SV: SV: Spoofing and SPF

Mark Sapiro mark at msapiro.net
Tue Sep 13 01:26:30 UTC 2016


On 09/12/2016 06:59 AM, Trond M. Markussen wrote:
> 
> So in other words the SPF check is based on the envelope sender as seen here
> Return-Path: SRS0+950V+7+pbl.no=arild at vipowernet.net and not the from: From:
> "Bob Client," <bob at customerdomain.no> ? 
> 
> In other words, SPF does not prevent spoofing in these cases?


That's correct. SPF was never intended to prevent spoofing of From:. It
is designed to detect whether the owner of a domain says the server
that's attempting to send the mail with envelope from that domain is
allowed to do so. It works strictly on the SMTP MAIL FROM (envelope
from), not anything in the headers or body of the message.


> I should probably explain our setup better though; we have a meta rule in
> effect that will give a score of 10 if triggered. This meta rule is applied
> if the following two rules are triggered: FROM_CUSTOMERDOMAIN and SPF_FAIL
> (or SPF_SOFTFAIL)
> 
> CUSTOMERDOMAIN is the client that only wants to allow e-mails from their own
> domain if the sender is listed in their SPF record.
> 
> This seems to filter out 99% of spoofed emails from their domain, but some
> keep getting through - and in these cases the FROM_CUSTOMERDOMAIN rule is
> triggered, but not SPF_FAIL/SPF_SOFTFAIL. 


Because simple spoofed From: mails often also spoof the envelope sender
to match, or maybe the envelope sender just doesn't publish SPF, but they
don't always, as in your example.

You need to also check that the From: domain is aligned (a DMARC[1]
term) with the envelope sender domain.

Your customer may wish to publish a DMARC p=reject policy for its
domain, however I hesitate to recommend DMARC because of the havoc that
has been created by its misuse[2].

In your case you could just create another rule ENVFROM__CUSTOMERDOMAIN
that would test the Return-Path header and then your failure meta-rule
could be something logically equivalent to FROM_CUSTOMERDOMAIN and (not
ENVFROM__CUSTOMERDOMAIN or SPF_FAIL or SPF_SOFTFAIL).

[1] <http://www.dmarc.org/>
[2] <https://wiki.list.org/DEV/DMARC>

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
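The envelope-versus-header distinction and the replacement meta-rule from the reply above, as an added Python example; this is not part of the thread and is not MailScanner or SpamAssassin code. It assumes the protected domain is customerdomain.no, that SPF has already been evaluated by an upstream check and its result is passed in as a string, and that the envelope sender is available in Return-Path. The sample messages are constructed, modeled on the SRS-rewritten Return-Path quoted in the mail, and the organizational-domain helper is a deliberate "last two labels" approximation of what DMARC does with the Public Suffix List.

```python
"""Header-vs-envelope check for spoofed From: mail (added example).

Reproduces in plain Python the meta-rule suggested in the reply:
FROM_CUSTOMERDOMAIN and (not ENVFROM_CUSTOMERDOMAIN or SPF_FAIL or SPF_SOFTFAIL).
Assumptions: protected domain is customerdomain.no, the SPF result is
computed elsewhere and passed in, Return-Path carries the MAIL FROM.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

PROTECTED_DOMAIN = "customerdomain.no"   # assumed customer domain
SPOOF_SCORE = 10.0                        # score the meta rule assigns


def addr_domain(value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def from_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From: header, the one SPF never looks at."""
    return addr_domain(msg.get("From", ""))


def envelope_domain(msg: Message) -> str:
    """Envelope sender (SMTP MAIL FROM) domain, read from Return-Path.

    For SRS-rewritten mail this is the forwarder's domain; the original
    sender survives only inside the local part, which is why SPF on such
    mail says nothing about the From: header.
    """
    return addr_domain(msg.get("Return-Path", ""))


def in_domain(domain: str, parent: str) -> bool:
    """True when domain is parent or a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def organizational_domain(domain: str) -> str:
    """Approximation of the DMARC organizational domain: last two labels.
    Real DMARC consults the Public Suffix List; this is enough for .no/.net."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def aligned(header_dom: str, env_dom: str, strict: bool = False) -> bool:
    """DMARC-style identifier alignment between From: and MAIL FROM domains."""
    if not header_dom or not env_dom:
        return False
    if strict:
        return header_dom == env_dom
    return organizational_domain(header_dom) == organizational_domain(env_dom)


def rule_hits(msg: Message, spf_result: str) -> dict:
    """Evaluate the individual rules the meta rule is built from."""
    fdom, edom = from_domain(msg), envelope_domain(msg)
    return {
        "FROM_CUSTOMERDOMAIN": in_domain(fdom, PROTECTED_DOMAIN),
        "ENVFROM_CUSTOMERDOMAIN": in_domain(edom, PROTECTED_DOMAIN),
        "FROM_ENVFROM_ALIGNED": aligned(fdom, edom),
        "SPF_FAIL": spf_result == "fail",
        "SPF_SOFTFAIL": spf_result == "softfail",
    }


def spoof_score(msg: Message, spf_result: str) -> float:
    """10 when From: claims the customer domain but the envelope does not,
    or the envelope does and SPF (soft)failed; otherwise 0."""
    h = rule_hits(msg, spf_result)
    spoofed = h["FROM_CUSTOMERDOMAIN"] and (
        not h["ENVFROM_CUSTOMERDOMAIN"] or h["SPF_FAIL"] or h["SPF_SOFTFAIL"]
    )
    return SPOOF_SCORE if spoofed else 0.0


# Constructed sample, modeled on the quoted mail: From: claims the customer,
# the envelope is an SRS-rewritten address at a forwarder, and SPF passes
# for the forwarder, so SPF_FAIL never fires and the old meta rule misses it.
SRS_FORWARDED = message_from_string(
    "Return-Path: <SRS0+950V+7+pbl.no=arild@vipowernet.net>\n"
    'From: "Bob Client" <bob@customerdomain.no>\n'
    "To: victim@customerdomain.no\n"
    "Subject: Urgent payment\n\nbody\n"
)

# Constructed sample: envelope matches From:, but the sending host is not
# in the customer's SPF record (caller passes "fail" or "softfail").
ENVELOPE_MATCHES = message_from_string(
    "Return-Path: <bob@customerdomain.no>\n"
    "From: Bob Client <bob@customerdomain.no>\n\nbody\n"
)

# Constructed sample: unrelated domain, must never score.
OTHER_DOMAIN = message_from_string(
    "Return-Path: <news@example.net>\nFrom: News <news@example.net>\n\nbody\n"
)

if __name__ == "__main__":
    for name, msg, spf in (("srs-forwarded", SRS_FORWARDED, "pass"),
                           ("envelope-spoof", ENVELOPE_MATCHES, "softfail"),
                           ("legit", ENVELOPE_MATCHES, "pass"),
                           ("other", OTHER_DOMAIN, "pass")):
        print(name, rule_hits(msg, spf), spoof_score(msg, spf))
```

The SRS case is the one that slipped through the original meta rule: SPF is evaluated against vipowernet.net, which passes, while From: still says customerdomain.no. The added ENVFROM_CUSTOMERDOMAIN test catches it because the two domains are not aligned, without having to trust SPF at all. Strict alignment is exposed as an option because a customer that sends from mail.customerdomain.no would otherwise be flagged under a strict-only check.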


More information about the MailScanner mailing list