[PLUG] Fw: DMARC Forensic Report for nuegia.net from IP 54.245.45.210

Jason Barbier jason at corrupted.io
Fri Dec 25 01:51:38 UTC 2020


This is normal and expected for most mail list software and has been the bane of most mail authentication schemes. It's not a misconfiguration per se on either side, just an artifact of the mail list bifurcating and spoofing messages. The only real way to stop it breaks most mail clients displaying users or involves abandoning DMARC.

---
Jason Barbier | E: jason at corrupted.io 
GPG: FD7D2D5F0A0FBE39 (https://keybase.io/kusuriya)

On Thu, Dec 24, 2020, at 5:41 PM, Tom wrote:
> Why do I get these whenever I email the PLUG mailing list? Is this a
> misconfiguration on my side or is PLUGML modifying my messages before
> forwarding them? And if so, why?
> 
> Begin forwarded message:
> 
> Date: Thu, 24 Dec 2020 12:10:39 +0100
> From: no-reply at mx112.antispamcloud.com
> To: postmaster at nuegia.net
> Subject: DMARC Forensic Report for nuegia.net from IP 54.245.45.210
> 
> 
> A message claiming to be from you has failed the published DMARC
> policy for your domain.
> 
>   Sender Domain: nuegia.net
>   Sender IP Address: 54.245.45.210
>   Received Date: Thu, 24 Dec 2020 12:10:39 +0100
>   SPF Alignment: no
>   DKIM Alignment: no
>   DMARC Results: Reject
> 
> ------ This is a copy of the headers that were received before the error
>        was detected.
> 
> X-DKIM-Failure: bodyhash_mismatch
> Received: from ec2-54-245-45-210.us-west-2.compute.amazonaws.com
> ([54.245.45.210] helo=ss2.netgate.net) by mx112.antispamcloud.com with
> esmtps (TLSv1.2:AES128-GCM-SHA256:128) (Exim 4.92)
> 	(envelope-from <brooks at ss2.netgate.net>)
> 	id 1ksOVz-000l1u-4E
> 	for kevin at netgate.net; Thu, 24 Dec 2020 12:10:39 +0100
> Received: from ss2.netgate.net (localhost [127.0.0.1])
> 	by ss2.netgate.net (8.14.4/8.14.4) with ESMTP id 0BOBAbR9013857
> 	for <kevin at netgate.net>; Thu, 24 Dec 2020 03:10:37 -0800
> Received: (from brooks at localhost)
> 	by ss2.netgate.net (8.14.4/8.14.4/Submit) id 0BOBAb5e013856
> 	for kevin at netgate.net; Thu, 24 Dec 2020 03:10:37 -0800
> Received: from mx55.netgate.net ([172.31.30.184])
> 	by ss2.netgate.net (8.14.4/8.14.4) with ESMTP id 0BOBAbrT013850
> 	for <brooks at ss2i.netgate.net>; Thu, 24 Dec 2020 03:10:37 -0800
> Received: from mx102.antispamcloud.com (mx102.antispamcloud.com
> [199.115.114.223]) by mx55.netgate.net (8.14.7/8.14.7) with ESMTP id
> 0BOBAavi023850 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384
> bits=256 verify=NO) for <brooks at netgate.net>; Thu, 24 Dec 2020 03:10:37
> -0800 (envelope-from plug-bounces at pdxlinux.org).$
> X-DKIM-Failure: bodyhash_mismatch
> Received: from mail-hosting-3e68.spiretech.net ([69.168.62.104]
> helo=plv1.spiretech.com) by mx102.antispamcloud.com with esmtps
> (TLSv1.2:AES128-GCM-SHA256:128) (Exim 4.92)
> 	(envelope-from <plug-bounces at pdxlinux.org>)
> 	id 1ksOVt-0006nE-Mt
> 	for brooks at netgate.net; Thu, 24 Dec 2020 12:10:36 +0100
> Received: from localhost.localdomain (localhost [IPv6:::1])
> 	by plv1.spiretech.com (Postfix) with ESMTP id 2415980215;
> 	Thu, 24 Dec 2020 03:10:31 -0800 (PST)
> Received: from mail.nuegia.net (nat4.nuegia.net [23.92.27.105])
> 	by plv1.spiretech.com (Postfix) with ESMTPS id 0FF9980208
> 	for <plug at pdxlinux.org>; Thu, 24 Dec 2020 03:10:29 -0800 (PST)
> Received: from mail.nuegia.net (localhost [127.0.0.1])
> 	by mail.nuegia.net (OpenSMTPD) with ESMTP id 24a1dc97
> 	for <plug at pdxlinux.org>; Thu, 24 Dec 2020 11:10:27 +0000 (UTC)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=nuegia.net; h=date:from:to
> 	:subject:message-id:in-reply-to:references:mime-version
> 	:content-type:content-transfer-encoding; s=mail; bh=pRgWRSOryxr1
> 	9b8aiBd2jr05n/w=; b=mSXxlactp/arTaVxwZjidTgixvdr3Q0aPkH+PXjVxT0v
> 	jz0HsmPBBUgQI6iYF5kuTHg3fS5hti++uHqX1TLR3eP4U4vu8HF0fFrHfftk+xPb
> 	S6LkyUXNUZNC/NBKbYHnKRnXrlVNQppgZRqhw+c6wHYfJ3P1oSDT5X4ICuDNeJE=
> Received: by mail.nuegia.net (OpenSMTPD) with ESMTPSA id 1906cc03
> 	(TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <plug at pdxlinux.org>;
> 	Thu, 24 Dec 2020 11:10:27 +0000 (UTC)
> Date: Thu, 24 Dec 2020 03:10:56 -0800
> From: Tom <tgrom.automail at nuegia.net>
> To: plug at pdxlinux.org
> Message-ID: <20201224031056.30069b0e at viridi>
> In-Reply-To:
> <CAHP3WfP8xDN80EHwHOCiUF4LchhQNYKb5jSJJeCmN-DtayC-Wg at mail.gmail.com>
> References:
> <CAHP3WfMFNtio00Wg3FGFmRo5z-FPHDcYth_uKgRYU53U3mxeEw at mail.gmail.com>
> <CAHP3WfP8xDN80EHwHOCiUF4LchhQNYKb5jSJJeCmN-DtayC-Wg at mail.gmail.com>
> X-Mailer: Claws Mail 3.17.6 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
> MIME-Version: 1.0 Subject: Re: [PLUG] Transplanting hard-disk
> X-BeenThere: plug at pdxlinux.org X-Mailman-Version: 2.1.12
> Precedence: list
> List-Id: Portland Linux/Unix Group <plug.pdxlinux.org>
> List-Unsubscribe: <http://lists.pdxlinux.org/mailman/options/plug>,
> 	<mailto:plug-request at pdxlinux.org?subject=unsubscribe>
> List-Archive: <http://lists.pdxlinux.org/pipermail/plug/>
> List-Post: <mailto:plug at pdxlinux.org>
> List-Help: <mailto:plug-request at pdxlinux.org?subject=help>
> List-Subscribe: <http://lists.pdxlinux.org/mailman/listinfo/plug>,
> 	<mailto:plug-request at pdxlinux.org?subject=subscribe>
> Reply-To: Portland Linux/Unix Group <plug at pdxlinux.org>
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Sender: plug-bounces at pdxlinux.org
> Errors-To: plug-bounces at pdxlinux.org
> Received-SPF: pass (mx102.antispamcloud.com: domain of pdxlinux.org
> designates 69.168.62.104 as permitted sender) client-ip=69.168.62.104;
> envelope-from=plug-bounces at pdxlinux.org; helo=plv1.spiretech.com;
> X-SPF-Result: mx102.antispamcloud.com: domain of pdxlinux.org
> designates 69.168.62.104 as permitted sender Authentication-Results:
> mx102.antispamcloud.com; iprev=pass (mail-hosting-3e68.spiretech.net)
> smtp.remote-ip=69.168.62.104; spf=pass smtp.mailfrom=pdxlinux.org;
> dkim=fail (body hash mismatch; body probably modified in transit)
> header.d=nuegia.net header.s=mail header.a=rsa-sha1; dmarc=fail
> header.from=nuegia.net Authentication-Results:  antispamcloud.com;
> spf=pass smtp.mailfrom=plug-bounces at pdxlinux.org; dkim=fail
> (bodyhash_mismatch) header.i=nuegia.net X-Filter-Label: newsletter
> X-Spampanel-Class: whitelisted X-Spampanel-Evidence: sender
> X-Recommended-Action: accept X-Filter-ID:
> X-Report-Abuse-To: spam at quarantine4.antispamcloud.com X-Sender-Warning:
> ss2.netgate.net has no MX records X-DKIM-Status: none /  /
> ss2.netgate.net /  /  / X-DKIM-Status: fail / bodyhash_mismatch /
> nuegia.net / nuegia.net /  / mail
> 
> 
> 
> -- 
>  ________________________________________ 
> / NOWPRINT. NOWPRINT. Clemclone, back to \
> | the shadows again. - The Firesign      |
> \ Theater                                /
>  ---------------------------------------- 
> \
>  \
>    /\   /\   
>   //\\_//\\     ____
>   \_     _/    /   /
>    / * * \    /^^^]
>    \_\O/_/    [   ]
>     /   \_    [   /
>     \     \_  /  /
>      [ [ /  \/ _/
>     _[ [ \  /_/
> _______________________________________________
> PLUG: https://pdxlinux.org
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
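
The failure in the forwarded report, as an added example (not part of the original thread): the signature uses a=rsa-sha1 with c=relaxed, which means "simple" body canonicalization, so a footer appended by the list changes the bh= value, and the SPF pass is for pdxlinux.org rather than the From: domain. The sample body, the helper names and the two-label org_domain() shortcut are constructed assumptions.

```python
import base64
import hashlib

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, algo: str = "sha1") -> str:
    """Value a signer or verifier computes for the DKIM bh= tag."""
    digest = hashlib.new(algo, canon_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real verifiers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_result(from_domain, spf, spf_domain, dkim, dkim_domain) -> str:
    """DMARC passes only if SPF or DKIM passes AND aligns with the From: domain."""
    spf_ok = spf == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = dkim == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample body; footer modelled on the one at the end of the quoted message.
ORIGINAL = b"Reply text as written by the sender.\r\n"
LIST_FOOTER = (b"_______________________________________________\r\n"
               b"PLUG mailing list\r\n"
               b"http://lists.pdxlinux.org/mailman/listinfo/plug\r\n")

def relay_through_list(body: bytes) -> bytes:
    """What the list does to the body before redistributing it."""
    return body + LIST_FOOTER

def verify_after_relay(signed_bh: str, received_body: bytes) -> str:
    """Receiver-side body hash check against the bh= the sender signed."""
    return "pass" if body_hash(received_body) == signed_bh else "fail"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL)                      # computed by the sender's MTA
    dkim = verify_after_relay(bh, relay_through_list(ORIGINAL))
    print("dkim:", dkim)
    # Values from the report: spf=pass for pdxlinux.org, From: nuegia.net
    print("dmarc:", dmarc_result("nuegia.net", "pass", "pdxlinux.org",
                                 dkim, "nuegia.net"))
```
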


