SV: SV: Spoofing and SPF
Trond M. Markussen
markussen at media24.no
Mon Sep 12 13:59:02 UTC 2016
Hi,
So in other words the SPF check is based on the envelope sender as seen here
Return-Path: SRS0+950V+7+pbl.no=arild at vipowernet.net and not the from: From:
"Bob Client," <bob at customerdomain.no> ?
In other words, SPF does not prevent spoofing in these cases?
I should probably explain our setup better though; we have a meta rule in
effect that will give a score of 10 if triggered. This meta rule is applied
if the following two rules are triggered: FROM_CUSTOMERDOMAIN and SPF_FAIL
(or SPF_SOFTFAIL)
CUSTOMERDOMAIN is the client that only wants to allow e-mails from their own
domain if the sender is listed in their SPF record.
This seems to filter out 99% of spoofed emails from their domain, but some
keep getting through - and in these cases the FROM_CUSTOMERDOMAIN rule is
triggered, but not SPF_FAIL/SPF_SOFTFAIL.
0.01 FROM_CUSTOMERDOMAIN
0.00 FSL_BULK_SIG
1.50 HELO_MISC_IP
0.00 HTML_MESSAGE HTML included in message
10.00 LOCAL_SPF_SOFTFAIL_FROM_CUSTOMERDOMAIN
0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.89 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
0.92 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.05 RDNS_NONE Delivered to trusted network by a host with no rDNS
1.50 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
Regards,
Trond M.
-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] On
Behalf Of Mark Sapiro
Sent: 12 September 2016 14:53
To: MailScanner Discussion
Subject: Re: SV: Spoofing and SPF
On September 12, 2016 1:50:29 AM PDT, "Trond M. Markussen"
<markussen at media24.no> wrote:
>Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule
>was triggered. However, the emails seem to have passed the SPF check
>even though the senders were not listed in the SPF record for that
>domain.
That's because SPF is not based on the domain of From:. It is based on the
domain of the envelope sender which is not necessarily the From: domain.
--
Mark Sapiro <mark at msapiro.net>
Sent from my Not_an_iThing with standards compliant, open source software.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
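
Added example, not part of the original thread or of MailScanner/SpamAssassin: a short Python check that shows which domain an SPF result actually describes (the envelope sender in Return-Path, unwrapped if it is SRS0-rewritten) and flags a message whose From: claims the protected domain while the envelope belongs to another one. The sample messages are constructed from the headers quoted above with placeholder domains (`sender.example`, `forwarder.example`); the function names and the `mismatch` field are assumptions, and no DNS or SPF lookup is performed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# SRS0 local part: SRS0 <sep> hash <sep> timestamp <sep> original-domain = original-local
SRS0 = re.compile(r"^SRS0[=+-]([^=+]+)[=+]([^=+]+)[=+]([^=+]+)=(.+)$", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address, '' when there is none (e.g. '<>')."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def in_domain(domain, protected):
    """True when domain is the protected domain or one of its subdomains."""
    return domain == protected or domain.endswith("." + protected)

def check(raw, protected):
    """Compare the From: domain with the envelope domain that SPF evaluates."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    env_addr = parseaddr(msg.get("Return-Path", ""))[1]
    srs = SRS0.match(env_addr.rpartition("@")[0])
    spf_dom = domain_of(env_addr)
    return {
        "from_domain": from_dom,
        "spf_domain": spf_dom,  # an SPF pass/fail describes this domain only
        "srs_original_domain": srs.group(3).lower() if srs else None,
        # From: claims the protected domain but SPF was evaluated for another one
        "mismatch": in_domain(from_dom, protected) and not in_domain(spf_dom, protected),
    }

# Constructed samples, modelled on the headers quoted in the message above.
FORWARDED = (
    "Return-Path: <SRS0+950V+7+sender.example=alice@forwarder.example>\n"
    'From: "Bob Client," <bob@customerdomain.no>\n'
    "Subject: constructed sample\n\nbody\n"
)
DIRECT = (
    "Return-Path: <bob@customerdomain.no>\n"
    "From: Bob Client <bob@customerdomain.no>\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED), ("direct", DIRECT)):
        print(name, check(raw, "customerdomain.no"))
```

A `mismatch` on a message that also carries an SPF pass is the case the thread describes: the pass was earned by the envelope domain, so a rule that combines the From: domain with SPF_FAIL/SPF_SOFTFAIL never fires.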