On 10/6/2015 1:38 PM, Alex wrote:

Hi,

I've received a handful of messages that appear to be Facebook
notifications, but fail SPF. They otherwise look completely legit -
links to profiles, only URLs to facebook.com and CDN caching sites,
and even appear to have been routed through Facebook's outgoing mail.
All of that could be faked, but it would mean the payload is in the
actual Facebook profiles themselves. Has anyone else found this to be
the case?

http://pastebin.com/jE8G5LXJ

Thanks,
Alex

I would say that because it passes DKIM with a signature from
facebookmail.com, it's likely legitimate and they just suck at SPF
(wouldn't be the first time a multi-billion dollar company can't get
anti-forgery right). The rDNS of cox.net seems odd for a CDN, but
there's not really any standard and I don't know offhand if that's the
hostname format they use or not.
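
Added example, not part of the original thread: a sketch of the check the reply reasons through, reading an `Authentication-Results` header and asking whether a passing DKIM signature is aligned with the From domain even though SPF failed (the either-one-aligned rule is the one DMARC uses). The header, the `mx.example.net` authserv-id, the selector and the function names are constructed for illustration, and alignment is approximated by a subdomain match instead of a Public Suffix List lookup.

```python
import re

# Constructed sample header value (not taken from the pastebin in the thread).
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; "
    "spf=fail (sender not permitted) smtp.mailfrom=notification@facebookmail.com; "
    "dkim=pass header.d=facebookmail.com header.s=s1024"
)

def parse_auth_results(value):
    """Return [(method, result, props)] from an Authentication-Results value."""
    value = re.sub(r"\([^()]*\)", "", value)       # drop parenthesised comments
    results = []
    for part in value.split(";")[1:]:              # element 0 is the authserv-id
        part = part.strip()
        m = re.match(r"(\w+)=(\w+)", part)
        if not m:
            continue                               # e.g. a bare "none"
        props = dict(re.findall(r"([\w.-]+)=(\S+)", part[m.end():]))
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return results

def aligned(domain, from_domain):
    """Approximate relaxed alignment: same domain or a parent/child of it.
    Assumption: a real implementation compares organizational domains via the PSL."""
    a, b = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def assess(auth_results, from_domain):
    """Report which passing mechanisms actually vouch for the From domain."""
    spf_ok = dkim_ok = False
    for method, result, props in parse_auth_results(auth_results):
        if result != "pass":
            continue
        if method == "spf":
            mailfrom = props.get("smtp.mailfrom", "")
            spf_ok = spf_ok or aligned(mailfrom.rpartition("@")[2], from_domain)
        elif method == "dkim":
            dkim_ok = dkim_ok or aligned(props.get("header.d", ""), from_domain)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "authenticated": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(assess(SAMPLE_AUTH_RESULTS, "facebookmail.com"))
```

A DKIM pass only counts here when `header.d` matches the visible From domain; a pass for an unrelated signing domain says nothing about who the message claims to be from.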