Old 31 Mar 2017, 01:52 PM   #1
Mr5o1
Junior Member
 
Join Date: Apr 2015
Posts: 8
Successful delivery of emails with spoofed headers

One of my co-workers received an email with spoofed headers "from" me. I thought that this sort of thing wasn't really possible if things are set up correctly, so I'm trying to figure out whether this means I've missed something.

Here's the full raw message, but I've replaced my domains and addresses.

Code:
Delivered-To: recipient_gmail_id@gmail.com
Received: by 10.223.177.130 with SMTP id q2csp2261010wra;
        Thu, 30 Mar 2017 19:51:22 -0700 (PDT)
X-Received: by 10.55.148.71 with SMTP id w68mr642645qkd.268.1490928682633;
        Thu, 30 Mar 2017 19:51:22 -0700 (PDT)
Return-Path: <1billion@melakoster.com>
Received: from forward2-smtp.messagingengine.com (forward2-smtp.messagingengine.com. [66.111.4.226])
        by mx.google.com with ESMTPS id t62si3512532qkc.177.2017.03.30.19.51.22
        for <recipient_gmail_id@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 30 Mar 2017 19:51:22 -0700 (PDT)
Received-SPF: neutral (google.com: 66.111.4.226 is neither permitted nor denied by best guess record for domain of 1billion@melakoster.com) client-ip=66.111.4.226;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 66.111.4.226 is neither permitted nor denied by best guess record for domain of 1billion@melakoster.com) smtp.mailfrom=1billion@melakoster.com
Received: from mailmx.nyi.internal (mx2.nyi.internal [10.202.2.201]) by mailforward.nyi.internal (Postfix) with ESMTP id 1995A13C3 for <recipient_gmail_id@gmail.com>; Thu, 30 Mar 2017 22:51:22 -0400 (EDT)
Received: from mx2.messagingengine.com (localhost [127.0.0.1]) by mailmx.nyi.internal (Postfix) with ESMTP id 0FE03D812C for <coworker@ourdomain.com.au>; Thu, 30 Mar 2017 22:51:22 -0400 (EDT)
Received: from mx2.messagingengine.com (localhost [127.0.0.1])
    by mx2.messagingengine.com (Authentication Milter) with ESMTP
    id CC04B40548E;
    Thu, 30 Mar 2017 22:51:22 -0400
Authentication-Results: mx2.messagingengine.com;
    dkim=none (no signatures found);
    dmarc=none (p=none) header.from=ourdomain.com.au;
    spf=none smtp.mailfrom=1billion@melakoster.com smtp.helo=p3plwbeout02-02.prod.phx3.secureserver.net
Received-SPF: none
    (melakoster.com: No applicable sender policy available)
    receiver=mx2.messagingengine.com;
    identity=mailfrom;
    envelope-from="1billion@melakoster.com";
    helo=p3plwbeout02-02.prod.phx3.secureserver.net;
    client-ip=72.167.218.32
Received: from p3plwbeout02-02.prod.phx3.secureserver.net (p3plsmtp02-02.prod.phx3.secureserver.net [72.167.218.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx2.messagingengine.com (Postfix) with ESMTPS for <coworker@ourdomain.com.au>; Thu, 30 Mar 2017 22:51:21 -0400 (EDT)
Received: from localhost ([72.167.218.15]) by :WBEOUT: with SMTP id tmeHcZWgvUsyotmeHcXu9l; Thu, 30 Mar 2017 19:50:49 -0700
X-SID: tmeHcZWgvUsyo
Received: (qmail 3500 invoked by uid 99); 31 Mar 2017 02:50:49 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 105.0.36.156
User-Agent: Workspace Webmail 6.6.16
Message-Id: <20170330195046.4c44dbeb8d194485a4a3f447668ee816.b00bb92ff0.wbe@email02.godaddy.com>
From: me Surname <me@ourdomain.com.au>
X-Sender: 1billion@melakoster.com
Reply-To: me Surname <me@mymail-network.com>
To: coworker@ourdomain.com.au
Subject: Process
Date: Thu, 30 Mar 2017 19:50:46 -0700
Mime-Version: 1.0
X-CMAE-Envelope: MS4wfHsxmI1B4cDdUB+52edyAgbMQ7JyfW1md9TY8IOqk6vOAVypaPtmJqjWNiM82fBGVVm2uQ9ajB6ItC+H/yDl5qvVlEC+Z++45aMvfzQGcAuNxcYG5/ye IkdpDrAfRUnhLIsISA3zUwAIoBpGAb7z0ROjizJLDKNSApoQOF0u20SX

<html><body><span style=3D"font-family:Verdana; color:#000000; font-size:10=
pt;"><div><span>Hi coworker,</span></div><div><br></div><div>Are you at the offi=
ce to make a payment now? get back to me now so I can send through the deta=
ils.<br><br>Regards,</div><div><br></div><div style=3D"">me</div></span><=
/body></html>
In summary it looks like:

From: my actual address
X-Sender: attacker address & domain
Reply-To: My Name <myuser@some-other-domain.com>

AFAIK my domain records are set up correctly with SPF & DKIM records.
I know that fastmail doesn't use DKIM or SPF like a firm pass or fail, but I would have thought that for a sending domain registered with fastmail this kind of spoof would have been blocked.

Anyhow, as I said above, I'm not trying to rip on fastmail spam detection (or lack thereof), but rather, just trying to confirm whether this is indicative of anything set up correctly with fastmail & my domain.

Thanks in advance.
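As an added example (not part of the post, and not Fastmail's or Gmail's own code), the following Python script pulls apart the Authentication-Results header from the message above and checks the identifier alignment that DMARC relies on. It shows why the headers read the way they do: the SPF result belongs to the envelope sender domain (melakoster.com), not to the From: domain, there is no DKIM signature that could bind the From: domain to the sender, and the effective DMARC policy is p=none, so the receiver had nothing to enforce. The embedded message is a constructed excerpt of the headers quoted in the post; the relaxed-alignment check is a simplified approximation (exact match or subdomain) rather than a full organizational-domain lookup.

```python
import email
import re
from email.utils import parseaddr

# Constructed excerpt of the headers quoted in the post (the poster already
# replaced the real domains and addresses with placeholders).
RAW_MESSAGE = """\
Authentication-Results: mx2.messagingengine.com;
    dkim=none (no signatures found);
    dmarc=none (p=none) header.from=ourdomain.com.au;
    spf=none smtp.mailfrom=1billion@melakoster.com smtp.helo=p3plwbeout02-02.prod.phx3.secureserver.net
From: me Surname <me@ourdomain.com.au>
X-Sender: 1billion@melakoster.com
Reply-To: me Surname <me@mymail-network.com>
To: coworker@ourdomain.com.au
Subject: Process

Are you at the office to make a payment now?
"""


def parse_auth_results(value):
    """Split an RFC 8601 Authentication-Results value into
    (authserv-id, {method: {"result", "comment", "props"}})."""
    value = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0]
    results = {}
    for clause in parts[1:]:
        m = re.match(r"(\w+)=(\w+)(?:\s*\(([^)]*)\))?(.*)", clause)
        if not m:
            continue
        method, result, comment, rest = m.groups()
        # Remaining key=value tokens are the properties (smtp.mailfrom, header.from, ...)
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = {"result": result, "comment": comment or "", "props": props}
    return authserv_id, results


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header value ('' if absent)."""
    if not header_value:
        return ""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def aligned(auth_domain, from_domain):
    """DMARC relaxed alignment, approximated as: identical, or a subdomain of From:."""
    return bool(auth_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain)
    )


def assess(raw):
    """Report which identity each check covered and whether DMARC could enforce anything."""
    msg = email.message_from_string(raw)
    _, ar = parse_auth_results(msg["Authentication-Results"])
    from_domain = domain_of(msg["From"])
    spf = ar.get("spf", {"result": "none", "props": {}})
    mailfrom_domain = spf["props"].get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim = ar.get("dkim", {"result": "none", "props": {}})
    # Only a *passing* check whose domain aligns with From: counts towards DMARC.
    spf_aligned = spf["result"] == "pass" and aligned(mailfrom_domain, from_domain)
    dkim_aligned = dkim["result"] == "pass" and aligned(dkim["props"].get("header.d", ""), from_domain)
    pol = re.search(r"p=(\w+)", ar.get("dmarc", {}).get("comment", ""))
    dmarc_policy = pol.group(1) if pol else None
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "spf_result": spf["result"],
        "spf_aligned": spf_aligned,
        "dkim_result": dkim["result"],
        "dkim_aligned": dkim_aligned,
        "dmarc_policy": dmarc_policy,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "enforced": dmarc_policy in ("quarantine", "reject"),
        "reply_to_domain": domain_of(msg["Reply-To"]),
    }


def findings(a):
    """Human-readable explanation of the assessment, one line per observation."""
    notes = [
        f"SPF ({a['spf_result']}) was evaluated for the envelope sender domain "
        f"{a['mailfrom_domain']!r}, not for the From: domain {a['from_domain']!r}."
    ]
    if a["dkim_result"] != "pass":
        notes.append("No passing DKIM signature, so nothing binds the From: domain to this sender.")
    if not a["dmarc_pass"]:
        action = "requests quarantine/reject." if a["enforced"] else "requests no action, so the receiver delivered."
        notes.append(f"DMARC fails for {a['from_domain']!r}; effective policy p={a['dmarc_policy']} {action}")
    if a["reply_to_domain"] and a["reply_to_domain"] != a["from_domain"]:
        notes.append(f"Reply-To points at a third domain {a['reply_to_domain']!r}; replies bypass the displayed sender.")
    return notes


if __name__ == "__main__":
    for line in findings(assess(RAW_MESSAGE)):
        print("-", line)
```

Run it and the output reproduces the situation in the post: SPF and DKIM say nothing about ourdomain.com.au, DMARC fails but p=none asks the receiver only to report, and the Reply-To steers replies to yet another domain. The same script can be pointed at any saved raw message to see which of the three checks actually covered the domain in From:.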