so the following SPF record in 'SPFoverride' will solve the problem.

efax.com=>v=spf1 ip4:66.52.2.3 ....to be extended...... -all



Put 'ip4:' in front of each IP and extend the record (as shown above).

Note that these are not MX hosts of efax.com - so 'v=spf1 mx/24 a/24 -all' will not work!

Don't forget to put '@efax.com' into 'blockstrictSPFRe' and to enable 'validateSPF'!

If an IP outside the list of IPs tries to send an email with a sender 'anyu...@efax.com' - assp will block it.

Keep in mind, there can be only one SPF record for one domain, but there is no limit for the record length.

Thomas





From:    "Daniel L. Miller" <dmil...@amfes.com>
To:      assp-test@lists.sourceforge.net
Date:    17.08.2012 16:40
Subject: Re: [Assp-test] Block spoofed addresses



On 8/17/2012 1:44 AM, Colin wrote:
> You're not the only one.
>
> As of the last day or two we've seen a number of fake efax.com messages
> getting through.
>
> Does anyone have a legitimate subscription to efax.com so that we can
> compare headers and see if there is an obvious regex for this?
>
> I first spotted this because a client was running a dnsbl using abuseat
> on their Exchange box and that blocked the messages but we have had
> problems with abuseat blocking legitimate mail so don't use it. All
> suspect messages seem to have the subject "Corporate eFax message X
> pages" so I'll add the first three words as a regex and see how it goes.
>

This is what a "real" efax looks like.

Return-Path: <mess...@inbound.efax.com>
Delivered-To: <f...@amfes.com>
Received: from mail.amfes.com
                 by bubba.amfeslan.local (Dovecot) with LMTP id 
PVD+KpR8LVAqFAAA4TDHRA
                 for <f...@amfes.com>; Thu, 16 Aug 2012 16:04:52 -0700
Received: from mail.amfes.com (lax2.efax.com [66.52.2.3])
                 (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 
bits))
                 (No client certificate requested)
                 by Postfix-ASSP.amfeslan.local (Postfix) with ESMTPS id 
60BFD404065E
                 for <faxrecei...@amfes.com>; Thu, 16 Aug 2012 16:04:52 
-0700 (PDT)
Received: from lax2.efax.com ([66.52.2.3] helo=lax2.efax.com) by
                 mail.amfes.com with SMTP (2.2.2); 16 Aug 2012 16:04:52 
-0700
Received: from media4.lax2.colo.j2noc.com (media4.lax2.colo.j2noc.com 
[10.11.50.107])
                 by lax2.efax.com (Postfix) with ESMTP id EC48D10422
                 for <dmil...@amfes.com>; Thu, 16 Aug 2012 23:04:51 +0000 
(GMT)
Received: by media4.lax2.colo.j2noc.com (Postfix, from userid 0)
                 id DB8ED1370F2; Thu, 16 Aug 2012 23:04:51 +0000 (GMT)
MIME-Version: 1.0
Date: Thu, 16 Aug 2012 23:04:37 +0000
To: dmil...@amfes.com
CC:
From: "eFax Corporate" <mess...@inbound.efax.com>
Subject: 
=?utf-8?Q?=20Corporate=20eFax=20message=20from=20"unknown"=20-=201=20page(s)?=
Message-ID: 
<lax2_did14-1345158243-7023125279-29-18865.1345158...@media4.lax2.colo.j2noc.com>
Content-Type: Multipart/Mixed;boundary="Boundary-00=_T7P340MWKGMMYJ0CCJD0"
X-J2-Header-Version: 1.0
X-J2-Phone-Number: 17023125279
X-J2-Customerkey: 42193434
X-J2-Servicekey: 76679357
X-J2-Message-Type: FAX
X-J2-Caller-Id:
X-J2-Message-Duration: 32
X-J2-Message-Size: 23442
X-J2-Message-Format: pdf
X-J2-Message-Date: 08/16/2012 23:04:37 GMT
X-J2-Accounttype: Regular
X-J2-Fax-Pages: 1
X-J2-Fax-Mode: ECM
X-J2-Fax-Csid-Remote: unknown
X-J2-Fax-Bps: 14400
X-Assp-Version: 2.2.2(12228) on mail.amfes.com
X-Assp-Server-TLS: yes
X-Assp-Re-NoProcessingDomain: efax.com
X-Assp-Recipient: recipient dmil...@amfes.com replaced with 
faxrecei...@amfes.com
X-Assp-NoProcessing: YES - (noProcessingDomain 'efax.com')
X-Assp-ID: mail.amfes.com 58292-03712
X-Assp-Original-Subject: 
=?utf-8?Q?=20Corporate=20eFax=20message=20from=20"unknown"=20-=201=20page(s)?=

--Boundary-00=_T7P340MWKGMMYJ0CCJD0
Content-Type: 
Multipart/Alternative;boundary="Boundary-00=_Z7P340MWKGMMYJ0CCJD0"

--Boundary-00=_Z7P340MWKGMMYJ0CCJD0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

You have received a 1 page fax at 2012-08-16 16:04:37 PDT.=0D=0A=0D=0A* T=
he reference number for this fax is 
lax2_did14-1345158243-7023125279-29.=0D=0A=
   =0D=0APlease visi

-- 
Daniel

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




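The record-building step from the top of this message (one 'ip4:' term per sending host, closed with '-all'), as an added example that is not part of the original mail or of ASSP: it builds the 'SPFoverride' line in the format shown there and evaluates it for a connecting IP. Only 66.52.2.3 comes from the thread; the other addresses and both function names are constructed for illustration, and the evaluator handles just the ip4 and all mechanisms.

```python
import ipaddress

def build_override(domain, ips):
    """Return 'domain=>v=spf1 ip4:... -all' in the format shown in the post."""
    nets = set()
    for raw in ips:
        raw = raw.strip()
        if raw:
            # Malformed addresses or CIDRs with host bits set raise ValueError
            # instead of silently ending up in the record.
            nets.add(ipaddress.IPv4Network(raw, strict=True))
    if not nets:
        raise ValueError("refusing to build a record with no ip4 mechanisms")
    terms = [f"ip4:{n.network_address}" if n.prefixlen == 32 else f"ip4:{n}"
             for n in sorted(nets)]
    return f"{domain}=>v=spf1 {' '.join(terms)} -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(entry, client_ip):
    """Left-to-right evaluation of ip4/all terms only; no DNS lookups."""
    record = entry.partition("=>")[2] or entry
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.IPv4Address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.IPv4Network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            # mx, a, include etc. need DNS and are outside this sketch
            raise ValueError(f"mechanism not handled here: {mech}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"

# Constructed sender list: 66.52.2.3 is from the thread, the rest are
# documentation-range placeholders; the duplicate is dropped.
SENDERS = ["66.52.2.3", "198.51.100.7", "192.0.2.0/24", "66.52.2.3"]
ENTRY = build_override("efax.com", SENDERS)

if __name__ == "__main__":
    print(ENTRY)
    for ip in ("66.52.2.3", "203.0.113.9"):
        print(ip, evaluate(ENTRY, ip))
```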