490644377570;
        Mon, 27 Mar 2017 12:52:57 -0700 (PDT)
Return-Path: <wikiquote-l-bounces@lists.wikimedia.org>
Received: from lists.wikimedia.org (lists.wikimedia.org. [208.80.154.75])
        by mx.google.com with ESMTPS id u67si1450024qkh.159.2017.03.27.12.52.57
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 27 Mar 2017 12:52:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org designates 208.80.154.75 as permitted sender) client-ip=208.80.154.75;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@lists.wikimedia.org;
        spf=pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org designates 208.80.154.75 as permitted sender) smtp.mailfrom=wikiquote-l-bounces@lists.wikimedia.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.wikimedia.org; s=wikimedia;
        h=Sender:Content-Type:Reply-To:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:Date:To:From; bh=kEHOha/Scy56S/LbJV1s66vl+L3OyHpJBRCB8sEBDp0=;
        b=bHrOMD9lDIEwwXAD9eeBiE6Pa19mqjh1K+I/XTPt1TCrromq0Xpzvmc8SwBdhyDDIzNq+smvbqf1zKN0/bQMJcKkBdD0W9VD7ZcLtBl3qI9cjqS1fiExqnp5eP1v8yplv+p0hMgbw3ALWEd3OsDaQhxFwDHmO7en42uh3SxRlX0=;
Received: from localhost ([::1]:54758 helo=fermium.wikimedia.org)
        by fermium.wikimedia.org with esmtp (Exim 4.84_2)
        (envelope-from <wikiquote-l-bounces@lists.wikimedia.org>)
        id 1csahD-00023D-Fa; Mon, 27 Mar 2017 19:52:55 +0000
Received: from [221.199.61.194] (port=28951 helo=fpwm.yandex.ru)
        by fermium.wikimedia.org with esmtp (Exim 4.84_2)
        (envelope-from <ktc@ktchan.info>)
        id 1csah8-0001xj-4V; Mon, 27 Mar 2017 19:52:51 +0000
From: "Katie Chan" <ktc@ktchan.info>
To: "Wikimedia GLAM collaboration Public" <glam@lists.wikimedia.org>,
        "wikisource-l" <wikisource-l@lists.wikimedia.org>, "wikiquote-l"
        <wikiquote-l@lists.wikimedia.org>
Date: Mon, 27 Mar 2017 14:51:16 -0500
Message-ID: <1668507701.20170327225116@ktchan.info>
Content-Language: en-gb
MIME-Version: 1.0
Subject: [Wikiquote-l] =?utf-8?q?crazy_stuff?=
X-BeenThere: wikiquote-l@lists.wikimedia.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Mailing list for the Wikiquote projects
        <wikiquote-l.lists.wikimedia.org>
List-Unsubscribe: <https://lists.wikimedia.org/mailman/options/wikiquote-l>,
        <mailto:wikiquote-l-request@lists.wikimedia.org?subject=unsubscribe>
List-Archive: <https://lists.wikimedia.org/pipermail/wikiquote-l/>
List-Post: <mailto:wikiquote-l@lists.wikimedia.org>
List-Help: <mailto:wikiquote-l-request@lists.wikimedia.org?subject=help>
List-Subscribe: <https://lists.wikimedia.org/mailman/listinfo/wikiquote-l>,
        <mailto:wikiquote-l-request@lists.wikimedia.org?subject=subscribe>
Reply-To: Mailing list for the Wikiquote projects
        <wikiquote-l@lists.wikimedia.org>
Content-Type: multipart/mixed; boundary="===============4274199592207540311=="
Errors-To: wikiquote-l-bounces@lists.wikimedia.org
Sender: "Wikiquote-l" <wikiquote-l-bounces@lists.wikimedia.org>
X-Spam-Score: 10.2 (++++++++++)
X-Spam-Report: Spam detection software, running on the system "fermium.wikimedia.org",
        has identified this incoming email as possible spam. The original
        message has been attached to this so you can view it or label
        similar future email. If you have any questions, see
        the administrator of that system for details.

        Content preview: Hello friend, I've been looking for something interesting
        and have come across that crazy stuff, just take a look http://hncg.com.cn/quarter.php?1312
        See you soon, Katie Chan [...]

        Content analysis details: (10.2 points, 4.0 required)

        pts rule name description
        ---- ---------------------- --------------------------------------------------
        1.3 URIBL_CR_SURBL Contains an URL listed in the CR SURBL blocklist
        [URIs: hncg.com.cn]
        1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        [URIs: hncg.com.cn]
        3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
        [221.199.61.194 listed in zen.spamhaus.org]
        0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
        1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
        [221.199.61.194 listed in bb.barracudacentral.org]
        0.0 HTML_MESSAGE BODY: HTML included in message
        1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
```
Does the server or mailman do any sort of sender authentication before sending on emails using schemes such as SPF, DKIM, or DMARC as & if appropriate?
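The headers above show why the check has to happen at the list server: the `spf=pass` recorded by the recipient covers the list's own bounce address, while the original envelope sender is only visible at the first hop into `fermium`. The following is an added example, not part of the original report, that contrasts the two. The SPF policy for the forged domain is constructed for illustration, and the function names `ingress_hop`, `spf_result` and `audit` are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: headers reduced from the message quoted above.
RAW = (
    "Received-SPF: pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org"
    " designates 208.80.154.75 as permitted sender) client-ip=208.80.154.75;\n"
    "Received: from localhost ([::1]:54758 helo=fermium.wikimedia.org)\n"
    "\tby fermium.wikimedia.org with esmtp (Exim 4.84_2)\n"
    "\t(envelope-from <wikiquote-l-bounces@lists.wikimedia.org>)\n"
    "Received: from [221.199.61.194] (port=28951 helo=fpwm.yandex.ru)\n"
    "\tby fermium.wikimedia.org with esmtp (Exim 4.84_2)\n"
    "\t(envelope-from <ktc@ktchan.info>)\n"
    'From: "Katie Chan" <ktc@ktchan.info>\n\n'
)
# Assumption: made-up SPF policy; the real record for this domain is not on the page.
SPF_RECORDS = {"ktchan.info": "v=spf1 ip4:192.0.2.0/24 -all"}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
HOP = re.compile(r"\[([0-9A-Fa-f.:]+)\].*?envelope-from <([^>]+)>", re.S)

def ingress_hop(msg):
    """Oldest Received hop with a non-loopback client: (client IP, envelope sender)."""
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m and not ipaddress.ip_address(m.group(1)).is_loopback:
            return m.group(1), m.group(2)
    return None

def spf_result(ip, sender, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all terms only; a real check resolves DNS per RFC 7208."""
    policy = records.get(sender.rsplit("@", 1)[1].lower())
    if not policy:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        kind, _, net = mech.partition(":")
        if kind == "all" or (kind in ("ip4", "ip6")
                             and addr in ipaddress.ip_network(net, strict=False)):
            return QUAL[qual]
    return "neutral"

def audit(raw=RAW):
    """Compare SPF on the original envelope sender with what the recipient saw."""
    msg = email.message_from_string(raw)
    ip, sender = ingress_hop(msg)
    seen = re.match(r"(\w+) .*?domain of (\S+)", msg.get("Received-SPF", ""))
    return {"ingress": (ip, sender), "spf_at_list_server": spf_result(ip, sender),
            "spf_at_recipient": seen.groups() if seen else None}
```

Under the constructed policy, `audit()` reports a `fail` for the envelope sender at the list server and a `pass` at the recipient for the rewritten bounce address.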