Spoofing and SPF

Trond M. Markussen markussen at media24.no
Fri Sep 9 12:15:09 UTC 2016


Hi,

We have set up rules where the combination of FROM_CUSTOMERDOMAIN
(customerdomain.no) and SPF_FAIL (or softfail) gives a high score to filter
out spoofed spam emails.

However, some of these pass the SPF test for some reason. Any suggestions as
to why and how to avoid these would be greatly appreciated..!

Regards,

Trond M. Markussen

Return-Path: <g>

Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net
[65.112.145.72])

     by filtermx.media24.no (8.13.8/8.13.8) with ESMTP id u749VHwZ031985

     for <bill at customerdomain.no>; Thu, 4 Aug 2016 11:31:18 +0200

X-Default-Received-SPF: pass (skip=loggedin (res=PASS))
x-ip-name=185.27.134.51;

Date: Thu, 4 Aug 2016 05:31:39 -0400

Return-Path: bob at customerdomain.no

To: bill@ customerdomain.no

From: "Bob Client," <bob at customerdomain.no>

Reply-To: Bob Client <chair at owaprasident.ml>

Subject: =?iso-8859-1?Q?bankoverf=F8ring?=

Message-ID:
<c6dc9823992875aab8fda889a52c7c12 at cosiendocosiendo.byethost9.com>

X-Priority: 3

X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Content-Type: text/plain; charset="iso-8859-1"

X-Authenticated-User: abbuncome at vipowernet.net  

From: srs0+950v+7+customerdomain.no=bob at vipowernet.net [Add to Whitelist |
Add to Blacklist] 

 

To: bill at customerdomain.no 

Subject: bankoverføring 

Size: 1.2Kb 

 

 

Score   Matching Rule         Description
cached not
score=1.754
6 required
 0.50   BOTNET_SERVERWORDS    Hostname contains server-like substrings
-0.01   BOTNET_SOHO           Relay might be a SOHO mail server
 0.01   FROM_CUSTOMERDOMAIN
 1.50   LOTS_OF_MONEY
-1.25   RP_MATCHES_RCVD
-0.00   SPF_PASS              SPF: sender matches SPF record
 1.00   XM_PHPMAILER_FORGED
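
Added example, not part of the original post and not MailScanner or SpamAssassin code: SPF is evaluated against the envelope sender, which in the summary above is an SRS-style address at vipowernet.net, not against the From: header at customerdomain.no. The sketch below checks whether the SPF-checked domain aligns with a protected From: domain; the function names, flag names, strict (exact-match) alignment and the sample headers with " at " turned back into "@" are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers modelled on the message in the post,
# with the archive's " at " obfuscation turned back into "@".
SAMPLE_HEADERS = (
    'From: "Bob Client," <bob@customerdomain.no>\n'
    "Reply-To: Bob Client <chair@owaprasident.ml>\n"
    "To: bill@customerdomain.no\n"
    "Subject: test\n\n"
)
SAMPLE_ENVELOPE = "srs0+950v+7+customerdomain.no=bob@vipowernet.net"

# SRS0 local part: srs0, hash, timestamp, original domain, "=", original user.
# Accepts "=" or "+" separators, since the address in the post uses "+".
SRS0 = re.compile(r"^srs0[=+][^=+]+[=+][^=+]+[=+](?P<dom>[^=]+)=(?P<user>.+)$", re.I)

def split_addr(value):
    """Return (local_part, domain) of the first address in a header value."""
    local, _, domain = parseaddr(value or "")[1].rpartition("@")
    return local, domain.lower()

def assess(raw_headers, envelope_sender, spf_result, protected_domains):
    """Flag mail that claims a protected From: domain without SPF alignment."""
    msg = message_from_string(raw_headers)
    from_dom = split_addr(msg.get("From"))[1]
    reply_dom = split_addr(msg.get("Reply-To"))[1]
    env_local, env_dom = split_addr(envelope_sender)
    srs = SRS0.match(env_local)
    report = {
        "from_domain": from_dom,
        "spf_checked_domain": env_dom,  # SPF evaluates the envelope sender
        "srs_original_domain": srs.group("dom").lower() if srs else None,
        "flags": [],
    }
    if from_dom in protected_domains:
        if spf_result != "pass":
            report["flags"].append("SPF_NOT_PASS")
        elif env_dom != from_dom:  # strict alignment: exact domain match
            report["flags"].append("SPF_PASS_UNALIGNED")
        if reply_dom and reply_dom != from_dom:
            report["flags"].append("REPLY_TO_FOREIGN_DOMAIN")
    return report

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, SAMPLE_ENVELOPE, "pass", {"customerdomain.no"}))
```

A filter rule built on this idea scores the combination of a protected From: domain with an SPF result that belongs to a different domain, instead of relying on SPF_FAIL alone.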

 

 

 

 
