Regular Gmail or Gmail for Work?

Story: Gmail and a Can of Spam
Total Replies: 4
dotmatrix

Jan 12, 2016
2:58 PM EDT
I know a lot about email servers and security -- or I think I do until I don't.

It's very difficult for me to determine from the article if:

  • The email account is a regular gmail account or a gmail for work account.
  • If the sent 'spam' has stopped being sent.


I did notice that 'fixedbylinux.com' is a domain which seems to be connected to Helios, and that domain is running gmail for work...

So, if I assume that the 'compromised' account is a gmail for work account and the user is a self-proclaimed web security novice -- and since I've checked the domain records... I can give the following advice...

Ken:

Your domain may be 'responsible' for spoofed email messages. This may be the problem or not -- but it is a problem you need to fix.

  1. Set up SPF: https://support.google.com/a/answer/178723?hl=en
  2. Set up DKIM: https://support.google.com/a/answer/174124?hl=en
  3. Add a DMARC DNS record: https://support.google.com/a/answer/2466580?hl=en


Then verify it works by checking it all out:
  1. Here: http://mxtoolbox.com/
  2. And here: http://www.protodave.com/tools/dkim-key-checker/
  3. And here: https://dmarcian.com/dmarc-inspector/google.com
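The three records above only matter for what a receiving server does with them, so here is what that evaluation looks like in code. This is an added example, not code from the thread or from Google's tooling: the DNS TXT records and the per-message SPF/DKIM results are constructed, a real receiver would fetch `_dmarc.<From-domain>` from DNS, and the organizational-domain logic is a last-two-labels approximation rather than a public-suffix-list lookup.

```python
"""Offline DMARC evaluation (RFC 7489 semantics) over constructed records.

Added example; the TXT records and message samples below are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT records keyed by domain (the "_dmarc." label is dropped
# for readability). pct= sampling is ignored in this simplified evaluator.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:aggregates@example.com; adkim=r; aspf=r",
    "parked.example.com": "v=DMARC1; p=reject; rua=mailto:aggregates@example.com;",
    "weak.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into tags and apply RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is set
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiver already knows before applying DMARC."""
    header_from: str             # RFC5322.From domain, what the recipient sees
    spf_domain: Optional[str]    # RFC5321.MailFrom domain that SPF checked
    spf_pass: bool
    dkim_domain: Optional[str]   # d= of a DKIM signature that verified
    dkim_pass: bool


def evaluate_dmarc(msg: AuthResults, records=DMARC_RECORDS) -> str:
    """Return 'pass', or the disposition to apply ('none', 'quarantine', 'reject')."""
    from_dom = msg.header_from.lower()
    if from_dom in records:
        policy = parse_dmarc(records[from_dom])
        disposition = policy["p"]
    elif org_domain(from_dom) in records:
        policy = parse_dmarc(records[org_domain(from_dom)])
        disposition = policy["sp"]       # subdomain of a domain that published a record
    else:
        return "none"                    # no policy published: receiver does nothing
    # Either authenticator passing with an aligned domain satisfies DMARC.
    spf_ok = (msg.spf_pass and msg.spf_domain is not None
              and aligned(msg.spf_domain, from_dom, policy["aspf"]))
    dkim_ok = (msg.dkim_pass and msg.dkim_domain is not None
               and aligned(msg.dkim_domain, from_dom, policy["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else disposition


if __name__ == "__main__":
    samples = {
        "sent through the domain's own (Google) servers":
            AuthResults("example.com", "example.com", True, "example.com", True),
        "spoofed From: sent from a spammer's server":
            AuthResults("example.com", "spammer.example", True, None, False),
        "forwarded: SPF breaks, DKIM signature survives":
            AuthResults("example.com", "forwarder.example", False, "example.com", True),
        "spoofed From: on the parked domain":
            AuthResults("parked.example.com", None, False, None, False),
    }
    for what, msg in samples.items():
        print("%-48s -> %s" % (what, evaluate_dmarc(msg)))
```

The spammer case is the one that matters for this thread: the spammer's own server can pass SPF for `spammer.example`, but that domain is not aligned with the `From:` domain, so with `p=reject` the message is refused. The forwarding case shows why DKIM is set up alongside SPF: a forwarded message fails SPF but still passes DMARC on the surviving signature.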
mbaehrlxer

Jan 13, 2016
4:52 AM EDT
so you are suggesting that in fact no one broke into the account but just managed to spoof the sender after all?

greetings, eMBee.
jdixon

Jan 13, 2016
9:23 AM EDT
> ...so you are suggesting that in fact no one broke into the account but just managed to spoof the sender after all?

In this case the login records show that someone did in fact get into the account, as you can see in the security checkup screen capture in the article.

The question left is exactly how they did so.
dotmatrix

Jan 13, 2016
9:31 AM EDT
@mbaehrlxer:

I'm suggesting that spoofing the given domain is possible, and that spoofed spam is the majority of spam. Further, I seem to remember reading somewhere that spam email comprises about 60% of used Internet bandwidth.

  • It could be that the email account in question was compromised but no email sent from the actual domain, but spoofed and sent from somewhere else to the victim's contact list.
  • It could be that the email account in question was compromised and used to send spam directly.
  • It could be that the email account in question was not compromised, but spoofed only.
I haven't had a gmail account for a decade, so I'm not sure the screenshot posted reflects successful logins to an account or email origin addresses.

It's likely that the first option is what happened. Compromised account, stolen contact list, spoofed email to contact list. However, I don't have one of the spam email messages to examine it, so I'm guessing.

Having said that...

SPF, DKIM, and DMARC are mandatory in today's world for email systems. It's a bit unfortunate that gmail for work exists --- because the persons using gmail for work can piggyback on Google's server reputation rather than configuring things to work securely. If the domain was running its own SMTP, it's likely many messages would be rejected by several of the big email providers.

EDIT***

**Even if your domain is not sending any email*** At the very least, ensure that others don't receive spoofed messages from your domain by using a 'reject' DMARC... nothing needs to be setup at all in order for this to work -- just enter a single short TXT record in DNS for the domain.

https://dmarc.org/wiki/FAQ
> DMARC FAQ wrote: First create a DMARC record on your main domain (example.com) for all your parked domains:
>
> _dmarc.parked.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:aggregates@example.com; "


And this tool will give you a copy/paste record:

http://www.kitterman.com/dmarc/assistant.html

If you enter in an email address in the record for reporting, you'll get a daily list of the number of emails received at many of the big email providers claiming to be from your domain. For domains that are newly setup with DMARC, it's likely the daily reports will show tens or maybe hundreds of spoofed messages per day -- note that not a single one of these is originated at the spoofed server, so this has nothing to do with configuring your email client or setting account passwords.
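The daily reports the post describes arrive as XML aggregate reports at the `rua=` address. As an added example (not from the thread, not a dmarc.org or Google tool), here is a parser that turns one such report into the counts a domain owner actually wants: how much mail passed DMARC, how much merely claimed the domain, and which source sent the most of it. The report below is constructed in the RFC 7489 Appendix C layout, uses only documentation IP ranges, and its counts are made up.

```python
"""Parse a DMARC aggregate (rua) report and count who is claiming your domain.

Added example; SAMPLE_REPORT is a constructed report, not a real one.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>1452700000.1</report_id>
    <date_range><begin>1452643200</begin><end>1452729599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>120</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>spammer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.9</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten the <record> rows of an aggregate report into plain dicts."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated/dkim and /spf are the *aligned* results, which is
            # what DMARC decides on; auth_results holds the raw per-domain checks.
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "rows": rows,
    }


def summarize(report: dict) -> dict:
    """Split counts into DMARC-passing mail and mail that merely claims the domain."""
    per_source = defaultdict(lambda: {"authenticated": 0, "spoofed": 0})
    total = authenticated = spoofed = 0
    for r in report["rows"]:
        total += r["count"]
        if r["dkim_aligned"] or r["spf_aligned"]:
            authenticated += r["count"]
            per_source[r["source_ip"]]["authenticated"] += r["count"]
        else:
            spoofed += r["count"]
            per_source[r["source_ip"]]["spoofed"] += r["count"]
    worst = sorted(per_source.items(), key=lambda kv: kv[1]["spoofed"], reverse=True)
    top = worst[0][0] if worst and worst[0][1]["spoofed"] else None
    return {"domain": report["domain"], "policy": report["policy"], "total": total,
            "authenticated": authenticated, "spoofed": spoofed,
            "top_spoofing_source": top, "per_source": dict(per_source)}


if __name__ == "__main__":
    summary = summarize(parse_aggregate_report(SAMPLE_REPORT))
    print("%(domain)s (p=%(policy)s): %(total)d messages seen, "
          "%(authenticated)d authenticated, %(spoofed)d spoofed" % summary)
    for ip, counts in summary["per_source"].items():
        print("  %-15s %s" % (ip, counts))
```

Note that the forwarded messages from `198.51.100.9` fail SPF but count as authenticated because the aligned DKIM signature survived forwarding; the 120 messages from `203.0.113.7` pass SPF for the spammer's own domain, which is not aligned, so they were rejected. That distinction is why the per-source breakdown should be read off `policy_evaluated` rather than the raw `auth_results`.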
cybertao

Jan 13, 2016
7:44 PM EDT
I used to farm out email for clients to Gmail just because I felt they could provide better security and filtering than me. I did this by redirecting email from my server to the relevant Gmail account. But because my server was unauthenticated (without SPF and DKIM configured) Gmail occasionally spammed email sent from an unauthenticated email server that bounced off my unauthenticated email server.

I've since upskilled and provide complete service myself with authentication. The alternative was for my clients to pay for Gmail business accounts with domain direction. In the process of learning about authentication and reading email headers I became aware of how many poorly configured servers there are in the wild. Some corporate servers will reject email from an unauthenticated server outright - which is lazy filtering as such email could come from unmaintained legitimate servers, but understandable all the same. Some block all email from China!
