Help me understand this spam

Hey guys and girls,

I am receiving email spam (on the Inbox) on a gmail account from ... my own account. I don't think it's hacked, just spoofed. I don't understand how it happens and if there is something I can do to help prevent it.

My guess is that merck.com is using Google Apps and has been hacked or has some web form being exploited - but it's getting inboxed, which is troubling me.

What do you think?

Below are the headers:

Delivered-To: [email protected]
Received: by 10.76.109.45 with SMTP id hp13csp1828639oab;
        Sun, 31 Jan 2016 10:12:43 -0800 (PST)
X-Received: by 10.141.5.213 with SMTP id h204mr12976232qhd.48.1454263963453;
        Sun, 31 Jan 2016 10:12:43 -0800 (PST)
Return-Path: <[email protected]>
Received: from taz.merck.com (taz.merck.com. [155.91.38.113])
        by mx.google.com with ESMTPS id w138si27474829qhb.76.2016.01.31.10.12.43
        for <[email protected]>
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Sun, 31 Jan 2016 10:12:43 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 155.91.38.113 as permitted sender) client-ip=155.91.38.113;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 155.91.38.113 as permitted sender) [email protected];
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
X-IronPort-AV: E=Sophos;i="5.22,376,1449550800"; 
   d="scan'208,217";a="151138605"
Received: from unknown (HELO ipmh3.merck.com) ([54.62.195.241])
  by taz.merck.com with ESMTP; 31 Jan 2016 13:12:42 -0500
X-IronPort-AV: E=Sophos;i="5.22,376,1449550800"; 
   d="scan'208,217";a="224708185"
Received: from usctcl1-usctcl2-intranet-snat.merck.com (HELO iserv118) ([54.62.195.245])
  by ipmh3.merck.com with ESMTP; 31 Jan 2016 13:12:44 -0500
Message-ID: <18016717.1454263962910.JavaMail.www@iserv118>
Date: Sun, 31 Jan 2016 13:12:42 -0500 (EST)
From: [email protected]
To: [email protected]
Subject: Ticks from The Merck Veterinary Manual
Mime-Version: 1.0
Content-Type: multipart/mixed; 

Comments

  • Received: from taz.merck.com (taz.merck.com. [155.91.38.113])

    Spoofed mail, didn't come from GMAIL at all. We have a lot of this at work and I end up having to block IP ranges; just best to ignore it, as it hasn't come from Google's mail servers at all.

    It also seems to be advertising their own product - strange. There are some companies that do spit out your own address when sending you specific pieces of mail though.

    Thanked by 4: deadbeef netomx jar lazyt
  • jar Patron Provider, Top Host, Veteran

    Times where I feel like Google is a little too permissive of what comes in. Spoofing "From" to be from *@gmail.com when not originating from a Google server is a fairly decent reason to bounce an email.

  • GM2015 Member
    edited January 2016

    With a steady focus on innovation and sound science, we work to deliver spam email, forged email, viagra deals and more spam that can help millions around the world.

    Thanked by 1: deadbeef
  • jarland said: Times where I feel like Google is a little too permissive of what comes in. Spoofing "From" to be from *@gmail.com when not originating from a Google server is a fairly decent reason to bounce an email.

    Seems kind of harsh for automated emails...

  • jar Patron Provider, Top Host, Veteran
    edited January 2016

    jemaltz said: Seems kind of harsh for automated emails...

    You don't have to spoof From addresses for automated emails :)

    Point being if you control the only SMTP server(s) that a domain's email should route through and you receive from another server claiming to be sending from that domain, that's generally something you'd want to avoid. At best it's someone who has no idea how to run a mail server, which still means you want to avoid them because they'll be spamming later even if not by choice.

    Thanked by 1: deadbeef
  • @jarland said:
    Times where I feel like Google is a little too permissive of what comes in. Spoofing "From" to be from *@gmail.com when not originating from a Google server is a fairly decent reason to bounce an email.

    I'm more surprised the SPF didn't fail it.

    Thanked by 3: jar deadbeef HyperSpeed
  • @jarland said:
    You don't have to spoof From addresses for automated emails :)

    Have to? No, but for a lot of people, I would say that either setting up (hosted!) email on their own domain or providing their day-to-day Gmail account credentials to a PHP script are both overkill...

  • jar Patron Provider, Top Host, Veteran

    jemaltz said: I would say that either setting up (hosted!) email on their own domain or providing their day-to-day Gmail account credentials to a PHP script are both overkill

    To which I would say you must not really want to send email anyway. Surprise, you have to do things for servers to work right :P

    Thanked by 2: jemaltz deadbeef
  • @jarland said:
    To which I would say you must not really want to send email anyway. Surprise, you have to do things for servers to work right :P

    Indeed. It's unfortunate that some of the more popular scripts/CMSes (WordPress!) don't even expose custom SMTP settings without third-party plugins, relying on PHP's settings. If I had to guess, I wouldn't be surprised if the majority of web servers are not set up to send scripted mail "properly."

    Thanked by 1: jar
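
Why the posted headers can show `spf=pass` and `dmarc=fail` at the same time, as an added example that is not part of the thread: SPF is checked against the envelope sender (Return-Path), while DMARC also requires that domain to align with the visible From domain. The sample message, the addresses, the IP and `sender.example` are constructed placeholders, and `explain` and `org_domain` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post. The addresses, the IP
# and the envelope domain "sender.example" are placeholders, not page values.
SAMPLE = """\
Return-Path: <bounce@sender.example>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@sender.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@sender.example;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
From: victim@gmail.com
To: victim@gmail.com
Subject: constructed test message

body
"""

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the
    # organizational domain; a real check uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def explain(raw):
    """Recompute SPF/DKIM alignment from a message's Authentication-Results."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    ar = " ".join(msg.get_all("Authentication-Results", []))
    ar = re.sub(r"\([^()]*\)", "", ar)  # drop comments such as "(google.com: ...)"
    spf = re.search(r"\bspf=(\w+)", ar)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", ar)
    dkim = re.search(r"\bdkim=(\w+)[^;]*?header\.[di]=(?:[^\s;@]*@)?([\w.-]+)", ar)
    env_dom = mailfrom.group(1).rpartition("@")[2].lower() if mailfrom else ""
    spf_pass = bool(spf) and spf.group(1) == "pass"
    # DMARC only credits an SPF pass when the envelope domain matches From.
    spf_aligned = spf_pass and org_domain(env_dom) == org_domain(from_dom)
    dkim_aligned = (bool(dkim) and dkim.group(1) == "pass"
                    and org_domain(dkim.group(2)) == org_domain(from_dom))
    return {"from": from_dom, "envelope": env_dom, "spf_pass": spf_pass,
            "spf_aligned": spf_aligned, "dmarc_pass": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key}: {value}")
```

The `p=NONE dis=NONE` in the posted `dmarc=fail` line records that the From domain's published policy asked for no action, which is why a failing message could still be delivered.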