Gmail accepts forged YouTube emails

This morning I woke up to an official-looking email from YouTube in my inbox, addressed to an address that isn't mine.

Long ago this sort of thing would happen if someone sent an email with forged headers[1] (e.g. to fish for logins), but the advent of DKIM and DMARC has relegated header forging to ancient history. I was greatly surprised to see that the forged email had passed Gmail's DKIM/DMARC checks.

A selection of the email's headers (full email) shows that it was accepted as coming from youtube.com, despite being received from robtoledoyour.com. I'm not familiar enough with the details of email authentication to say why this passed, but it seems pretty clear that something has gone wrong.

Delivered-To: jmillikin@gmail.com
Received: by 2002:a19:6d05:0:0:0:0:0 with SMTP id i5csp3611067lfc;
        Tue, 31 May 2022 10:35:25 -0700 (PDT)
From: YouTube <no-reply@youtube.com>
To: alltimecaptaincool2019@gmail.com
Date: Fri, 26 Nov 2021 22:16:25 -0800
[...]
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@robtoledoyour.com header.s=prime header.b=On+Vo8dl;
       dkim=pass header.i=@youtube.com header.s=20210112 header.b=xGMHx3cn;
       arc=pass (i=1 spf=pass spfdomain=scoutcamp.bounces.google.com dkim=pass dkdomain=youtube.com dmarc=pass fromdomain=youtube.com);
       spf=pass (google.com: domain of postalerts@robtoledoyour.com designates 2a01:7c8:bb01:51a::7 as permitted sender) smtp.mailfrom=postalerts@robtoledoyour.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=youtube.com
Return-Path: <postalerts@robtoledoyour.com>
Received: from 7n.robtoledoyour.com (7n.robtoledoyour.com. [2a01:7c8:bb01:51a::7])
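As an added triage example (not the author's code), the headers quoted above can be parsed to see which mechanism gave DMARC its alignment with the From domain, whether the envelope sender aligns as well, and how far the Date header sits from the time of receipt. The header values are embedded as a constructed sample copied from the post, and the two-label `org_domain` rule is a simplification of RFC 7489 relaxed alignment.

```python
import re
from email.utils import parsedate_to_datetime

SAMPLE = {  # constructed sample: the header values quoted in the post, each unfolded onto one line
    "From": "YouTube <no-reply@youtube.com>",
    "Return-Path": "<postalerts@robtoledoyour.com>",
    "Date": "Fri, 26 Nov 2021 22:16:25 -0800",
    "Received": "by 2002:a19:6d05:0:0:0:0:0 with SMTP id i5csp3611067lfc; Tue, 31 May 2022 10:35:25 -0700 (PDT)",
    "ARC-Authentication-Results": (
        "i=2; mx.google.com; dkim=pass header.i=@robtoledoyour.com header.s=prime header.b=On+Vo8dl; "
        "dkim=pass header.i=@youtube.com header.s=20210112 header.b=xGMHx3cn; "
        "arc=pass (i=1 spf=pass spfdomain=scoutcamp.bounces.google.com dkim=pass "
        "dkdomain=youtube.com dmarc=pass fromdomain=youtube.com); "
        "spf=pass (google.com: domain of postalerts@robtoledoyour.com designates "
        "2a01:7c8:bb01:51a::7 as permitted sender) smtp.mailfrom=postalerts@robtoledoyour.com; "
        "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=youtube.com"
    ),
}

def org_domain(addr):
    # Last two labels only: a stand-in for RFC 7489 relaxed alignment, which properly needs the Public Suffix List
    return ".".join(addr.strip("<> ").lower().rsplit("@", 1)[-1].split(".")[-2:])

def parse_auth_results(value):
    """Split an (ARC-)Authentication-Results value into [{method, result, props}] (RFC 8601 syntax)."""
    results = []
    for clause in re.sub(r"\([^()]*\)", "", value).split(";"):  # comments like "(p=REJECT ...)" are dropped
        tokens = clause.split() or [""]
        if "=" in tokens[0] and not tokens[0].startswith("i="):  # skip the authserv-id and the ARC i= tag
            method, result = tokens[0].split("=", 1)
            results.append({"method": method, "result": result,
                            "props": dict(t.split("=", 1) for t in tokens[1:] if "=" in t)})
    return results

def triage(headers):
    from_dom = org_domain(headers["From"].rsplit("<", 1)[-1])
    env_dom = org_domain(headers["Return-Path"])
    results = parse_auth_results(headers["ARC-Authentication-Results"])
    passes = {(r["method"], org_domain(r["props"].get("header.d") or r["props"].get("header.i")
                                       or r["props"].get("smtp.mailfrom", "")))
              for r in results if r["result"] == "pass"}  # DKIM: header.d/header.i; SPF: smtp.mailfrom
    via = [m for m in ("spf", "dkim") if (m, from_dom) in passes]  # what DMARC alignment rests on
    dmarc = next((r["result"] for r in results if r["method"] == "dmarc"), "none")
    skew_days = (parsedate_to_datetime(headers["Received"].rsplit(";", 1)[-1].strip())
                 - parsedate_to_datetime(headers["Date"])).days  # receipt minus claimed send date
    flags = [name for hit, name in ((dmarc == "pass" and via == ["dkim"], "dmarc-pass-via-dkim-only"),
                                    (env_dom != from_dom, "envelope-from-mismatch"),
                                    (abs(skew_days) > 7, "stale-date-header")) if hit]
    return {"from_domain": from_dom, "envelope_domain": env_dom, "dmarc": dmarc,
            "dmarc_aligned_via": via, "date_skew_days": skew_days, "flags": flags}
```

On the quoted headers it reports alignment via DKIM only, an envelope domain that differs from the From domain, and a Date header 185 days older than the time of receipt.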

Whoever is behind this has been active since at least August 2021 – I found references to that From: address on Twitter and Reddit:

The robtoledoyour.com domain is registered to an address in India. I find this notable, given that the first report of an alltimecaptaincool2019@gmail.com email impersonated Amazon.in and was posted in Reddit's /r/indiasocial forum. Also, the YouTube-style email mentions India-specific regulation. Finally, the domain was registered one month before the report on Reddit.

Snapshots of WHOIS and DNS

$ whois robtoledoyour.com
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
[...]

Domain Name: ROBTOLEDOYOUR.COM
Registry Domain ID: 2626055284_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2021-07-12T06:25:22Z
Creation Date: 2021-07-12T06:25:22Z
Registrar Registration Expiration Date: 2022-07-12T06:25:22Z
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Reseller:
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Natarajan K kannan
Registrant Organization:
Registrant Street: 79-1/43-1,Matha sannathi street
Registrant City: Tirunelveli
Registrant State/Province: TN
Registrant Postal Code: 627006
Registrant Country: IN
Registrant Phone: Non-Public Data
Registrant Email: https://www.name.com/contact-domain-whois/robtoledoyour.com/registrant
Registry Admin ID: Not Available From Registry
Admin Name: Natarajan K kannan
Admin Organization:
Admin Street: 79-1/43-1,Matha sannathi street
Admin City: Tirunelveli
Admin State/Province: TN
Admin Postal Code: 627006
Admin Country: IN
Admin Phone: Non-Public Data
Admin Email: https://www.name.com/contact-domain-whois/robtoledoyour.com/admin
Registry Tech ID: Not Available From Registry
Tech Name: Natarajan K kannan
Tech Organization:
Tech Street: 79-1/43-1,Matha sannathi street
Tech City: Tirunelveli
Tech State/Province: TN
Tech Postal Code: 627006
Tech Country: IN
Tech Phone: Non-Public Data
Tech Email: https://www.name.com/contact-domain-whois/robtoledoyour.com/tech
Name Server: ns1dns.name.com
Name Server: ns2fwz.name.com
Name Server: ns3bfm.name.com
Name Server: ns4clq.name.com
DNSSEC: unSigned
Registrar Abuse Contact Email: abuse@name.com
Registrar Abuse Contact Phone: +1.7203101849
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2022-05-31T22:52:19Z <<<

$ dig robtoledoyour.com MX
[...]
;; ANSWER SECTION:
robtoledoyour.com.	300	IN	MX	10 mail.redrool.com.

;; Query time: 134 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 01 08:18:51 JST 2022
;; MSG SIZE  rcvd: 75

The MX domain mail.redrool.com is registered by NameCheap, doesn't have public WHOIS data, and was registered in 2013. If I had to speculate, I'd say this domain is unrelated and is merely being taken advantage of as an open relay.

$ whois redrool.com
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
[...]

Domain name: redrool.com
Registry Domain ID: 1827884879_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-07-29T08:50:59.21Z
Creation Date: 2013-09-17T10:28:13.00Z
Registrar Registration Expiration Date: 2022-09-17T10:28:13.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2
Registrant City: Reykjavik
Registrant State/Province: Capital Region
Registrant Postal Code: 101
Registrant Country: IS
Registrant Phone: +354.4212434
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: a95454e67a0c42f988e530f0aeaa91d5.protect@withheldforprivacy.com
Registry Admin ID:
Admin Name: Redacted for Privacy
Admin Organization: Privacy service provided by Withheld for Privacy ehf
Admin Street: Kalkofnsvegur 2
Admin City: Reykjavik
Admin State/Province: Capital Region
Admin Postal Code: 101
Admin Country: IS
Admin Phone: +354.4212434
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: a95454e67a0c42f988e530f0aeaa91d5.protect@withheldforprivacy.com
Registry Tech ID:
Tech Name: Redacted for Privacy
Tech Organization: Privacy service provided by Withheld for Privacy ehf
Tech Street: Kalkofnsvegur 2
Tech City: Reykjavik
Tech State/Province: Capital Region
Tech Postal Code: 101
Tech Country: IS
Tech Phone: +354.4212434
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: a95454e67a0c42f988e530f0aeaa91d5.protect@withheldforprivacy.com
Name Server: ara.ns.cloudflare.com
Name Server: george.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2022-05-31T18:17:35.20Z <<<

  1. Email was designed without any sort of security or authentication. I remember reading an IRC story, now lost, in which a student emails their professor from deadguy@yourhouse with the message "Help! I'm dead and I'm in your house!".
