Read RFC 7208 sections 2.2 to 2.4
https://tools.ietf.org/html/rfc7208#section-2.2
The SPF is done for the envelope sender (mail from:) - not for any sender
published in the MIME header.
However, assp has an option to do an additional SPF check for the From:
MIME header (DoSPFinHeader).
NOTICE: using this check is NOT RFC compliant!!!
Thomas
From: "Haris Alatas" <[email protected]>
To: [email protected]
Date: 07.06.2018 12:02
Subject: [Assp-user] Epic SPF failure on SCAM mail!
Hello list. I have this header file and I am looking at it like an idiot,
not knowing what to do to fix it:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from virgo.mycompany.gr
by virgo.myip.gr with LMTP id UIhrFgjxC1sGYAAAO5TXtA
for <[email protected]>; Mon, 28 May 2018 15:07:36 +0300
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 28 May 2018 15:07:36 +0300
Received: from [127.0.0.1] (port=51207
helo=p3plwbeout02-04.prod.phx3.secureserver.net)
by virgo.mycompany.gr with esmtps
(TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.89_1)
(envelope-from <[email protected]>)
id 1fNGw3-000BbH-0P
for [email protected]; Mon, 28 May 2018 15:07:36 +0300
X-Assp-ID: virgo.mycompany.gr id-09254-03731
X-Assp-Session: 7F7E6942D068 (mail 1)
X-Assp-Envelope-From: [email protected]
X-Assp-Intended-For: [email protected]
X-Assp-Original-Subject: PENDING INVOICES!
X-Assp-Version: 2.5.6(17281) on virgo.mycompany.gr
X-Assp-Client-TLS: yes
X-Assp-Server-TLS: yes
X-Assp-Message-Score: -2 (SSL-TLS-connection-OK)
X-Assp-IP-Score: -2 (SSL-TLS-connection-OK)
X-Assp-Delay: not delayed (72.167.218.97 in noDelay ); 28 May 2018
15:07:34 +0300
X-Assp-Received-SPF: none (cache) ip=72.167.218.97
[email protected]
helo=p3plwbeout02-04.prod.phx3.secureserver.net
X-Original-Authentication-Results: virgo.mycompany.gr; spf=none
X-Assp-Message-Score: 10 (SPF none)
X-Assp-IP-Score: 10 (SPF none)
X-Assp-Re-bombSubjectRe: PB 7: for PENDING INVOICES!
X-Assp-Message-Score: 7 (BombSubjectRe 'PENDING INVOICES!')
X-Assp-IP-Score: 7 (BombSubjectRe 'PENDING INVOICES!')
X-Assp-Spam-Level: ****
Received: from p3plsmtp02-04-2.prod.phx3.secureserver.net ([72.167.218.97]
helo=p3plwbeout02-04.prod.phx3.secureserver.net) by
virgo.mycompany.gr with SMTPS(TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256)
(2.5.6); 28 May 2018 15:07:33 +0300
Received: from p3plgemwbe02-04.prod.phx3.secureserver.net
([72.167.218.14])
by :WBEOUT: with SMTP
id NGvUf20GqMf6rNGvUfms8y; Mon, 28 May 2018 05:07:00 -0700
X-SID: NGvUf20GqMf6r
Received: (qmail 30320 invoked by uid 99); 28 May 2018 12:07:00 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 105.112.33.37
User-Agent: Workspace Webmail 6.9.12
Message-Id:
<20180528050656.7edd7821772e7dc5cc96ba463f3c961d.7b6508b5f4....@email02.godaddy.com>
From: "Brad Neil" <[email protected]>
X-Sender: [email protected]
Reply-To: "Brad Neil" <[email protected]>
To:
Subject: PENDING INVOICES!
Date: Mon, 28 May 2018 05:06:56 -0700
As you can see, the SPF check was done on the [email protected]
domain and not on the From: "Brad Neil" <[email protected]>, which
is the right SPF record.
This yielded zero SPF record for bridgeportdocks.com, which was wrong
because thesender.com had a very good -all SPF record!
Why did this happen? How can I prevent it in the future?
Also, is there a check to score mails that are spoofed like this?
Different mailfrom and From headers.
Best regards
Haris Alatas
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
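An added example, not part of the original thread and not ASSP code: a standalone check for the pattern discussed above, where the envelope sender domain (Return-Path) differs from the From: header domain and SPF did not pass. The sample local parts, the function names and the score weights are assumptions; alignment is approximated by a parent/child suffix match rather than a public suffix list.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in this thread; the local parts
# are placeholders because the page redacts the real addresses.
SAMPLE = """\
Return-Path: <bounce@bridgeportdocks.com>
X-Original-Authentication-Results: virgo.mycompany.gr; spf=none
From: "Brad Neil" <brad@thesender.com>
Reply-To: "Brad Neil" <brad@thesender.com>
Subject: PENDING INVOICES!

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def aligned(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spf_result(msg):
    """Pull the spf= result the receiving filter recorded, default 'none'."""
    for name in ("Authentication-Results", "X-Original-Authentication-Results"):
        for part in (msg.get(name) or "").split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "spf" and value:
                return value.split()[0].lower()
    return "none"

def check_message(raw):
    msg = message_from_string(raw)
    env = domain_of(msg.get("Return-Path"))
    hdr = domain_of(msg.get("From"))
    spf = spf_result(msg)
    # A null envelope sender (<>, used by bounces) is not treated as a mismatch.
    mismatch = bool(env and hdr) and not aligned(env, hdr)
    # Hypothetical weights, not ASSP's: an envelope domain that differs from
    # the visible From: domain and has no SPF pass is the case in this thread.
    score = (10 if mismatch else 0) + (5 if mismatch and spf != "pass" else 0)
    return {"envelope": env, "header_from": hdr, "spf": spf,
            "mismatch": mismatch, "score": score}

if __name__ == "__main__":
    print(check_message(SAMPLE))
```
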