spf-discuss

Re: [spf-discuss] not sure how this is happening[Scanned]

2006-01-27 04:51:30

In general SPF is working well, but recently one of our users has been
receiving spam, apparently from himself. Looking at the mail headers
shows that the person sending is external. The essential part of the
header is shown below:

Received: from 80.176.216.242 ([58.225.123.38]) by
mailgate.scottishanglo.co.uk with Microsoft SMTPSVC(5.0.2195.5329); Wed,
25 Jan 2006 01:23:09 +0000
X-Originating-IP: 57.183.224.44 by smtp.58.225.123.38; Wed, 25 Jan 2006
15:32:43 -0800

As you can see, the sender has named the sending server with our
IP address.

The spammer has set his HELO command to your IP address, which is very
common amongst spammers (or viruses). Two things you can do to reject
these imposters:

1) An IP address in a HELO command is technically valid, provided it is
properly bracketed. So '80.176.216.242' is illegal, but
'[80.176.216.242]' is allowed.

2) Consider whether you want to receive messages from systems pretending
to be you (I don't). I will outright reject messages (independent from
SPF) if they send either my domain name or IP in the HELO command. No
exceptions. I don't like 'localhost' or '127.0.0.1' in a HELO command
either, by the way.

Somehow, this is then passed by our gateway SPF checking
program (MailEssentials 11).

SPF will not prevent spoofing an IP in a HELO, so this is correct. Only if
the spammer used a sender address from your domain, or used a hostname
protected with a matching SPF record, it could be rejected by SPF. But my
guess is that the spammer didn't use a sender address from your domain in
MAIL TO.

Any ideas how or why this is happening and how to prevent it would be
greatly appreciated.

See above.

Regards, Arjen

PS  A question like this is more appropriate on 'spf-help' by the way.
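The two HELO checks Arjen describes, implemented as an added example that is not code from the thread or from any product mentioned in it. It assumes the receiving site's domain and address as they appear in the quoted Received header, a Received line in the Microsoft SMTPSVC layout shown on the page, and (a generalization beyond the reply) that subdomains of the local domain are treated like the domain itself; the sample header is a constructed, shortened copy of the one quoted above.

```python
import ipaddress
import re

# Constructed identity for the receiving site in the thread: the domain and
# the spoofed address both come from the Received header quoted on the page.
OUR_DOMAIN = "scottishanglo.co.uk"
OUR_IPS = {"80.176.216.242"}

# Matches the Microsoft SMTPSVC style "Received: from <helo> ([<ip>])" prefix.
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(\[([0-9.]+)\]\)", re.I)

# A dotted hostname: one or more letter/digit/hyphen labels and an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}$"
)


def parse_received(line: str) -> tuple[str, str]:
    """Split a Received line into (HELO argument, connecting IP address)."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError("unrecognised Received header format")
    return m.group(1), m.group(2)


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def check_helo(helo: str, our_domain: str = OUR_DOMAIN,
               our_ips: set[str] = OUR_IPS) -> tuple[bool, str]:
    """Apply the two checks from the reply; returns (accept, reason)."""
    h = helo.strip().lower()
    bracketed = len(h) >= 2 and h[0] == "[" and h[-1] == "]"
    inner = h[1:-1] if bracketed else h

    # Check 2: a peer claiming to be us, or to be loopback, is rejected outright.
    if inner in ("localhost", "127.0.0.1"):
        return False, "loopback name or address in HELO"
    if inner in our_ips:
        return False, "HELO names our own IP address"
    dom = our_domain.lower()
    if h == dom or h.endswith("." + dom):   # assumption: subdomains count too
        return False, "HELO names our own domain"

    # Check 1: an address literal is only valid syntax when bracketed.
    if _is_ipv4(inner):
        if bracketed:
            return True, "valid bracketed address literal"
        return False, "bare IP address is not a valid HELO argument"

    if HOSTNAME_RE.match(h):
        return True, "syntactically valid hostname"
    return False, "malformed HELO argument"


def evaluate_received(line: str) -> dict:
    """Parse a Received line and judge the HELO it records."""
    helo, ip = parse_received(line)
    accept, reason = check_helo(helo)
    return {"helo": helo, "ip": ip, "accept": accept, "reason": reason}


# Constructed sample, shortened from the header quoted in the thread.
SAMPLE = ("Received: from 80.176.216.242 ([58.225.123.38]) by "
          "mailgate.scottishanglo.co.uk with Microsoft SMTPSVC(5.0.2195.5329)")

if __name__ == "__main__":
    print(evaluate_received(SAMPLE))
```

Run against the sample, the HELO argument `80.176.216.242` fails on both counts: it is the receiver's own address, and it is an unbracketed literal. Note that this is a policy applied by the MTA at HELO time, independent of SPF, which is exactly the point of the reply: the connecting IP `58.225.123.38` is what SPF would evaluate, and nothing in the HELO string changes that.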

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/