Possible Phishing emails

Hi,

We’ve had quite a few emails that purport to be from Cloudflare. They’re passing mail security, but they look “off”.

Is it common for real Cloudflare employees to cold email lists of people (who don’t use Cloudflare) in an organisation to drum up business?

Do Cloudflare employees use salesloft.com to try to book meetings with people they’ve never dealt with before?

There’s definitely something wrong with these emails, I just haven’t narrowed down whether this is someone faking Cloudflare emails or whether there’s some extremely problematic marketing practices yet.

Has anyone had any similar experience of this?

I have an update on this one and it’s not looking any less problematic.

The emails have properly passed DMARC checks and Cloudflare’s setting is “p=reject”, so it appears that the dodgy emails we’ve received have actually come from Cloudflare.
This is a problem because most of the incoming mail is sent to invalid addresses that are clearly being guessed at, and it looks very much like an attacker is probing for our address format.

This makes me think that the two most likely possibilities are:

  1. Cloudflare have a breach and someone is abusing their system to spam
    or
  2. Cloudflare business development staff are up to some naughty practices when it comes to finding new contacts

I hope I’m wrong, I hope there’s another explanation, but as it stands right now it looks very, very bad.

What domain name is in the RFC 5322 From header?

Header From: cloudflare.com

Since that domain has no SPF, the only way for it to pass DMARC would be for it to have a valid DKIM signature. Can you share the DKIM selector used in the signature?

Updating this reply to reflect that the SPF record lookup using the DNS Hero Android app was not accurately reported.


I’m guessing this is what you’re looking for?

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=cloudflare.com; s=google09082023; t=1710418608; x=1711023408; darn=(domain-removed!);

Interesting comparison with an email I’m confident is real:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=em1.cloudflare.com;
s=scph0124; t=1710437350; [email protected];

Yes. The value following the s= is the DKIM selector. That record does exist at the time you shared it. The name suggests that it was created in the second half of last year. Whether it was in reference to August or September is unclear since YYYYMMDD was not used.

I appreciate you indulging my curiosity.
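To make the two checks discussed in this exchange concrete (which DNS name the s= and d= tags point a verifier at, and whether a d= domain such as em1.cloudflare.com still counts as aligned with a From header of cloudflare.com under DMARC), here is an added example, written for this page and not code from the thread or from Cloudflare. The two sample headers are constructed from the tags quoted above; the h=, bh= and b= values are placeholders, and the organizational-domain logic uses a tiny built-in suffix list instead of the real Public Suffix List.

```python
"""Parse DKIM-Signature tags and check DMARC identifier alignment (RFC 6376 / RFC 7489)."""
import re

# Constructed samples modelled on the headers quoted in the thread.
# h=, bh= and b= are placeholders, not values from real mail.
SUSPECT_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; "
    "d=cloudflare.com; s=google09082023; t=1710418608; x=1711023408; "
    "h=from:to:subject; bh=constructed=; b=constructed="
)
KNOWN_GOOD_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=em1.cloudflare.com; "
    "s=scph0124; t=1710437350; h=from:to:subject; bh=constructed=; b=constructed="
)

# Hypothetical stand-in for the Public Suffix List; enough for the domains above.
PUBLIC_SUFFIXES = ("com", "net", "org", "co.uk")


def parse_dkim_signature(header):
    """Return the tag=value pairs of a DKIM-Signature header as a dict."""
    _, _, value = header.partition(":")
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # Folding whitespace inside a tag value is not significant (RFC 6376 3.2).
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags):
    """The TXT record a verifier fetches the public key from: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain):
    """Simplified organizational domain: the label just above a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def dkim_aligned(header_from_domain, tags, mode="r"):
    """DMARC alignment of the DKIM d= domain with the RFC 5322 From domain.

    mode 's' (strict) requires an exact match; mode 'r' (relaxed, the default
    for adkim) only requires the same organizational domain.
    """
    d = tags["d"].lower()
    hf = header_from_domain.lower()
    if mode == "s":
        return d == hf
    return org_domain(d) == org_domain(hf)


if __name__ == "__main__":
    for label, header in (("suspect", SUSPECT_HEADER), ("known good", KNOWN_GOOD_HEADER)):
        tags = parse_dkim_signature(header)
        print(f"{label}: query {dkim_dns_name(tags)}; "
              f"relaxed aligned={dkim_aligned('cloudflare.com', tags)}, "
              f"strict aligned={dkim_aligned('cloudflare.com', tags, 's')}")
```

The name returned by `dkim_dns_name` is exactly what the `dig txt` check mentioned later in the thread queries (`dig txt google09082023._domainkey.cloudflare.com`). Note that both headers pass relaxed alignment against a cloudflare.com From address, so a valid signature under either d= domain is enough for DMARC to pass even with p=reject; only a strict `adkim=s` policy would distinguish the em1 subdomain from the apex.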

Hello @T-PT,

Could you share a screenshot of the email you are receiving and the sender address it is coming from?

Thanks!


I appreciate you taking the time to respond.

Does it tell you anything meaningful?

Hi @bujangnim

The sender email is: {redacted}

There is a picture and phone number in the signature, would you like me to blank those out before posting an image?

Without knowing more context, all I can state conclusively is that there is a DKIM record published for that selector. Cloudflare staff will be better equipped to offer any official response.

ok, thank you for taking the time to respond.


@bujangnim

Here’s a screenshot of the content of the email - I’ve skipped photo and business signature for now, but I can update again if you need further information.


I’m just double checking, I think cloudflare.com does have SPF


The DNS Hero app on my Android did not find any TXT records for cloudflare.com. I did not check further. There is clearly an issue with the result returned by that app, as using dig txt from a proper Linux host did obtain the accurate result that you just shared.


We’ll see what else comes from this thread, thanks for checking anyway :)


Hi @T-PT sorry for the issues. I’ve reached out to verify the authenticity of the email you received. My apologies.


Hi @cloonan
Thanks very much for that :)


Another update:
I have now received a follow-up email from the original sender, and I’ve asked some more questions to understand what is going on here.

So as it stands, it appears that the emails are really from Cloudflare, but my ongoing concern at this point is the list of addresses that the email was sent to, along with the similarity to tactics used by scammers and sources of the names that have been used.

I do appreciate the prompt follow up to my query though.
