Gmail accepts forged YouTube emails

This morning I woke up to an official-looking email from YouTube in my inbox, addressed to an address that isn't mine.

Long ago this sort of thing would happen if someone sent an email with forged headers[1] (e.g. to fish for logins), but the advent of DKIM and DMARC has relegated header forging to ancient history. I was greatly surprised to see that the forged email had passed Gmail's DKIM/DMARC checks.

A selection of the email's headers (full email) shows that it was accepted as coming from youtube.com, despite being received from robtoledoyour.com. I'm not familiar enough with the details of email authentication to say why this passed, but it seems pretty clear that something has gone wrong.

    Delivered-To: jmillikin@gmail.com
    Received: by 2002:a19:6d05:0:0:0:0:0 with SMTP id i5csp3611067lfc;
            Tue, 31 May 2022 10:35:25 -0700 (PDT)
    From: YouTube <no-reply@youtube.com>
    To: alltimecaptaincool2019@gmail.com
    Date: Fri, 26 Nov 2021 22:16:25 -0800
    [...]
    ARC-Authentication-Results: i=2; mx.google.com;
           dkim=pass header.i=@robtoledoyour.com header.s=prime header.b=On+Vo8dl;
           dkim=pass header.i=@youtube.com header.s=20210112 header.b=xGMHx3cn;
           arc=pass (i=1 spf=pass spfdomain=scoutcamp.bounces.google.com dkim=pass dkdomain=youtube.com dmarc=pass fromdomain=youtube.com);
           spf=pass (google.com: domain of postalerts@robtoledoyour.com designates 2a01:7c8:bb01:51a::7 as permitted sender) smtp.mailfrom=postalerts@robtoledoyour.com;
           dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=youtube.com
    Return-Path: <postalerts@robtoledoyour.com>
    Received: from 7n.robtoledoyour.com (7n.robtoledoyour.com. [2a01:7c8:bb01:51a::7])
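The headers above already contain the mechanism: DMARC passes when any verified DKIM signature's signing domain aligns with the From: domain, regardless of which server handed the message to Gmail, so a message carrying YouTube's genuine signature still gets dmarc=pass when re-sent from robtoledoyour.com. The script below is an added example, not part of the original post; it parses the quoted headers (constructed into one message) and flags the signals a receiver could still score on when DMARC passes: an aligned DKIM pass beside an unaligned envelope sender, and a Date header months older than the Received timestamp.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the post, re-joined as one message.
RAW = """\
Received: by 2002:a19:6d05:0:0:0:0:0 with SMTP id i5csp3611067lfc;
        Tue, 31 May 2022 10:35:25 -0700 (PDT)
From: YouTube <no-reply@youtube.com>
To: alltimecaptaincool2019@gmail.com
Date: Fri, 26 Nov 2021 22:16:25 -0800
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@robtoledoyour.com header.s=prime header.b=On+Vo8dl;
       dkim=pass header.i=@youtube.com header.s=20210112 header.b=xGMHx3cn;
       arc=pass (i=1 spf=pass spfdomain=scoutcamp.bounces.google.com dkim=pass dkdomain=youtube.com dmarc=pass fromdomain=youtube.com);
       spf=pass (google.com: domain of postalerts@robtoledoyour.com designates 2a01:7c8:bb01:51a::7 as permitted sender) smtp.mailfrom=postalerts@robtoledoyour.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=youtube.com
Return-Path: <postalerts@robtoledoyour.com>

"""

def org_domain(addr_or_domain):
    # Crude organizational domain (last two labels): fine for .com, not for co.uk-style suffixes.
    dom = addr_or_domain.rsplit("@", 1)[-1].lower()
    return ".".join(dom.split(".")[-2:])

def analyze(raw):
    msg = message_from_string(raw)
    ar = msg["ARC-Authentication-Results"]
    from_dom = org_domain(parseaddr(msg["From"])[1])
    # Domains whose DKIM signature verified (header.i here; header.d in a plain Authentication-Results).
    dkim_domains = {org_domain(d) for d in re.findall(r"dkim=pass\s+header\.i=@?([\w.-]+)", ar)}
    m = re.search(r"smtp\.mailfrom=([\w.@-]+)", ar)
    mailfrom = m.group(1) if m else None
    dkim_aligned = from_dom in dkim_domains  # relaxed DMARC alignment on DKIM
    spf_aligned = mailfrom is not None and org_domain(mailfrom) == from_dom
    # The top Received header is the last hop; its timestamp is when Gmail accepted the message.
    received_at = parsedate_to_datetime(msg["Received"].rsplit(";", 1)[-1].strip())
    age_days = (received_at - parsedate_to_datetime(msg["Date"])).days
    return {
        "dmarc_pass": dkim_aligned or spf_aligned,  # either aligned identifier is enough
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "envelope_domain": org_domain(mailfrom) if mailfrom else None,
        "age_days": age_days,
        # Aligned DKIM pass, unaligned envelope sender, stale Date: genuine signature, suspicious delivery.
        "stale_replayed_signature": dkim_aligned and not spf_aligned and age_days > 7,
    }
```

Running analyze(RAW) reports dmarc_pass True with dkim_aligned True and spf_aligned False, an envelope domain of robtoledoyour.com, and a Date 185 days older than the delivery timestamp.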

Whoever is behind this has been active since at least August 2021 – I found references to that From: address on Twitter and Reddit:

The robtoledoyour.com domain is registered to an address in India. I find this notable, given that the first report of an alltimecaptaincool2019@gmail.com email impersonated Amazon.in and was posted in Reddit's /r/indiasocial forum. Also, the YouTube-style email mentions India-specific regulation. Finally, the domain was registered one month before the report on Reddit.

Snapshots of WHOIS and DNS

    $ whois robtoledoyour.com
    % IANA WHOIS server
    % for more information on IANA, visit http://www.iana.org
    % This query returned 1 object
    [...]
    Domain Name: ROBTOLEDOYOUR.COM
    Registry Domain ID: 2626055284_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.name.com
    Registrar URL: http://www.name.com
    Updated Date: 2021-07-12T06:25:22Z
    Creation Date: 2021-07-12T06:25:22Z
    Registrar Registration Expiration Date: 2022-07-12T06:25:22Z
    Registrar: Name.com, Inc.
    Registrar IANA ID: 625
    Reseller:
    Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
    Registry Registrant ID: Not Available From Registry
    Registrant Name: Natarajan K kannan
    Registrant Organization:
    Registrant Street: 79-1/43-1,Matha sannathi street
    Registrant City: Tirunelveli
    Registrant State/Province: TN
    Registrant Postal Code: 627006
    Registrant Country: IN
    Registrant Phone: Non-Public Data
    Registrant Email: https://www.name.com/contact-domain-whois/robtoledoyour.com/registrant
    Registry Admin ID: Not Available From Registry
    Admin Name: Natarajan K kannan
    Admin Organization:
    Admin Street: 79-1/43-1,Matha sannathi street
    Admin City: Tirunelveli
    Admin State/Province: TN
    Admin Postal Code: 627006
    Admin Country: IN
    Admin Phone: Non-Public Data
    Admin Email: https://www.name.com/contact-domain-whois/robtoledoyour.com/admin
    Registry Tech ID: Not Available From Registry
    Tech Name: Natarajan K kannan
    Tech Organization:
    Tech Street: 79-1/43-1,Matha sannathi street
    Tech City: Tirunelveli
    Tech State/Province: TN
    Tech Postal Code: 627006
    Tech Country: IN
    Tech Phone: Non-Public Data
    Tech Email: https://www.name.com/contact-domain-whois/robtoledoyour.com/tech
    Name Server: ns1dns.name.com
    Name Server: ns2fwz.name.com
    Name Server: ns3bfm.name.com
    Name Server: ns4clq.name.com
    DNSSEC: unSigned
    Registrar Abuse Contact Email: abuse@name.com
    Registrar Abuse Contact Phone: +1.7203101849
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2022-05-31T22:52:19Z <<<

    $ dig robtoledoyour.com MX
    [...]
    ;; ANSWER SECTION:
    robtoledoyour.com.      300     IN      MX      10 mail.redrool.com.

    ;; Query time: 134 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Jun 01 08:18:51 JST 2022
    ;; MSG SIZE  rcvd: 75

The MX domain mail.redrool.com is registered by NameCheap, doesn't have public WHOIS data, and was registered in 2013. If I had to speculate, I'd say this domain is unrelated and is merely being taken advantage of as an open relay.

    $ whois redrool.com
    % IANA WHOIS server
    % for more information on IANA, visit http://www.iana.org
    % This query returned 1 object
    [...]
    Domain name: redrool.com
    Registry Domain ID: 1827884879_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.namecheap.com
    Registrar URL: http://www.namecheap.com
    Updated Date: 2021-07-29T08:50:59.21Z
    Creation Date: 2013-09-17T10:28:13.00Z
    Registrar Registration Expiration Date: 2022-09-17T10:28:13.00Z
    Registrar: NAMECHEAP INC
    Registrar IANA ID: 1068
    Registrar Abuse Contact Email: abuse@namecheap.com
    Registrar Abuse Contact Phone: +1.9854014545
    Reseller: NAMECHEAP INC
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Registry Registrant ID:
    Registrant Name: Redacted for Privacy
    Registrant Organization: Privacy service provided by Withheld for Privacy ehf
    Registrant Street: Kalkofnsvegur 2
    Registrant City: Reykjavik
    Registrant State/Province: Capital Region
    Registrant Postal Code: 101
    Registrant Country: IS
    Registrant Phone: +354.4212434
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: a95454e67a0c42f988e530f0aeaa91d5.protect@withheldforprivacy.com
    Registry Admin ID:
    Admin Name: Redacted for Privacy
    Admin Organization: Privacy service provided by Withheld for Privacy ehf
    Admin Street: Kalkofnsvegur 2
    Admin City: Reykjavik
    Admin State/Province: Capital Region
    Admin Postal Code: 101
    Admin Country: IS
    Admin Phone: +354.4212434
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: a95454e67a0c42f988e530f0aeaa91d5.protect@withheldforprivacy.com
    Registry Tech ID:
    Tech Name: Redacted for Privacy
    Tech Organization: Privacy service provided by Withheld for Privacy ehf
    Tech Street: Kalkofnsvegur 2
    Tech City: Reykjavik
    Tech State/Province: Capital Region
    Tech Postal Code: 101
    Tech Country: IS
    Tech Phone: +354.4212434
    Tech Phone Ext:
    Tech Fax:
    Tech Fax Ext:
    Tech Email: a95454e67a0c42f988e530f0aeaa91d5.protect@withheldforprivacy.com
    Name Server: ara.ns.cloudflare.com
    Name Server: george.ns.cloudflare.com
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2022-05-31T18:17:35.20Z <<<

  1. Email was designed without any sort of security or authentication. I remember reading an IRC story, now lost, in which a student emails their professor from deadguy@yourhouse with the message "Help! I'm dead and I'm in your house!".
