SV: Spoofing and SPF

Trond M. Markussen markussen at media24.no
Mon Sep 12 08:50:29 UTC 2016


Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule was
triggered. However, the emails seem to have passed the SPF check even
though the senders were not listed in the SPF record for that domain.

Not sure about how, but this part could be a clue perhaps? "(skip=loggedin
(res=PASS)) "

X-Default-Received-SPF: pass (skip=loggedin (res=PASS))
x-ip-name=185.27.134.51;

Regards,

Trond M.

-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] On
Behalf Of Mark Sapiro
Sent: 9 September 2016 21:35
To: mailscanner at lists.mailscanner.info
Subject: Re: Spoofing and SPF

On 09/09/2016 05:15 AM, Trond M. Markussen wrote:
>  
> 
> We have set up rules where the combination of FROM_CUSTOMERDOMAIN
> (customerdomain.no) and SPF_FAIL (or softfail) gives a high score to 
> filter out spoofed spam emails.


How are you defining FROM_CUSTOMERDOMAIN? If you are basing it on the
From: header, you won't necessarily detect an SPF failure on spoofed
From: domains. SPF is based on the sending server (envelope from), not the
From: domain.

If you control outgoing mail from the domain, you could DKIM sign it and
then base your test on a valid DKIM signature from the domain, but this
depends on no mail passing through an email list or other process that will
make a transformation that breaks the signature on its way from the
originating server to you.

In other words, you can do things such as are done in DMARC
<http://www.dmarc.org/> without necessarily publishing a DMARC policy, but
see <https://wiki.list.org/DEV/DMARC> for some of the negatives of DMARC.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
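
The check Mark describes (require the SPF-passing envelope domain or a valid DKIM signing domain to match the From: domain, as DMARC does) can be sketched as below. This is an added example, not code from the thread or from MailScanner. It assumes the receiving server stamps Return-Path, Received-SPF (or the X-Default-Received-SPF seen above) and Authentication-Results headers, treats a "skip=" annotation as "SPF was not evaluated", and uses a simplified alignment rule; the verdict names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CUSTOMER_DOMAIN = "customerdomain.no"  # placeholder domain used in the thread

def domain_of(value):
    """Lower-cased domain of an address header value, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(auth, frm):
    """Simplified alignment: same domain, or a subdomain of the From: domain."""
    return bool(auth) and (auth == frm or auth.endswith("." + frm))

def verdict(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    if from_dom != CUSTOMER_DOMAIN:
        return "not-customer-domain"
    spf = (msg["Received-SPF"] or msg["X-Default-Received-SPF"] or "").lower()
    # Assumption: a "skip=" annotation means no SPF lookup was performed.
    skipped = "skip=" in spf
    # SPF only vouches for the envelope sender, so its domain must match From:.
    if (spf.strip().startswith("pass") and not skipped
            and aligned(domain_of(msg["Return-Path"]), from_dom)):
        return "aligned-spf"
    dkim = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)",
                     msg["Authentication-Results"] or "", re.I)
    if dkim and aligned(dkim.group(1).lower(), from_dom):
        return "aligned-dkim"
    return "spf-not-evaluated" if skipped else "suspect-spoof"

def build(*headers):  # assemble a constructed message from (name, value) pairs
    return "".join(f"{k}: {v}\n" for k, v in headers) + "\nbody\n"

FROM = ("From", "Boss <ceo@customerdomain.no>")
OWN_RP = ("Return-Path", "<ceo@customerdomain.no>")
SAMPLES = {  # constructed messages, not taken from the thread
    "spoofed": build(FROM, ("Return-Path", "<x@bulk.example>"),
                     ("Received-SPF", "pass (bulk.example permits sender)")),
    "direct": build(FROM, OWN_RP, ("Received-SPF", "pass")),
    "logged-in": build(FROM, OWN_RP, ("X-Default-Received-SPF",
                                      "pass (skip=loggedin (res=PASS))")),
    "via-list": build(FROM, ("Return-Path", "<bounces@lists.example.org>"),
                      ("Authentication-Results",
                       "mx.example.net; dkim=pass header.d=customerdomain.no")),
}

if __name__ == "__main__":
    print({name: verdict(raw) for name, raw in SAMPLES.items()})
```

The "spoofed" sample is the case a From:-plus-SPF_FAIL rule misses: SPF passes for the envelope domain, so only the mismatch with the From: domain reveals it.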


