GMAIL Spoofing
Gmail and Spam. A company I am working with has started to get reports of SPAM being sent from an email address that belongs to them. It is spoofing I guess? I have gone through the process of setting up all of the SPF entries and DMARC. However, it has started again. Is there a tolerance level or something that needs to be set? I am at a loss on how to stop the SPOOFING. Any help will be appreciated.
Did you use -all instead of ~all?
Post the full Gmail message (Use the function "Show Original") here also. It will give you some info too.
ASKER
Received: by 2002:ac8:d0:0:b0:3a7:fc4b:
Thu, 22 Dec 2022 07:40:15 -0800 (PST)
X-Received: by 2002:a17:90b:b03:b0:219:b7
Thu, 22 Dec 2022 07:40:15 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1671723615; cv=pass;
d=google.com; s=arc-20160816;
b=XQ7pIyb4eyd6nVOOKF98I0VV
mmhnQWyWwCnw5neJzq+u3rlSBD
s7P5nqiI6ZMXkHNfS2O5as/y2g
bsBb6j6rB+TIdFzZfNfDMfnkaQ
KWpiHcoWt/VqzPyjW7UAp+hnTa
F0Yw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=references:to:cc:in-repl
:from:dkim-signature:deliv
bh=phpDbWWaPkCB0VM96eEIsPU
b=igVGqfQZYwkB7VREE9TcJLYG
n8M5YKhIujsqgwgqiees5ZoXPz
N8L2y4fw/XtGG4F1cFIeADM5ux
eVsTJkjbGGt4/ukSOg5gHJljRs
lJjb2P2sLWH8RFtGCH78dIX/Fo
Tkow==
ARC-Authentication-Results
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=s6kWYwlr;
arc=pass (i=1 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
spf=pass (google.com: domain of info+caf_=anne=thegardener
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Return-Path: <info+caf_=anne=thegardene
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id a12-20020a17090abe0c00b002
for <anne@thegardenersworkshop
(Google Transport Security);
Thu, 22 Dec 2022 07:40:15 -0800 (PST)
Received-SPF: pass (google.com: domain of info+caf_=anne=thegardener
Authentication-Results: mx.google.com;
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=s6kWYwlr;
arc=pass (i=1 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
spf=pass (google.com: domain of info+caf_=anne=thegardener
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=references:to:cc:in-repl
:from:dkim-signature:deliv
:subject:date:message-id:r
bh=phpDbWWaPkCB0VM96eEIsPU
b=IflXR7Pl1UJQR9DBL2h0yTsY
8Z/Wjj/tddNmjULQsoASwjeFTJ
P8JCd8ZMBtFyLmN8Ph8JO+CQzb
V+aelZPbQBAVlZO1cXJH2rRXJC
RBi22OI2QeNDUqPD4cwq7mk46c
kwVA==
X-Gm-Message-State: AFqh2kqqNBv40oZW7+1ii5cAbX
X-Received: by 2002:a17:90a:9b8b:b0:223:f
Thu, 22 Dec 2022 07:40:14 -0800 (PST)
X-Forwarded-To: anne@thegardenersworkshop.
X-Forwarded-For: info@thegardenersworkshop.
Delivered-To: info@thegardenersworkshop.
Received: by 2002:a05:6a20:a89c:b0:b2:3
Thu, 22 Dec 2022 07:40:11 -0800 (PST)
X-Google-Smtp-Source: AMrXdXsfW1Ye1QYVNkCf01lFXP
X-Received: by 2002:a17:90a:64c7:b0:218:f
Thu, 22 Dec 2022 07:40:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671723610; cv=none;
d=google.com; s=arc-20160816;
b=TEfqepxr1LdBdk24nQCm2pxu
8SefuOS/G3/oNSI32HnGKfgj/3
6rv/l8LAmWUqaPGRJjjFFGk98z
40ganX3keeIOWfPNG3sxmbk5eE
COhviEDsvjQgqpJuKkvt4D85d9
oGlQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=references:to:cc:in-repl
:from:dkim-signature;
bh=phpDbWWaPkCB0VM96eEIsPU
b=oOj+JHqevoVqsoTrOg9Udx6T
5Zijw0ujGDnbabQTMyeZ9u3WND
0UxI89wDmALc+TFw1TJ9QzKUG/
iNaowJlpYyTmlUqXleR7NCtvC3
koWAUjmhTHdNtKpumRQkyd3Xnp
1pdA==
ARC-Authentication-Results
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=s6kWYwlr;
spf=pass (google.com: domain of kaymer27@icloud.com designates 17.58.6.52 as permitted sender) smtp.mailfrom=kaymer27@icl
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Return-Path: <kaymer27@icloud.com>
Received: from pv50p00im-tydg10011801.me.
by mx.google.com with ESMTPS id nv8-20020a17090b1b4800b002
for <info@thegardenersworkshop
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA
Thu, 22 Dec 2022 07:40:10 -0800 (PST)
Received-SPF: pass (google.com: domain of kaymer27@icloud.com designates 17.58.6.52 as permitted sender) client-ip=17.58.6.52;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1671723610; bh=phpDbWWaPkCB0VM96eEIsPU
NGFWs3OLb0Uh2hI+nNlMebQnK3
J8iBU4UKOUnz1AEjK8xDtgKaD4
jF4TpbYkm10+pqn/b2WJ4C6muK
5GXX+AmrRwSTfR8Ot3+wAQD+cn
RQrAOFWI7pDZg==
Received: from smtpclient.apple (pv50p00im-dlb-asmtp-mailm
From: "Kathi D." <kaymer27@icloud.com>
Message-Id: <A3DB3C7E-573C-4C69-84E2-F
Content-Type: multipart/alternative; boundary="Apple-Mail=_94BE
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: 2nd attempt for Kaymer SPAM SPAM SPAM
Date: Thu, 22 Dec 2022 07:40:07 -0800
In-Reply-To: <42ef155d71b475ec1a57de4b4
Cc: linda lim <60790@gmail.com>
To: Ace <info@thegardenersworkshop
References: <42ef155d71b475ec1a57de4b4
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-Proofpoint-GUID: wqN3WwjPZ_7KbXr2oUHNj_F3n_
X-Proofpoint-ORIG-GUID: wqN3WwjPZ_7KbXr2oUHNj_F3n_
X-Proofpoint-Virus-Version
X-Proofpoint-Spam-Details:
--Apple-Mail=_94BEDD3A-4A4
Content-Transfer-Encoding:
Content-Type: text/plain; charset=us-ascii
Oh, this is a good one- the guys will love this! Ha ha ha ha
> On Dec 22, 2022, at 4:33 AM, Ace <info@thegardenersworkshop
>=20
>=20
>=20
>=20
>=20
>=20
>=20
> <http://sandbox.meinpaket.de/5crIlEOYQmu.dbm?fN0343ccTK9jcxPRJcycWQcGc76=
0ch1WDcbbb4H>
>=20
> <http://sandbox.meinpaket.de/5crIlEOYQmu.dbm?fN0343ccTK9jcxPRJcycWQcGc76=
0ch1WDcbbb4H>
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
--Apple-Mail=_94BEDD3A-4A4
Content-Transfer-Encoding:
Content-Type: text/html; charset=us-ascii
<html><head><meta http-equiv=3D"Content-Type
=3Dus-ascii"></head><body style=3D"word-wrap: break-word; -webkit-nbsp-mode=
: space; line-break: after-white-space;" class=3D"">Oh, this is a good one-=
the guys will love this! Ha ha ha ha<br class=3D""><div><br class=3D=
""><blockquote type=3D"cite" class=3D""><div class=3D"">On Dec 22, 2022, at=
4:33 AM, Ace <<a href=3D"mailto:info@thegar
"">info@thegardenersworksh
erchange-newline"><div class=3D""><table border=3D"0" cellpadding=3D"0" cel=
lspacing=3D"0" width=3D"100%" style=3D"caret-color: rgb(0, 0, 0); font-fami=
ly: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: norm=
al; font-weight: 400; letter-spacing: normal; text-align: start; text-inden=
t: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webk=
it-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decor=
ation: none; border-collapse: collapse;" class=3D""><tbody class=3D""><tr c=
lass=3D""><td colspan=3D"3" height=3D"1" style=3D"line-height: 1px;" class=
=3D""><br class=3D""></td><td class=3D""><table border=3D"0" cellpadding=3D=
"0" cellspacing=3D"0" width=3D"100%" style=3D"border-collapse: collapse;" c=
lass=3D""><tbody class=3D""><tr class=3D""><td colspan=3D"4" height=3D"9" s=
tyle=3D"line-height: 9px;" class=3D""><br class=3D""></td></tr><tr class=3D=
""><td align=3D"left" class=3D""><br class=3D""></td><td width=3D"15" style=
=3D"display: block; width: 15px;" class=3D""><br class=3D""></td></tr><tr c=
lass=3D""><td width=3D"15" style=3D"display: block; width: 15px;" class=3D"=
"><br class=3D""></td><td class=3D""><table border=3D"0" cellpadding=3D"0" =
cellspacing=3D"0" width=3D"100%" style=3D"border-collapse: collapse;" class=
=3D""><tbody class=3D""><tr class=3D""><td height=3D"28" style=3D"line-heig=
ht: 28px;" class=3D""><br class=3D""></td></tr><tr class=3D""><td class=3D"=
"><table align=3D"center" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" =
class=3D"ib_t" style=3D"border-collapse: collapse;"><tbody class=3D""><tr c=
lass=3D""><td align=3D"center" class=3D""><a href=3D"http://sandbox.meinpak=
et.de/5crIlEOYQmu.dbm?fN03
or: rgb(59, 89, 152); text-decoration: none;" class=3D""><h1 class=3D""><sp=
an style=3D"color: rgb(184, 49, 47);" class=3D""></span></h1></a
=3D""><a href=3D"http://sandbox.meinpaket.de/5crIlEOYQmu.dbm?fN0343ccTK9jcx=
PRJcycWQcGc760ch1WDcbbb4H"
n: none;" class=3D""><img src=3D"https://res.cloudinary.com/dkvrw3gud/image=
/upload/v1671712166/Captur
und-image: url("https://res.cloudinary.com/dkvrw3gud/image/upload/v167=
1712166/Capture321_i6krwj.
solid black; background-repeat: no-repeat no-repeat;" class=3D""><br class=
=3D""></div></a></h1></td>
height=3D"28" style=3D"line-height: 28px;" class=3D""><br class=3D""></td>=
</tr><tr class=3D""><td class=3D""><br class=3D""></td></tr><tr class=3D"">=
<td height=3D"28" style=3D"line-height: 28px;" class=3D""><br class=3D""></=
td></tr><tr class=3D""><td class=3D""><table align=3D"center" border=3D"0" =
cellpadding=3D"0" cellspacing=3D"0" class=3D"ib_t" style=3D"border-collapse=
: collapse;"><tbody class=3D""><tr class=3D""><td align=3D"center" class=3D=
""><br class=3D""></td></tr></tbo
ight=3D"28" style=3D"line-height: 28px;" class=3D""><br class=3D""></td></t=
r><tr class=3D""><td class=3D""><br class=3D""></td></tr><tr class=3D""><td=
height=3D"28" style=3D"line-height: 28px;" class=3D""><br class=3D""></td>=
</tr><tr class=3D""><td class=3D""><br class=3D""></td></tr><tr class=3D"">=
<td height=3D"16" style=3D"line-height: 16px;" class=3D""><br class=3D""></=
td></tr></tbody></table></
h: 15px;" class=3D""><br class=3D""></td></tr><tr class=3D""><td width=3D"1=
5" style=3D"display: block; width: 15px;" class=3D""><br class=3D""></td><t=
d class=3D""><table align=3D"left" border=3D"0" cellpadding=3D"0" cellspaci=
ng=3D"0" width=3D"100%" style=3D"border-collapse: collapse;" class=3D""><tb=
ody class=3D""><tr style=3D"border-top-width:
border-top-color: rgb(229, 229, 229);" class=3D""><td height=3D"19" style=
=3D"line-height: 19px;" class=3D""></td></tr><tr class=3D""><td style=3D"fo=
nt-family: "Helvetica Neue", Helvetica, "Lucida Grande"=
, tahoma, verdana, arial, sans-serif; font-size: 11px; color: rgb(170, 170,=
170); line-height: 16px;" class=3D""><br class=3D""></td><td width=3D"15" =
style=3D"display: block; width: 15px;" class=3D""><br class=3D""></td></tr>=
<tr class=3D""><td width=3D"15" style=3D"display: block; width: 15px;" clas=
s=3D""><br class=3D""></td><td class=3D""><table border=3D"0" cellpadding=
=3D"0" cellspacing=3D"0" width=3D"100%" style=3D"border-collapse: collapse;=
" class=3D""><tbody class=3D""><tr class=3D""><td style=3D"font-family: &qu=
ot;Helvetica Neue", Helvetica, "Lucida Grande", tahoma, verd=
ana, arial, sans-serif; font-size: 11px; color: rgb(170, 170, 170); line-he=
ight: 16px;" class=3D""><br class=3D""></td><td width=3D"15" style=3D"displ=
ay: block; width: 15px;" class=3D""><br class=3D""></td></tr><tr class=3D""=
><td colspan=3D"3" height=3D"20" style=3D"line-height: 20px;" class=3D""><b=
r class=3D""></td></tr></tbo
</tbody></table></td></tr>
ket.de/5crIlEOYQmu.dbm?fN0
height=3D"1" style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; f=
ont-size: 12px; font-style: normal; font-variant-caps: normal; font-weight:=
400; letter-spacing: normal; text-align: start; text-indent: 0px; text-tra=
nsform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-w=
idth: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" cl=
ass=3D""><span style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight=
: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-tr=
ansform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-=
width: 0px; background-color: rgb(255, 255, 255); text-decoration: none; fl=
oat: none; display: inline !important;" class=3D""></span></div></
e></div><br class=3D""></body></html>
--Apple-Mail=_94BEDD3A-4A4
Received-SPF: pass (google.com: domain of kaymer27@icloud.com designates 17.58.6.52 as permitted sender) client-ip=17.58.6.52;
From the header walkbacks to the source MTA, it appears to me that "kaymer27@icloud.com" has an infected machine. The SPF checks show the originating MTA as legitimate.
As said above, it's legitimate email, no spoofing involved. If you don't trust it, reset the iCloud account's password (as you said, it belongs to you). After that, add back ONLY ONE device at a time (probably an iPhone).
Leave it for a week. If nothing happens, add back the MacBook; after another week, add back the iMac, etc.
If you add back something and the spam starts pouring in again, that last device added should be nuked and FULLY re-installed CLEANLY.
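The two checks the replies rely on, the `-all` versus `~all` question and the header walk-back that ends in "SPF, DKIM and DMARC all pass, so this is the sender's own provider, not a spoof", can both be scripted. The Python below is an added example written for this page, not code from the thread or from Google; it assumes the receiving MX names itself `mx.google.com` (as in the posted headers) and works on constructed sample headers that use example domains and documentation IP addresses rather than the real addresses above.

```python
# Added example, not code from the thread: the "header walk-back" the replies
# describe, run on constructed headers modelled on the Gmail ones posted above.
# Assumption: our inbound MX calls itself "mx.google.com" in the "by" clause
# of Received and as the authserv-id of Authentication-Results.
import re
from email import policy
from email.parser import Parser

TRUSTED_MX = "mx.google.com"  # assumed name of our own receiving MX
# Constructed sample (example domains, RFC 5737 addresses): all checks pass.
SAMPLE = """\
Received: from mx-out.mail-provider.example (mx-out.mail-provider.example. [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
        for <info@example.com>;
        Thu, 22 Dec 2022 07:40:10 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail-provider.example header.s=sel1 header.b=abcd1234;
       spf=pass (google.com: domain of sender@mail-provider.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=sender@mail-provider.example;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail-provider.example
From: "Someone" <sender@mail-provider.example>

"""

# Constructed counter-example: a forged From: that the domain's DMARC policy catches.
SPOOFED_SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail (google.com: domain of info@example.com does not designate 203.0.113.7 as permitted sender) smtp.mailfrom=info@example.com;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
From: info@example.com

"""

def _unfold(value) -> str:
    """Collapse header folding whitespace to single spaces."""
    return re.sub(r"\s+", " ", str(value)).strip()

def auth_results(raw_message: str, authserv_id: str = TRUSTED_MX) -> dict:
    """Parse the Authentication-Results header that *our* MX wrote (matched by
    authserv-id, so a copy a previous hop added cannot be mistaken for it)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # drop RFC 5322 comments such as "(google.com: domain of ...)" first
        text = re.sub(r"\([^()]*\)", "", _unfold(hdr))
        authserv, _, rest = text.partition(";")
        if authserv.strip() != authserv_id:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc|arc)=(\w+)", clause)
            if m:
                results[m.group(1)] = m.group(2).lower()
            signer = re.search(r"header\.i=@?(\S+)", clause)
            if signer:
                results["dkim_domain"] = signer.group(1).lower()
        break
    return results

def trusted_hops(raw_message: str, mx_host: str = TRUSTED_MX) -> list:
    """Hops our own MX recorded (newest first): the host and IP that really
    connected to us. Received lines below them were written by other servers
    and can be forged, so the walk-back must not rest on them."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = _unfold(hdr)
        by = re.search(r"\bby\s+(\S+)", text)
        frm = re.match(r"from\s+(\S+)\s+\((\S+?)\.?\s+\[([^\]]+)\]", text)
        if by and by.group(1).rstrip(".") == mx_host and frm:
            hops.append({"helo": frm.group(1), "rdns": frm.group(2), "ip": frm.group(3)})
    return hops

def verdict(raw_message: str) -> str:
    """'authenticated': DMARC passed and the DKIM signer is the From: domain, so the
    sender's own provider sent it (compromised account or device, not a spoof).
    'spoofed': DMARC failed. Anything else: 'inconclusive'."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    res = auth_results(raw_message)
    from_domain = msg["From"].addresses[0].domain.lower()
    if res.get("dmarc") == "pass" and res.get("dkim") == "pass" \
            and res.get("dkim_domain") == from_domain:
        return "authenticated"
    if res.get("dmarc") == "fail":
        return "spoofed"
    return "inconclusive"

def spf_all_qualifier(txt_record: str):
    """What an SPF record says about senders it does not list:
    '-all' -> fail, '~all' -> softfail, '?all' -> neutral, '+all'/'all' -> pass."""
    if not txt_record.startswith("v=spf1"):
        return None
    names = {"-": "fail", "~": "softfail", "?": "neutral"}
    for term in txt_record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return names.get(term[0], "pass")
    return "neutral"  # RFC 7208: nothing matched and no "all" term -> neutral

if __name__ == "__main__":
    print(auth_results(SAMPLE), trusted_hops(SAMPLE))
    print(verdict(SAMPLE), verdict(SPOOFED_SAMPLE))
```

Paste a "Show Original" dump into `SAMPLE` and the same three calls apply. Note that `auth_results` only believes the `Authentication-Results` header whose authserv-id is your own MX, and `trusted_hops` only believes `Received` lines your MX wrote: everything further down the chain was added by other servers and is exactly what a spoofer can forge. The `spf_all_qualifier` check answers the `-all` question: `~all` only asks receivers to treat unlisted senders as a soft fail, which is why DMARC alignment, not the SPF qualifier alone, decides what happens to a forged From.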
ASKER
Delivered-To: anne@thegardenersworkshop.
Received: by 2002:ac8:d0:0:b0:3a7:fc4b:
Thu, 22 Dec 2022 10:04:34 -0800 (PST)
X-Google-Smtp-Source: AMrXdXsdQzvrnKAoAUUA1z/R1v
X-Received: by 2002:a05:6a21:32a1:b0:aa:6
Thu, 22 Dec 2022 10:04:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671732274; cv=none;
d=google.com; s=arc-20160816;
b=M1THm8ErI2JPwrL4ysByNp27
6vqLqCSkW8MKPaignMhfQNQevr
kvwCtwpgNMm5FKSn4a7JVYpKX5
qrgt6w8rUC0+x6dtjt4JItPKVz
qi9Ukm5V0RU2OCi1rEeMSJb1xT
T4mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:message-id:subject:da
:content-transfer-encoding
bh=28LeFaOHufWj/FOzhQBmKcR
b=NoTq2fJ7bjnRUam6cwq9jQxo
PjFHvwugRZ3fdz6j+3ix1Z1sOY
84Zb9EAPkXZyRQq6XFZoSUzf6Y
rmm8kT5G5rbMlB38DLkMTt02gA
Vy6sLhv1ATLrpnXJneVqFDvKaG
Xqsw==
ARC-Authentication-Results
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=mZZqnrh1;
spf=pass (google.com: domain of ivoryace@icloud.com designates 17.57.155.18 as permitted sender) smtp.mailfrom=ivoryace@icl
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Return-Path: <ivoryace@icloud.com>
Received: from qs51p00im-qukt01080101.me.
by mx.google.com with ESMTPS id i64-20020a638743000000b004
for <anne@thegardenersworkshop
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA
Thu, 22 Dec 2022 10:04:34 -0800 (PST)
Received-SPF: pass (google.com: domain of ivoryace@icloud.com designates 17.57.155.18 as permitted sender) client-ip=17.57.155.18;
Authentication-Results: mx.google.com;
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=mZZqnrh1;
spf=pass (google.com: domain of ivoryace@icloud.com designates 17.57.155.18 as permitted sender) smtp.mailfrom=ivoryace@icl
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1671732273; bh=28LeFaOHufWj/FOzhQBmKcR
puSzP/hmINhuy9vyqfmHW4e65r
b4rfueR8zmyx/NqaEJJOoVMJxK
ZPwXSMXxIPK48kJmvbvhWPGjBI
xT33virZe7L4jNm2JwIwZThxLQ
xtncIQ/epIlUQ==
Received: from smtpclient.apple (qs51p00im-dlb-asmtp-mailm
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding:
From: Ivory Mccartney <ivoryace@icloud.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 22 Dec 2022 13:04:22 -0500
Subject: Shoes
Message-Id: <6799BAC3-369B-45DA-83D6-C
To: anne@thegardenersworkshop.
X-Mailer: iPhone Mail (20B101)
X-Proofpoint-GUID: EmZw7z5Z-4kaiZh-tIMiNWMa-v
X-Proofpoint-ORIG-GUID: EmZw7z5Z-4kaiZh-tIMiNWMa-v
X-Proofpoint-Virus-Version
X-Proofpoint-Spam-Details:
I ordered Jordan 4s for my son for Christmas I do have a receipt as well
Sent from my iPhone
Wow, so many iCloud accounts hacked? That seems a bit implausible. Are those accounts all used on ONE PC/Laptop/Mac? If so, that device is obviously hacked.
ASKER
Received: by 2002:ac8:d0:0:b0:3a7:fc4b:
Sun, 25 Dec 2022 07:07:49 -0800 (PST)
X-Received: by 2002:a05:6a21:6da5:b0:b0:4
Sun, 25 Dec 2022 07:07:49 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1671980869; cv=pass;
d=google.com; s=arc-20160816;
b=afRKKRHPLYhD+q8Ji3InqwJB
DF8PwiBZLAFNNDmQCBViRlU2x5
yxab51MGYAh1u/u4qYGIkRANlX
U1W4+DeTG/hUQQyY32V5SlX23b
7I+ruWToksj57aOneDaiUjGhql
uY9A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:message-id:subject:da
:content-transfer-encoding
bh=xGA+6ggf/0TWwNbdO+K1DRd
b=olXDsYhZDBViaPFRIZ9veq7p
2XM9EMdhjBnQ2SDTtjgDTHNHvR
cqdkjHwYjS7X4oJM3qpd49VViL
7XQs7HdaHDt/4FYZhnx8pYpJkI
vZrYoojQ62B2dMY64uagDfHyKh
yv5g==
ARC-Authentication-Results
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=efQBsG+q;
arc=pass (i=1 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
spf=pass (google.com: domain of info+caf_=anne=thegardener
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Return-Path: <info+caf_=anne=thegardene
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id s4-20020a056a00194400b0057
for <anne@thegardenersworkshop
(Google Transport Security);
Sun, 25 Dec 2022 07:07:49 -0800 (PST)
Received-SPF: pass (google.com: domain of info+caf_=anne=thegardener
Authentication-Results: mx.google.com;
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=efQBsG+q;
arc=pass (i=1 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
spf=pass (google.com: domain of info+caf_=anne=thegardener
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=to:message-id:subject:da
:content-transfer-encoding
:x-gm-message-state:from:t
bh=xGA+6ggf/0TWwNbdO+K1DRd
b=sSLrmQwYtW8JxYYgtUiRr1sP
RoBWVIWyr9DY6VHTwUnr70RmxC
UQuJbE3LYi0UKQ2ug7wLQIwM3e
0UzzG7NYnF4TirMHC8bYDWBLcu
n618Xs+DWyZGRB+lcXasMc8Lt9
eyNQ==
X-Gm-Message-State: AFqh2koqwRAK/POnHmqQaAuTr2
X-Received: by 2002:a65:4cc9:0:b0:476:c39
Sun, 25 Dec 2022 07:07:48 -0800 (PST)
X-Forwarded-To: anne@thegardenersworkshop.
X-Forwarded-For: info@thegardenersworkshop.
Delivered-To: info@thegardenersworkshop.
Received: by 2002:a05:6a20:a89c:b0:b2:3
Sun, 25 Dec 2022 07:07:47 -0800 (PST)
X-Google-Smtp-Source: AMrXdXu7zhRVWk6yJ7jxxMwns/
X-Received: by 2002:a05:6a00:1c85:b0:569:
Sun, 25 Dec 2022 07:07:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671980867; cv=none;
d=google.com; s=arc-20160816;
b=HTQIPekjTacqWPki+2LrKyCJ
Qtc8Tb60J1Ono4/KeVB2hkkgmx
7r91H/x9NXCCUzI5pQPS7mTnQ4
zT/MQX21U1nE26NSLjDKoq5nNQ
zYNLjvQMUyxz5HNCG/k9owT3tD
lMrw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:message-id:subject:da
:content-transfer-encoding
bh=xGA+6ggf/0TWwNbdO+K1DRd
b=mbe9/wD0Fo7N+fG7f42Wr79j
6ZFloqlXFVV4KNEsaPxgEFht5v
4jX0jE+XmSlhTY8Kqb44Hvn6/Y
rn13qPBpHcUulPPmgRjZABLiSy
urmG0mIN7BZssucyWP7nqnA8z7
+NAQ==
ARC-Authentication-Results
dkim=pass header.i=@icloud.com header.s=1a1hai header.b=efQBsG+q;
spf=pass (google.com: domain of fisherkaine09@icloud.com designates 17.58.38.44 as permitted sender) smtp.mailfrom=fisherkaine0
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Return-Path: <fisherkaine09@icloud.com>
Received: from ms11p00im-qufo17291501.me.
by mx.google.com with ESMTPS id c4-20020a056a000ac400b0056
for <info@thegardenersworkshop
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA
Sun, 25 Dec 2022 07:07:47 -0800 (PST)
Received-SPF: pass (google.com: domain of fisherkaine09@icloud.com designates 17.58.38.44 as permitted sender) client-ip=17.58.38.44;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1671980866; bh=xGA+6ggf/0TWwNbdO+K1DRd
NT6oHIeAtNoaw5wdjAtYVftgLJ
QYvVlDh1U8lb4xB9dEEutaZ4eY
2wX+V/zuzMi++XnsXb2wFRPzvk
1uAyGaRA7bswgfphzl3FvHRCVL
xbPZAitv4/r+A==
Received: from smtpclient.apple (ms11p00im-dlb-asmtpmailme
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding:
From: Kaine Fisher <fisherkaine09@icloud.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 25 Dec 2022 15:07:33 +0000
Subject: package
Message-Id: <D6747EA7-3C02-4F7D-AD4F-7
To: info@thegardenersworkshop.
X-Mailer: iPhone Mail (20B110)
X-Proofpoint-GUID: EkM7y9r4Tmszw6ZxhgeQ1ImVYr
X-Proofpoint-ORIG-GUID: EkM7y9r4Tmszw6ZxhgeQ1ImVYr
X-Proofpoint-Virus-Version
X-Proofpoint-Spam-Details:
Kaine=20
Sent from my iPhone
are you serious right now bro=F0=9F=98=92=F0=9F=98=9
In this situation I'd examine the email logs from the outgoing MTA carefully to see if the email is in fact emanating from their network. Subverting a machine is easy, and once subverted it's nearly certain that it will be used to send spam.
SPF, DKIM and DMARC will be helpful in "a few years" when they become widely adopted and are enforced at the receiving MTAs, but at this time they are merely advisory.
The only way to know for sure is to examine a full trace of all the headers in one of the offending messages. It will be helpful if you can post that here. Expurgate IP addresses and domain names as necessary but do so consistently so we can follow the trace from the origination to the destination.