Email Security - Review

I thought I had this all shut up nice and tight
Received an email from a garbage source - the usual clickbait.
Threw it at a few forensic tools and AI - here is the result. If you use any sort of email, you can usually get at the header information by viewing the original message.
Here’s a structured breakdown of what your header is showing and what it means for sender identity and your mail security posture:
🕵️ Who is it really from?
- Claimed sender: "braedach.com IT Admin" <your-smtp-email@domain.com>. This is suspicious because the visible “From” address (domain.com) does not match the authenticated sending domain (braedach.com).
- Authenticated path:
  - The message was sent through Mailgun infrastructure (pc232-48.mailgun.net, IP 143.55.232.48).
  - SPF (Sender Policy Framework) passed for braedach.com because Mailgun is authorized to send for that domain.
  - DKIM (DomainKeys Identified Mail) passed for braedach.com.
  - However, DMARC (Domain-based Message Authentication, Reporting & Conformance) failed because the visible “From” domain (domain.com) does not align with the authenticated domain (braedach.com).
- Bottom line: The email was actually sent via Mailgun on behalf of braedach.com, but the “From” header was spoofed to show domain.com. That mismatch is why DMARC failed.
⚠️ Weaknesses / Red flags
- DMARC failure
  - The sending domain (domain.com) has no DMARC enforcement (p=NONE).
  - This allows attackers to spoof domain.com without being rejected.
  - Gmail flagged this mismatch but still delivered the message.
- Misleading “From” address
  - The real authenticated sender is braedach.com (via Mailgun).
  - The visible “From” (domain.com) is misleading. This is a classic phishing tactic.
- Suspicious relay chain
  - The header shows hops through sav-orblco.com and IPs like 91.92.242.113 and 178.16.53.136, which don’t align with either braedach.com or domain.com.
  - This suggests the message may have originated from a compromised host or was relayed through shady infrastructure.
- Urgent subject line
  - “IMMEDIATE ACTION REQUIRED: Mailbox Notification Alert” is a common phishing lure.
✅ What this means for your security
- Your Gmail account itself wasn’t breached — Gmail correctly validated SPF/DKIM and flagged DMARC misalignment.
- The weakness lies in the sending domain (domain.com) not enforcing DMARC. That allows bad actors to spoof it.
- Since the message passed SPF/DKIM for braedach.com, it’s possible that Mailgun was abused (via a compromised account or misconfigured relay) to send this phishing attempt.
🔒 Recommendations
- Do not click links or open attachments from this message.
- Report it as phishing in Gmail — this helps train filters.
- If you control domain.com or braedach.com:
  - Enforce DMARC with p=reject once SPF/DKIM are aligned.
  - Audit Mailgun API keys and sending logs for abuse.
- As a recipient, you don’t need to change your Gmail security settings — Gmail already caught the DMARC failure.
- Stay alert for similar “urgent mailbox” messages — they’re almost always phishing.
🌐 Email Flow (Simplified Diagram)
Here’s the journey of that suspicious message:
[Attacker system: 91.92.242.113]
│
▼
[Relay: mail.sav-orblco.com]
│
▼
[Mailgun server: pc232-48.mailgun.net (143.55.232.48)]
- SPF: PASS for braedach.com
- DKIM: PASS for braedach.com
- From header CLAIMS: domain.com (spoofed)
│
▼
[Gmail MX]
- SPF: PASS (braedach.com)
- DKIM: PASS (braedach.com)
- DMARC: FAIL (domain.com has no enforcement)
│
▼
[Your inbox: mybloody@email.address.tld]
Key point: The attacker injected a misleading “From: domain.com” header, but the actual authenticated sender was braedach.com via Mailgun. Gmail caught the DMARC misalignment but still delivered it because domain.com has no DMARC enforcement.
The email came from this host - so now you know.

✅ Summary
- The spoof worked because domain.com has no DMARC.
- Your own domain (braedach.com) is correctly configured.
- Using a dedicated subdomain for Mailgun (mg.braedach.com) is best practice.
Reviewing all the above - again
#enoughsaid