read RFC 7208 section 2.2 to 2.4
https://tools.ietf.org/html/rfc7208#section-2.2
The SPF is done for the envelope sender (mail from:) - not for any sender
published in the MIME header.
However, assp has an option to do an additional SPF check for the From:
MIME header (DoSPFinHeader).
NOTICE: using this check is NOT RFC compliant!!!
Thomas
From: "Haris Alatas" <ha...@crack.gr>
To: assp-user@lists.sourceforge.net
Date: 07.06.2018 12:02
Subject: [Assp-user] Epic SPF failure on SCAM mail!
Hello list. I have this header file and I am looking at it like an idiot,
not knowing what to do to fix it:
Return-Path: <f...@bridgeportdocks.com>
Delivered-To: geo...@myclient.gr
Received: from virgo.mycompany.gr
by virgo.myip.gr with LMTP id UIhrFgjxC1sGYAAAO5TXtA
for <geo...@mycient.gr>; Mon, 28 May 2018 15:07:36 +0300
Return-path: <f...@bridgeportdocks.com>
Envelope-to: geo...@myclient.gr
Delivery-date: Mon, 28 May 2018 15:07:36 +0300
Received: from [127.0.0.1] (port=51207
helo=p3plwbeout02-04.prod.phx3.secureserver.net)
by virgo.mycompany.gr with esmtps
(TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.89_1)
(envelope-from <f...@bridgeportdocks.com>)
id 1fNGw3-000BbH-0P
for geo...@myclient.gr; Mon, 28 May 2018 15:07:36 +0300
X-Assp-ID: virgo.mycompany.gr id-09254-03731
X-Assp-Session: 7F7E6942D068 (mail 1)
X-Assp-Envelope-From: f...@bridgeportdocks.com
X-Assp-Intended-For: geo...@myclient.gr
X-Assp-Original-Subject: PENDING INVOICES!
X-Assp-Version: 2.5.6(17281) on virgo.mycompany.gr
X-Assp-Client-TLS: yes
X-Assp-Server-TLS: yes
X-Assp-Message-Score: -2 (SSL-TLS-connection-OK)
X-Assp-IP-Score: -2 (SSL-TLS-connection-OK)
X-Assp-Delay: not delayed (72.167.218.97 in noDelay ); 28 May 2018
15:07:34 +0300
X-Assp-Received-SPF: none (cache) ip=72.167.218.97
mailfrom=f...@bridgeportdocks.com
helo=p3plwbeout02-04.prod.phx3.secureserver.net
X-Original-Authentication-Results: virgo.mycompany.gr; spf=none
X-Assp-Message-Score: 10 (SPF none)
X-Assp-IP-Score: 10 (SPF none)
X-Assp-Re-bombSubjectRe: PB 7: for PENDING INVOICES!
X-Assp-Message-Score: 7 (BombSubjectRe 'PENDING INVOICES!')
X-Assp-IP-Score: 7 (BombSubjectRe 'PENDING INVOICES!')
X-Assp-Spam-Level: ****
Received: from p3plsmtp02-04-2.prod.phx3.secureserver.net ([72.167.218.97]
helo=p3plwbeout02-04.prod.phx3.secureserver.net) by
virgo.mycompany.gr with SMTPS(TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256)
(2.5.6); 28 May 2018 15:07:33 +0300
Received: from p3plgemwbe02-04.prod.phx3.secureserver.net
([72.167.218.14])
by :WBEOUT: with SMTP
id NGvUf20GqMf6rNGvUfms8y; Mon, 28 May 2018 05:07:00 -0700
X-SID: NGvUf20GqMf6r
Received: (qmail 30320 invoked by uid 99); 28 May 2018 12:07:00 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 105.112.33.37
User-Agent: Workspace Webmail 6.9.12
Message-Id:
<20180528050656.7edd7821772e7dc5cc96ba463f3c961d.7b6508b5f4....@email02.godaddy.com>
From: "Brad Neil" <bradn...@thesender.com>
X-Sender: f...@bridgeportdocks.com
Reply-To: "Brad Neil" <salesdiirec...@outlook.com>
To:
Subject: PENDING INVOICES!
Date: Mon, 28 May 2018 05:06:56 -0700
As you can see, the SPF check was done on the mailfrom=f...@bridgeportdocks.com
domain and not on the From: "Brad Neil" <bradn...@thesender.com> which
is the right SPF record.
This yielded zero SPF record for bridgeportdocks.com which was wrong
because thesender.com had a very good -all SPF record!
Why did this happen? How can I prevent it in the future?
Also is there a check to score mails that are spoofed like this?
Different mailfrom and From headers.
Best regards
Haris Alatas
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
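The check asked about in the thread (envelope sender versus the From: and Reply-To: headers) can be sketched as follows. This is an added example, not code from the thread or from ASSP; the function names, the finding labels and the sample headers are constructed for illustration, and the two-label `org_domain` is a simplifying assumption.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers (not the message from the thread): the envelope
# sender, the visible From: and the Reply-To: all use different domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example>
From: "Accounts" <billing@brand.example>
Reply-To: "Accounts" <accounts@freemail.example>
Subject: PENDING INVOICES!

body
"""

def domain_of(addr):
    """Lower-cased domain of an address, or '' for an empty/null sender."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def org_domain(domain):
    """Naive organizational domain: the last two labels.
    Assumption for this example; real code needs the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def sender_mismatch(raw, strict=False):
    """Compare the SPF identity (envelope sender) with the header identities."""
    msg = message_from_string(raw)
    env = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    froms = [domain_of(a) for _, a in getaddresses(msg.get_all("From", []))]
    replies = [domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", []))]
    norm = (lambda d: d) if strict else org_domain
    findings = []
    if len(froms) != 1 or not froms[0]:
        findings.append("from-header-missing-or-multiple")
    elif not env:
        # Bounces use MAIL FROM:<>; SPF then falls back to the HELO identity.
        findings.append("null-envelope-sender")
    elif norm(env) != norm(froms[0]):
        findings.append("envelope-from-differs-from-header-from")
    if any(r and froms and norm(r) != norm(froms[0]) for r in replies):
        findings.append("reply-to-differs-from-header-from")
    return {"envelope": env, "from": froms, "reply_to": replies,
            "findings": findings}

if __name__ == "__main__":
    print(sender_mismatch(SAMPLE))
```

A mismatch on its own is common in legitimate mail (mailing lists, bulk senders), so a finding like this is better used as one score contribution than as a reject rule.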