[Assp-test] How did this pass SPF?

Fri, 22 Sep 2023 11:41:45 -0700

I received a spam mail spoofing Intuit. While I have Intuit whitelisted I don't understand how it passed SPF check.
Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com info: enhanced Originated IP detection found IP's: 81.17.120.4 Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com info: detected IP's on the mail routing way: 81.17.120.4 Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com info: detected source IP: 81.17.120.4 Sep-22-23 11:15:20 [Worker_1] dmil...@amfes.com matches dmil...@amfes.com in LocalAddresses_Flat Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com info: domain intuit.com has published a DMARC record Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com blockspf Regex: blockstrictSPFRe 'intuit.com' Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com [scoring] SPF: none ip=81.17.120.110 mailfrom=no_re...@quickbooks.intuit.com helo=bst63.us Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com warning: got SPF-result 'none' for a strictly checked domain - check your DNS server and/or strictSPFRe , blockstrictSPFRe or clear the SPFCache Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com [Plugin] calling plugin ASSP_AFC Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com whitelisted (no bad attachments) Sep-22-23 11:15:20 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com [Plugin] calling plugin ASSP_Razor Sep-22-23 11:15:21 06519-09846 [Worker_1] [TLS-in] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com [Plugin] calling plugin ASSP_DCC Sep-22-23 11:15:25 06519-09846 [Worker_1] [TLS-in] [MessageOK] 81.17.120.110 <no_re...@quickbooks.intuit.com> to: dmil...@amfes.com message ok - (whiteListedDomains 'intuit.com') - [You have successfully invited a new company admin to your QuickBooks online account] -> notspam/9846--134226.eml 

--
Daniel

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test














    











					Reply via email to