![Yandex mail dmarc](https://kumkoniak.com/37.jpg)
Hello GT! I read MikhailNsk's post, and it took me back to 2016, when I accidentally stumbled upon a problem with spoofing of Yandex.Mail addresses.

The threat itself is that the letters are completely valid in terms of DMARC and SPF. This affects not only Yandex.Mail users but also organizations that use Yandex.PDD and Yandex.Connect as the mail service for their own domain (for example, the well-known and widely advertised "mail" of GeekBrains), and that is already much more serious.

The vulnerability is currently working: the letter passes all the checks and is delivered anywhere (including Gmail). The implementation and Yandex's reaction are below the cut.

Attention! The vulnerability reproducing algorithm below is provided for educational purposes only!

The essence is very simple: Yandex allows you to log in under one address and send from any other address whose domain specifies Yandex in its DMARC and SPF rules, and the letter is signed with a valid DKIM signature.

For the implementation we need a mailbox on Yandex and a third-party mail client (my choice fell on the open and functional Thunderbird). We attach our Yandex mailbox to the latter, open the window for sending a letter, change the sender address to the one we need, and send the message somewhere.

At Google Mail (as at any other service), the message arrived normally. Google shows a card saying that everything is fine:

```
Delivered-To: by 10.31.164.6 with SMTP id n6csp2248696vke
ARC-Message-Signature: i=1 a=rsa-sha256 c=relaxed/relaxed d= s=arc-20160816
 h=content-language:content-transfer-encoding:mime-version:user-agent
 :date:message-id:subject:from:to:dkim-signature:dkim-signature
ARC-Authentication-Results: i=1 mx.
 dkim=pass header.s=mail header.b=T2n/cJmZ
 spf=pass (: domain of designates 37.140.190.181 as permitted sender)
 (p=NONE sp=NONE dis=NONE)
```
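
The root cause described in this post is that the submission server does not tie the sender address to the authenticated login. The check below shows one way a provider can enforce that binding on both the envelope sender and the From header; it is an added example, not code from the post or from Yandex, and the alias table, function names and example.* addresses are assumptions.

```python
from email import message_from_string, policy

# Constructed alias table: login -> extra sender addresses that account owns.
# Hypothetical stand-in for a provider's account database.
ALIASES = {"alice@example.org": {"alice.smith@example.org"}}


def _norm(addr):
    """Compare addresses case-insensitively and without stray whitespace."""
    return addr.strip().lower()


def check_submission(login, mail_from, raw_message, aliases=ALIASES):
    """Decide whether an authenticated submission may leave with this sender.

    Returns (accepted, reason). Both the envelope MAIL FROM and the single
    From header mailbox must belong to the authenticated login.
    """
    owned = {_norm(login)} | {_norm(a) for a in aliases.get(_norm(login), ())}
    if _norm(mail_from) not in owned:
        return False, "envelope sender not owned by login"

    msg = message_from_string(raw_message, policy=policy.default)
    from_headers = msg.get_all("From", [])
    # Policy choice for this example: a missing or duplicated From is refused,
    # because receivers disagree on which copy they display.
    if len(from_headers) != 1:
        return False, "message must carry exactly one From header"
    mailboxes = from_headers[0].addresses
    if len(mailboxes) != 1:
        return False, "From must name exactly one mailbox"
    # addr_spec is the real mailbox; the display name is ignored on purpose.
    if _norm(mailboxes[0].addr_spec) not in owned:
        return False, "From address not owned by login"
    return True, "ok"


def _sample(from_value):
    """Build a constructed test message (not taken from the post)."""
    return f"From: {from_value}\nTo: bob@example.net\nSubject: test\n\nhello\n"
```

With this binding in place, a message that passes SPF, DKIM and DMARC for the provider's domain also identifies an account that owns the From address.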