spf-discuss

Re: [spf-discuss] not sure how this is happening[Scanned]

2006-01-27 06:31:15

> On Fri, Jan 27, 2006 at 11:03:29AM -0000, Chris Martin wrote:
>
>> "v=spf1 a mx -all"
>>
>> Our border MX server is: mailgate.scottishanglo.co.uk (with IP address
>> 80.176.216.242).
>>
>> In general SPF is working well, but recently one of our users has been
>> receiving spam, apparently from himself. Looking at the mail headers
>> shows that the person sending is external. The essential part of the
>> header is shown below:
>
> Having an SPF record has _nothing_ to do with inbound verification.
>
>> As you can see, the sender has named the sending server with our
>> IP address. Somehow, this is then passed by our gateway SPF checking
>> program (MailEssentials 11).
>
> Does this program verify "mail from" and "helo"?  If so, it is doing
> a lousy job.

Not necessarily. Many SPF implementations will not check HELO if a
non-empty MAIL FROM is present (including Mail::SPF::Query).

> The connecting server, 58.225.123.38, should be matched against your
> SPF record.
>
> For HELO verification:
>
> Server 58.225.123.38 says HELO 80.176.216.242
> There is no domain 80.176.216.242 (there isn't even a top level domain
> 242) so there will be no SPF record present.  SPF verification is not
> possible.  SPF stops processing this domain.
>
> This HELO should be rejected right away, as domain 80.176.216.242 does
> not exist as an A record nor as an MX record.

Indeed. But that has nothing to do with SPF.

> Server 58.225.123.38 says MAIL FROM:<user(_at_)analox(_dot_)net>
> There is a TXT record for analox.net, so process it, see if it is
> an SPF record:
> "v=spf1 "  yes it is
> "a"        compare 58.225.123.38 against A(analox.net) -> no match
> "mx"       compare 58.225.123.38 against MX(analox.net)
>            -> get MX(analox.net)
>            -> result(s): mailgate.scottishanglo.co.uk.
>            -> get A(mailgate.scottishanglo.co.uk)
>            -> result(s): 80.176.216.242 -> no match
> "all"      compare 58.225.123.38 against "all"  ->  MATCH
>            -> apply policy "-"
>            -> reject message
>
> So, even without the proper HELO verification this message should
> have been caught as a forgery by SPF.

I may have missed something here, but I don't recall that the OP mentioned
<user(_at_)analox(_dot_)net> in MAIL FROM. In fact, I very much doubt that it
was used in the transmission of this mail. The vast majority of imposters is
using someone else's domain name.

Regards, Arjen
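The mechanism-by-mechanism walk-through in the thread, replayed as an added example (this is not code from the list posting, from Chris Martin's gateway, or from Mail::SPF::Query). It is a toy `check_host()` for records built from `a`, `mx`, `ip4` and `all` terms, which goes slightly beyond the `a mx -all` record discussed: DNS answers come from a constructed in-memory table so it runs offline, the A record for analox.net is a documentation-range placeholder because the thread does not give one, and `example.test` is a constructed second domain used only to exercise `ip4:` and `~all`. `check_session()` models the checker behaviour Arjen describes, where HELO is skipped whenever MAIL FROM is non-empty; the result shows that the forged HELO yields `none` regardless, while a MAIL FROM of `user@analox.net` would have failed on `-all`, and a MAIL FROM under some other domain with no record yields `none`.

```python
"""Toy SPF check_host() for records built from a, mx, ip4 and all terms.

Added example, not code from the thread.  DNS answers come from a
constructed in-memory table so the walk-through can be replayed offline;
a real checker would resolve them.
"""
import ipaddress

# Constructed DNS table.  Hostnames and IPs are the ones quoted in the thread,
# except: the A record for analox.net is a documentation-range placeholder
# (the thread gives none), and example.test is an invented second domain
# used to exercise ip4: and ~all.
DNS = {
    ("analox.net", "TXT"): ["v=spf1 a mx -all"],
    ("analox.net", "A"): ["203.0.113.10"],
    ("analox.net", "MX"): ["mailgate.scottishanglo.co.uk"],
    ("mailgate.scottishanglo.co.uk", "A"): ["80.176.216.242"],
    ("example.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; unknown names simply have no answers."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def is_domain_name(name):
    """An IP literal (the HELO in the thread) is not a domain, so no record can exist."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        return "." in name


def check_host(ip, domain):
    """Evaluate <domain>'s SPF record for connecting <ip>.

    Returns (result, trace); trace lists each term and its outcome in the
    same order as the walk-through in the thread.
    """
    trace = []
    if not is_domain_name(domain):
        trace.append(f"{domain!r} is not a domain name: no SPF record possible")
        return "none", trace
    spf = [t for t in lookup(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    if len(spf) != 1:
        trace.append(f"{domain}: no SPF record")
        return "none", trace
    trace.append(f'{domain}: "{spf[0]}"')
    for term in spf[0].split()[1:]:
        qualifier = "+"                       # an unqualified term means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "a":
            matched = ip in lookup(domain, "A")
        elif term == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(domain, "MX"))
        elif term.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            trace.append(f"{qualifier}{term}: unsupported term, permerror")
            return "permerror", trace
        trace.append(f"{qualifier}{term}: {'MATCH' if matched else 'no match'}")
        if matched:                           # first matching term decides
            return QUALIFIER_RESULT[qualifier], trace
    return "neutral", trace                   # no term matched, no "all" present


def check_session(client_ip, helo, mail_from, skip_helo_when_mail_from_set):
    """Apply SPF to the two SMTP identities of one session.

    The flag reproduces the checker behaviour described in the thread:
    HELO is only evaluated when MAIL FROM is empty.  Returns {identity: result}.
    """
    results = {}
    if not (skip_helo_when_mail_from_set and mail_from):
        results["helo"] = check_host(client_ip, helo)[0]
    if mail_from:
        results["mailfrom"] = check_host(client_ip, mail_from.rsplit("@", 1)[1])[0]
    return results


if __name__ == "__main__":
    result, trace = check_host("58.225.123.38", "analox.net")
    print("\n".join(trace), "=>", result)
    print(check_session("58.225.123.38", "80.176.216.242", "user@analox.net", True))
    print(check_session("58.225.123.38", "80.176.216.242", "user@other.example", True))
```

The third call illustrates Arjen's objection: with a MAIL FROM under a domain that publishes no record, the session returns `none` for every identity that is checked, and nothing in SPF rejects it; that is why the HELO literal needs to be refused on its own merits, outside SPF.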

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/