SV: SV: Spoofing and SPF
Trond M. Markussen
markussen at media24.no
Mon Sep 12 13:59:02 UTC 2016
So in other words the SPF check is based on the envelope sender as seen here
Return-Path: SRS0+950V+7+pbl.no=arild at vipowernet.net and not the from: From:
"Bob Client," <bob at customerdomain.no> ?
In other words, SPF does not prevent spoofing in these cases?
I should probably explain our setup better though; we have a meta rule in
effect that will give a score of 10 if triggered. This meta rule is applied
if the following two rules are triggered: FROM_CUSTOMERDOMAIN and SPF_FAIL
CUSTOMERDOMAIN is the client that only wants to allow e-mails from their own
domain if the sender is listed in their SPF record.
This seems to filter out 99% of spoofed emails from their domain, but some
keep getting through - and in these cases the FROM_CUSTOMERDOMAIN rule is
triggered, but not SPF_FAIL/SPF_SOFTFAIL.
0.00 HTML_MESSAGE HTML included in message
0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.89 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence
level above 50%
0.92 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.05 RDNS_NONE Delivered to trusted network by a host with no rDNS
1.50 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
[mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] På
vegne av Mark Sapiro
Sendt: 12. september 2016 14:53
Til: MailScanner Discussion
Emne: Re: SV: Spoofing and SPF
On September 12, 2016 1:50:29 AM PDT, "Trond M. Markussen"
<markussen at media24.no> wrote:
>Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule
>was triggered. However, the emails seem to have passed the SPF check
>even though the senders were not listed in the SPF record for that
That's because SPF is not based on the domain of From:. It is based on the
domain of the envelope sender which is not necessarily the From: domain.
Mark Sapiro <mark at msapiro.net>
Sent from my Not_an_iThing with standards compliant, open source software.
MailScanner mailing list
mailscanner at lists.mailscanner.info
More information about the MailScanner