Spoofing and SPF
Mark Sapiro
mark at msapiro.net
Fri Sep 9 19:35:04 UTC 2016
On 09/09/2016 05:15 AM, Trond M. Markussen wrote:
>
>
> We have set up rules where the combination of FROM_CUSTOMERDOMAIN
> (customerdomain.no) and SPF_FAIL (or softfail) gives a hich score to
> filter out spoofed spam emails.
How are you defining FROM_CUSTOMERDOMAIN? if you are basing it on the
From: header, you won't necessarily detect an SPF failure on spoofed
From: domains. SPF is based in the sending server (envelope from), not
the From: domain.
If you control outgoing mail from the domain, you could DKIM sign it and
then base your test on a valid DKIM signature from the domain, but this
depends on no mail passing through an email list or other process that
will make a transformation that breaks the signature on its way from the
originating server to you.
In other words, you can do things such as are done in DMARC
<http://www.dmarc.org/> without necessarily publishing a DMARC policy,
but see <https://wiki.list.org/DEV/DMARC> for some of the negatives of
DMARC.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the MailScanner
mailing list