Siteprotect.com and cp20.com dmarc/SPF fail


Siteprotect.com and cp20.com dmarc/SPF fail

Ian Evans
I'm a reviewer and sent an email from my site responding to one of their coverage requests.

A few minutes later, my postmaster acct received this message:

A message claiming to be from you has failed the published DMARC
policy for your domain.

 Sender Domain: digitalhit.com
 Sender IP Address: 216.24.225.10
 Received Date: Mon, 27 Jul 2020 15:14:35 -0400
 SPF Alignment: no
 DKIM Alignment: no
 DMARC Results: Quarantine

Followed by:
------ This is a copy of the headers that were received before the error
       was detected.

X-DKIM-Failure: bodyhash_mismatch
Received: from mail.cp20.com ([216.24.225.10])
by semfq01.mfg.siteprotect.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)

cp20.com appears to be a company for legit email marketing. 

The company I'm writing to is a legit PR firm. 

I'm not sure why cp20.com or Siteprotect.com is involved in this email transaction. I don't use them as I send my mail directly from my postfix server. Since the mail would have failed both spf and DKIM and my DKIM is set to quarantine, I'm not sure if they would receive a follow up from me. I'm also assuming I shouldn't be adding the cp20.com ip address to my spf setup. 

Any idea how to deal with this? Thanks. 


Re: Siteprotect.com and cp20.com dmarc/SPF fail

Wietse Venema
Ian Evans:

> I'm a reviewer and sent an email from my site responding to one of their
> coverage requests.
>
> A few minutes later, my postmaster acct received this message:
>
> A message claiming to be from you has failed the published DMARC
> policy for your domain.
>
>  Sender Domain: digitalhit.com
>  Sender IP Address: 216.24.225.10
>  Received Date: Mon, 27 Jul 2020 15:14:35 -0400
>  SPF Alignment: no
>  DKIM Alignment: no
>  DMARC Results: Quarantine
>
> Followed by:
> ------ This is a copy of the headers that were received before the error
>        was detected.
>
> X-DKIM-Failure: bodyhash_mismatch
> Received: from mail.cp20.com ([216.24.225.10])
> by semfq01.mfg.siteprotect.com with esmtps
> (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)

Other than the time, was any information in the header even remotely
related to the message that you were sending?

If it is not your email message, then the question is why cp20
was sending email on behalf of your domain?

It may be worthwhile to look up Postfix's logging for the outbound
delivery of your message. The logging with "status=sent" contains
the name and IP address of the server that Postfix gave the message
to, plus some remote message identifier in the remote SMTP server's
response.

        Wietse
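As an added example (not from the thread), a small Python parser for the postfix/smtp "status=sent" line Wietse describes, run over a constructed line modelled on the one quoted later in this thread (the recipient is a placeholder, not the real address): it pulls out the queue id, the relay name and IP, the DSN code and the remote server's reply, which is where a remote message identifier appears when the receiving server returns one.

```python
import re

# Constructed sample line modelled on the status=sent entry quoted in this
# thread; the recipient local part is a placeholder, not the real address.
SAMPLE_LOG = (
    "Jul 27 15:14:22 carson postfix/smtp[13747]: 9323F20309D: "
    "to=<RECIPIENT-PLACEHOLDER@cp20.com>, "
    "relay=mail.cp20.com[216.24.225.10]:25, delay=0.3, "
    "delays=0.01/0.01/0.06/0.22, dsn=2.6.0, "
    "status=sent (250 2.6.0 message received)"
)

# Matches the host[ip]:port relay form; lines with relay=none or relay=local
# deliberately do not match and are reported as None.
SMTP_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtp\[\d+\]: "
    r"(?P<queue_id>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay_host>[^\[\s]+)\[(?P<relay_ip>[^\]]+)\]:(?P<relay_port>\d+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<response>.*)\)$"
)


def parse_smtp_delivery(line):
    """Return the fields of one postfix/smtp delivery line, or None if it is not one."""
    m = SMTP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["relay_port"] = int(rec["relay_port"])
    return rec


def next_hop_for_queue_id(lines, queue_id):
    """Where did Postfix hand this queue id off?  -> (relay_host, relay_ip, response)

    The response is the remote server's reply at end-of-data; when the remote
    side echoes its own queue id, that is where it shows up.  In the sample it
    is just '250 2.6.0 message received', i.e. no identifier was returned.
    """
    for line in lines:
        rec = parse_smtp_delivery(line)
        if rec and rec["queue_id"] == queue_id and rec["status"] == "sent":
            return rec["relay_host"], rec["relay_ip"], rec["response"]
    return None


if __name__ == "__main__":
    print(next_hop_for_queue_id([SAMPLE_LOG], "9323F20309D"))
```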

Re: Siteprotect.com and cp20.com dmarc/SPF fail

Ian Evans
On Mon, Jul 27, 2020, 5:32 PM Wietse Venema, <[hidden email]> wrote:
Ian Evans:
> I'm a reviewer and sent an email from my site responding to one of their
> coverage requests.
>
> A few minutes later, my postmaster acct received this message:
>
> A message claiming to be from you has failed the published DMARC
> policy for your domain.
>
>  Sender Domain: digitalhit.com
>  Sender IP Address: 216.24.225.10
>  Received Date: Mon, 27 Jul 2020 15:14:35 -0400
>  SPF Alignment: no
>  DKIM Alignment: no
>  DMARC Results: Quarantine
>
> Followed by:
> ------ This is a copy of the headers that were received before the error
>        was detected.
>
> X-DKIM-Failure: bodyhash_mismatch
> Received: from mail.cp20.com ([216.24.225.10])
> by semfq01.mfg.siteprotect.com with esmtps
> (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)

Other than the time, was any information in the header even remotely
related to the message that you were sending?

If it is not your email message, then the question is why cp20
was sending email on behalf of your domain?

It may be worthwhile to look up Postfix's logging for the outbound
delivery of your message. The logging with "status=sent" contains
the name and IP address of the server that Postfix gave the message
to, plus some remote message identifier in the remote SMTP server's
response.

Wietse, 

The header in the dmarc email was truncated but I also was sure what information should be obfuscated or the suggested way to obfuscate it. 

The from in the report headers was my email address. The subject line was my re: subject line. 

The original email was a mass e-mail to reporters. The return path was not the publicist's email but:

Return-Path: <bounce_idanfdl_o-[my email] =[hidden email]>

Looking at the Postfix logs it appears the email was sent to the same ip address for cp20.com:

Jul 27 15:14:22 carson postfix/smtp[13747]: 9323F20309D: to=<[some coded letters that probably translate to the publicist email]@cp20.com>, relay=mail.cp20.com[216.24.225.10]:25, delay=0.3, delays=0.01/0.01/0.06/0.22, dsn=2.6.0, status=sent (250 2.6.0 message received)

I deal with a ton of PR companies that send emails via services like MailChimp. This is my first time seeing this. I've been running DMARC since about 2017.


Re: Siteprotect.com and cp20.com dmarc/SPF fail

Wietse Venema
Ian Evans:
> Looking at the Postfix logs it appears the email was sent to the same ip
> address for cp20.com:
>
> Jul 27 15:14:22 carson postfix/smtp[13747]: 9323F20309D: to=<[some coded
> letters that probably translate to the publicist email]@cp20.com>, relay=
> mail.cp20.com[216.24.225.10]:25, delay=0.3, delays=0.01/0.01/0.06/0.22,
> dsn=2.6.0, status=sent (250 2.6.
> 0 message received)

So, your Postfix did send your message to cp20.com.

cp20 forwarded it to some domain hosted at digitalhit.com. Because
of the forwarding, the spf checks failed.

cp20 also made some header and body modifications so that DKIM
checks failed.

        Wietse
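As an added example (not from the thread or from Postfix), the DKIM body-hash step behind the "X-DKIM-Failure: bodyhash_mismatch" line in the report: the verifier recomputes the hash of the canonicalized body and compares it with the bh= tag before it even looks at the signature, so any forwarder that alters the body (here a hypothetical appended footer, on constructed message bodies) fails the check, while whitespace-only changes survive relaxed canonicalization.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    Whitespace at the end of each line is dropped, runs of spaces and tabs
    collapse to one space, trailing empty lines are removed, and a non-empty
    body ends with exactly one CRLF.
    """
    out = []
    for line in body.replace("\r\n", "\n").split("\n"):
        out.append(re.sub(r"[ \t]+", " ", line).rstrip(" \t"))
    while out and out[-1] == "":
        out.pop()
    return "\r\n".join(out) + "\r\n" if out else ""


def body_hash(body):
    """The bh= value a signer computes: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body, bh_tag):
    """The verifier's first step; False here is what the report calls bodyhash_mismatch."""
    return body_hash(body) == bh_tag


# Constructed bodies: what left the author's Postfix, the same body after a
# hypothetical forwarder appended a footer, and a whitespace-only rewrap.
ORIGINAL_BODY = "Hi,\r\n\r\nHappy to cover this. When does the embargo lift?\r\n\r\nIan\r\n"
FOOTER_ADDED_BODY = ORIGINAL_BODY + "\r\n--\r\nSent via a mailing service\r\n"
REWRAPPED_BODY = ORIGINAL_BODY.replace("Happy to cover this.", "Happy  to cover this.  ")


def demo():
    bh = body_hash(ORIGINAL_BODY)  # the bh= tag the signer would have written
    return {
        "original": body_hash_matches(ORIGINAL_BODY, bh),          # True
        "footer_added": body_hash_matches(FOOTER_ADDED_BODY, bh),  # False
        "whitespace_only": body_hash_matches(REWRAPPED_BODY, bh),  # True
    }


if __name__ == "__main__":
    print(demo())
```

Header changes by the forwarder are a separate failure (they break the signature over the signed header fields, not bh=), and SPF fails independently because the forwarder's IP is not in the sender domain's SPF record.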

Re: Siteprotect.com and cp20.com dmarc/SPF fail

Ian Evans
On Mon, Jul 27, 2020, 6:59 PM Wietse Venema, <[hidden email]> wrote:
Ian Evans:
> Looking at the Postfix logs it appears the email was sent to the same ip
> address for cp20.com:
>
> Jul 27 15:14:22 carson postfix/smtp[13747]: 9323F20309D: to=<[some coded
> letters that probably translate to the publicist email]@cp20.com>, relay=
> mail.cp20.com[216.24.225.10]:25, delay=0.3, delays=0.01/0.01/0.06/0.22,
> dsn=2.6.0, status=sent (250 2.6.
> 0 message received)

So, your Postfix did send your message to cp20.com.

cp20 forwarded it to some domain hosted at digitalhit.com. Because
of the forwarding, the spf checks failed.

cp20 also made some header and body modifications so that DKIM
checks failed.

        Wietse

Just to clarify (and maybe I obfuscated incorrectly) but _I'M_ digitalhit.com. If I did make it more unclear with the obfuscation, I'm sorry. I would think responding to a group email service would forward to the publicist. Not sure why it would forward anything to me (digitalhit.com). I guess I need to dig around and see if I can find a tech contact for cp20.com. And I'm assuming a workaround would be sending a new mail directly to the publicist so as to avoid the return reply path. 

Re: Siteprotect.com and cp20.com dmarc/SPF fail

Wietse Venema
Ian Evans:

> > So, your Postfix did send your message to cp20.com.
> >
> > cp20 forwarded it to some domain hosted at digitalhit.com. Because
> > of the forwarding, the spf checks failed.
> >
> > cp20 also made some header and body modifications so that DKIM
> > checks failed.
>
> Just to clarify (and maybe I obfuscated incorrectly) but _I'M_
> digitalhit.com. If I did make it more unclear with the obfuscation, I'm
> sorry. I would think responding to a group email service would forward to
> the publicist. Not sure why it would forward anything to me (digitalhit.com).
> I guess I need to dig around and see if I can find a tech contact for
> cp20.com. And I'm assuming a workaround would be sending a new mail
> directly to the publicist so as to avoid the return reply path.

So, your Postfix did send your message to cp20.com.

cp20 then sent it to digitalhit.com. Because of the forwarding, the
spf checks failed.

cp20 also made some header and body modifications so that DKIM
checks failed.

Now you know what other sites do if they follow your DMARC policy.

        Wietse