http://bugs.exim.org/show_bug.cgi?id=996

Summary: SPF checks work sometimes, but not always
Product: Exim
Version: 4.69
Platform: x86
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Delivery in general
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

First things first:

bash$ exim -bV
Exim version 4.69 #1 built 16-Mar-2009 14:44:43
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (February 22, 2005)
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS Experimental_DomainKeys
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz passwd
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf

Now, the weird behaviour I am seeing:

By grepping in my cPanel's (v.11) exim_mainlog, I can see that the SPF checks I added for my company's domain (semantix.gr) are working:

bash$ sudo grep -i spf /var/log/exim_mainlog | grep ttsiod
2010-06-03 05:48:54 H=(212.113.232.115) [212.113.232.115] F=<[email protected]> rejected RCPT <[email protected]>: SPF: 212.113.232.115 is not allowed to send mail from semantix.gr
...

That is, someone tried to send mail with a forged "from" that supposedly came from my account at my company, but the SPF check stopped it in its tracks (the valid MX addresses are reported in the SPF part of the DNS record for "semantix.gr", and do not include "212.113.232.115").

However, some of these mails, with "forged froms" that supposedly originate from my company, DO pass Exim's SPF checks:

2010-06-05 10:23:48 1OKuHr-00025w-TD H=cuscon77544.tstt.net.tt (cuscon79293.tstt.net.tt) [190.58.182.10] Warning: "SpamAssassin as semantix detected message as NOT spam (-1.1)"
2010-06-05 10:23:48 1OKuHr-00025w-TD <= [email protected] H=cuscon77544.tstt.net.tt (cuscon79293.tstt.net.tt) [190.58.182.10] P=smtp S=1334
2010-06-05 10:23:49 1OKuHr-00025w-TD => ttsiodras <[email protected]> R=virtual_user T=virtual_userdelivery
2010-06-05 10:23:49 1OKuHr-00025w-TD Completed

Exim says in the log that the mail's "From" was "[email protected]" - but in fact, the actual spam I received has these headers, impersonating myself sending to myself, with "[email protected]" only referred to in the "Return-path"... (Does this mean that Exim uses "Return-path" instead of "From" during the SPF checks? If so, why? If it were using the "From" it would be clear that this is a fraudulent message...)

Here are the actual headers of the message, as received in my Thunderbird:

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sat, 05 Jun 2010 10:23:49 -0400
Received: from cuscon77544.tstt.net.tt ([190.58.182.10] helo=cuscon79293.tstt.net.tt)
	by vz104.securenet-server.net with smtp (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1OKuHr-00025w-TD
	for [email protected]; Sat, 05 Jun 2010 10:23:48 -0400
From: <[email protected]>
To: <[email protected]>
Subject: International Real Estate Consulting Company needs local representation
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.1
...

Any help/advice most welcome.
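The question raised in the report turns on which identity SPF evaluates: SPF (RFC 4408) is checked against the SMTP envelope sender (the MAIL FROM that Exim logs as envelope-from and later writes into Return-path) and the HELO name, never against the RFC 2822 From: header, so a message whose From: is forged but whose envelope sender is permitted by that domain's record will pass. The following Python script is an added example, not code from the bug report or from Exim itself; the message headers, the sender domain and the SPF record it evaluates are all constructed, and the evaluator understands only ip4 and all terms.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the DNS TXT lookup on the envelope sender's domain.
FAKE_DNS_SPF = {"example.org": "v=spf1 ip4:203.0.113.0/24 -all"}

# Constructed headers laid out like the report's; the envelope sender and the
# From: header deliberately name different mailboxes.
SAMPLE = """\
Return-path: <user@example.org>
Received: from host.example.net ([198.51.100.10] helo=host.example.net)
\tby mx.example.org with smtp (Exim 4.69)
\t(envelope-from <user@example.org>)
From: "Someone Else" <boss@example.org>
To: <user@example.org>
"""


def parse_identities(raw):
    """Pull the client IP, envelope sender and header From out of a message."""
    msg = message_from_string(raw)
    received = msg.get("Received", "")
    ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", received)
    env = re.search(r"envelope-from <([^>]*)>", received)
    return {
        "client_ip": ip.group(1) if ip else None,
        "envelope_from": env.group(1) if env else None,
        "header_from": parseaddr(msg.get("From", ""))[1],
    }


def spf_check(ip, sender, dns=FAKE_DNS_SPF):
    """Verdict from connecting IP and envelope sender only (ip4/all terms)."""
    domain = sender.rpartition("@")[2].lower()
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:") and
                             addr in ipaddress.ip_network(mech[4:], strict=False)):
            return results[qual]
    return "neutral"
```

Running parse_identities(SAMPLE) and feeding client_ip and envelope_from to spf_check shows the verdict is produced without header_from ever being looked at; a header From: check is the job of a separate alignment step such as DMARC, not of SPF.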
