steemit / faucet

Steemit Account Creation Web Application
MIT License

Confusion if steemit's email is legit or not #367

Open Jolly-Pirate opened 6 years ago

Jolly-Pirate commented 6 years ago

Some users may be confused when receiving emails at protonmail.com (and probably other email services). Here's what one user said:

I may have received a phishing scam email for my account verification and have no way to tell if it is legitimate or not. It came from "noreply@steemit.com", but does not have the "via sendgrid.net" after it and Protonmail flagged it. However the timing seems legitimate because I have been waiting about 2 weeks and the confirmation link to finish setting up the account does have "sendgrid.net" in the address with numbers and letters before it and after it, so the link might be legitimate? Any help would be greatly appreciated.

The emails are going into the spam folder with a high score. Also there were reports of this message about the emails: "This email has failed its domain's authentication requirements. It may be spoofed or improperly forwarded!"

I checked the SPF record and it's lacking the sendgrid.net entry:

v=spf1 ip4:167.89.30.199 include:servers.mcsv.net include:_spf.google.com include:spf.sendinblue.com mx ~all

The SPF record should be corrected to reduce the spam score.

https://sendgrid.com/docs/Glossary/spf.html

Here's an email header sample:

Return-Path: <bounces+3137752-c0b8-********=protonmail.com@sendgrid.net>
X-Original-To: ********@protonmail.com
Delivered-To: ********@protonmail.com
Received: from o1678930x199.outbound-mail.sendgrid.net
 (o1678930x199.outbound-mail.sendgrid.net [167.89.30.199]) (using TLSv1.2 with cipher
 ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by
 mail9i.protonmail.ch (Postfix) with ESMTPS id 655E92906 for <********@protonmail.com>; Thu,
  7 Jun 2018 23:23:07 +0000 (UTC)
Received: by filter0593p1iad2.sendgrid.net with SMTP id filter0593p1iad2-19901-5B19BE59-30
        2018-06-07 23:23:05.963142056 +0000 UTC
Received: from MzEzNzc1Mg (ec2-54-87-228-55.compute-1.amazonaws.com [54.87.228.55]) by
 ismtpd0033p1mdw1.sendgrid.net (SG) with HTTP id jlOnWONCTjmJGjl8lIPvOA Thu, 07 Jun 2018
 23:23:05.944 +0000 (UTC)
Authentication-Results: mail9i.protonmail.ch; dmarc=fail (p=none dis=none)
 header.from=steemit.com
Authentication-Results: mail9i.protonmail.ch; spf=pass
 smtp.mailfrom=bounces+3137752-c0b8-********=protonmail.com@sendgrid.net
Authentication-Results: mail9i.protonmail.ch; dkim=pass (1024-bit key)
 header.d=sendgrid.net header.i=@sendgrid.net header.b="C165oLBD"
Dkim-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.net;
  h=from:mime-version:to:content-type:subject; s=smtpapi;
  bh=cMhousMxJAxzxesLNVB73PEKogs=; b=C165oLBDuS5Fug3yCynX/YktLTyvX
 o4rRlBnM4+w7ZUoytJLMLCpmLmVruDG7b9JzLfnfCTbgnBXgy1bToGHc7dU/EaJO
 xk8R5l+Ks1SNDlVQeK+YVbQ6TYkBa0/2aGEE3TWPxhHQ3R16H8p+42NSfuztJXOz vecnWVxjePZLmQ=
Date: Thu, 07 Jun 2018 23:23:05 +0000 (UTC)
From: "Steemit" <noreply@steemit.com>
Mime-Version: 1.0
To: ********@protonmail.com
Message-Id: <jlOnWONCTjmJGjl8lIPvOA@ismtpd0033p1mdw1.sendgrid.net>
Content-Type: text/html
Subject: One last step to set up your account
X-Sg-Eid: K5z1v5PSizJFtDAoPOvFdUxysQzwJVYv4CK7VW7nF7jGVP8xVo74rZwrGgjUYPG7ewzxFhgYxTEDAF
 P9rwLm8Li4znexVr/ObHo541AE5+RibYNoTfM2k7+ckmBJtO+CA2UXReDyRdzhYnkrAxTaxyTEhDfu
 RASCAKzgLoB1Zwd0Lh3mk9v0IYB8UClavWLL1lj32VtkirzM6P/aw+IqkoZqmqv+6egp1vS+EMm1Z/ U=
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.8 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
 HDRS_LCASE_IMGONLY,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_ONLY_20,
 HTML_MESSAGE,HTTPS_HTTP_MISMATCH,SPF_PASS,T_DKIMWL_WL_MED,URIBL_GREY autolearn=no
 autolearn_force=no version=3.4.0
X-Spam-Report: *
  2.0 URIBL_GREY Contains an URL listed in the URIBL *
      [URIs: sendgrid.net] *
  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail *
      domains are different * -0.0 SPF_PASS SPF: sender matches SPF record *
  2.0 HTTPS_HTTP_MISMATCH BODY: No description available. *
  1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words *
  0.0 HTML_MESSAGE BODY: HTML included in message *
  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily *
      valid * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature *
  0.0 HDRS_LCASE_IMGONLY Odd capitalization of message headers + *
      image-only HTML * -0.0 T_DKIMWL_WL_MED DKIMwl.org - Whitelisted Medium sender
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on maili.protonmail.ch
X-Pm-Origin: external
X-Pm-Content-Encryption: on-delivery
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

SendGrid is often used by spammers; ideally steemit.com should run its own email server with proper configuration (SPF, DMARC, DKIM).

Gandalf-the-Grey commented 6 years ago

The SPF record should be corrected to reduce the spam score.

There's an issue, but it's somewhere else. The SPF record is fine (you've checked the wrong one). One solution is to use whitelabeling within SendGrid.
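An added example (not code from the faucet project or from either commenter) that shows what the header sample and Gandalf-the-Grey's reply mean when read together: SPF passes for sendgrid.net (the envelope sender, not steemit.com), DKIM passes for d=sendgrid.net, but neither identifier aligns with the From: domain steemit.com, so DMARC fails. The second header set is a constructed illustration of the aligned result once SendGrid domain authentication signs with the sender's own domain, and the organizational-domain helper is a two-label approximation, not a Public Suffix List lookup.

```python
import re

# Authentication-Results lines copied from the header pasted in the issue (folded as received).
ISSUE_HEADERS = """\
Authentication-Results: mail9i.protonmail.ch; dmarc=fail (p=none dis=none)
 header.from=steemit.com
Authentication-Results: mail9i.protonmail.ch; spf=pass
 smtp.mailfrom=bounces+3137752-c0b8-********=protonmail.com@sendgrid.net
Authentication-Results: mail9i.protonmail.ch; dkim=pass (1024-bit key)
 header.d=sendgrid.net header.i=@sendgrid.net header.b="C165oLBD"
"""

# Constructed sample (not from the issue): the same message once SendGrid domain
# authentication signs with d=steemit.com and bounces go to a steemit.com subdomain.
WHITELABELED_HEADERS = """\
Authentication-Results: mx.example.test; dmarc=pass header.from=steemit.com
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bounces@em1.steemit.com
Authentication-Results: mx.example.test; dkim=pass header.d=steemit.com
"""

def parse_auth_results(text):
    """Extract the identifiers DMARC compares from Authentication-Results headers."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)  # join folded continuation lines
    r = {}
    for line in unfolded.splitlines():
        if not line.lower().startswith("authentication-results:"):
            continue
        for key, pat in (("from", r"header\.from=([\w.-]+)"), ("spf", r"\bspf=(\w+)"),
                         ("mailfrom", r"smtp\.mailfrom=\S*@([\w.-]+)"),
                         ("dkim", r"\bdkim=(\w+)"), ("dkim_d", r"header\.d=([\w.-]+)")):
            m = re.search(pat, line)
            if m:
                r[key] = m.group(1)
    return r

def org_domain(domain):
    # Approximation of the organizational domain: last two labels (real checks use the PSL).
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_evaluate(text):
    """Relaxed DMARC alignment: a passing SPF or DKIM identifier must share From:'s org domain."""
    r = parse_auth_results(text)
    if "from" not in r:
        return {"spf_aligned": False, "dkim_aligned": False, "dmarc": "none"}
    want = org_domain(r["from"])
    spf_ok = r.get("spf") == "pass" and "mailfrom" in r and org_domain(r["mailfrom"]) == want
    dkim_ok = r.get("dkim") == "pass" and "dkim_d" in r and org_domain(r["dkim_d"]) == want
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}
```

Running `dmarc_evaluate` on the two samples shows that fixing the steemit.com SPF record cannot change the first result, since SPF was already evaluated (and passed) against sendgrid.net; only an aligned DKIM signature or envelope domain does.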

Jolly-Pirate commented 6 years ago

That was the SPF record for steemit.com used in the email; what else is there?