SPF Testing and Spoofing

Junior Member
Posts: 37
Joined: Sat Mar 15, 2008 12:13 pm

SPF Testing and Spoofing

Postby ccsliinc » Fri Sep 30, 2016 12:07 pm

Hello,

This is an email that was filtered through eWall. We have our SPF check on, amongst other filters. Why did this email pass testing? It was sent through an account dagrinch@outtatownas.com out of GoDaddy, but when the recipient received the mail, the From address was a local employee's email, with the X-Sender as the fake email. Also, the Reply-To was different, which further causes issues. So where was the problem with this message? Why wasn't it filtered properly?

EWall Log
2016-09-29 13:35:37   2326   125   Stop event filters
2016-09-29 13:35:37   2326   219   Connected to mail1.*********.com:25
2016-09-29 13:35:37   2326   312   <-- 220 EX1.*********.local Microsoft ESMTP MAIL Service ready at Thu, 29 Sep 2016 13:35:37 -0400
2016-09-29 13:35:37   2326   406   --> EHLO p3plwbeout21-06.prod.phx3.secureserver.net
2016-09-29 13:35:37   2326   500   <-- 250-EX1.*********.local Hello [70.35.204.155]
2016-09-29 13:35:37   2326   500   <-- 250-SIZE 36700160
2016-09-29 13:35:37   2326   500   <-- 250-ENHANCEDSTATUSCODES
2016-09-29 13:35:37   2326   500   <-- 250-8BITMIME
2016-09-29 13:35:37   2326   500   <-- 250 OK
2016-09-29 13:35:37   2326   594   --> MAIL FROM:<dagrinch@outtatownas.com> SIZE=1166
2016-09-29 13:35:37   2326   687   +Filter: "SPF Test"
2016-09-29 13:35:37   2326   765   SPF result: NONE
2016-09-29 13:35:37   2326   765   +Filter: "Block bad senders"
2016-09-29 13:35:37   2326   765   <-- 250 2.1.0 Sender OK
2016-09-29 13:35:37   2326   859   --> RCPT TO:<madel@************.com>
2016-09-29 13:35:38   2326   984   +Filter: "Block harvesters"
2016-09-29 13:35:38   2326   984   +Filter: "Whitelist Recipients", skip for this listener
2016-09-29 13:35:38   2326   984   +Filter: "Open relay prevention"
2016-09-29 13:35:38   2326   984   <-- 250 2.1.5 Recipient OK
2016-09-29 13:35:38   2326   1078   --> DATA
2016-09-29 13:35:38   2326   1078   <-- 354 OK, send.
2016-09-29 13:35:38   2326   1172   Message size: 1.14 KB
2016-09-29 13:35:38   2326   1172   Subject: RE: Available
2016-09-29 13:35:38   2326   1172   +Filter: "Message Sniffer"
2016-09-29 13:35:38   2326   1219   Message Sniffer result: 0
2016-09-29 13:35:38   2326   1219   +Filter: "SURBL Test"
2016-09-29 13:35:38   2326   1219   +Filter: "Attachment filter"
2016-09-29 13:35:38   2326   1219   +Filter: "Archive filter"
2016-09-29 13:35:38   2326   1219   +Filter: "AVG 2011-2013"
2016-09-29 13:35:38   2326   1297   Mail server accepted data transfer
2016-09-29 13:35:38   2326   1594   <-- 250 2.6.0 <20160929103535.55fda8f0c8708382ebd8dfd184556f32.74721fa24b.wbe@email21.godaddy.com> [InternalId=36966783516858, Host
2016-09-29 13:36:19   2326   41906   !Error: client timeout: 40 sec
2016-09-29 13:36:19   2326   41953   Disconnect


Message Header
Received: from EX1.**********.local (10.43.1.242) by
 EX1.**********.local (10.43.1.242) with Microsoft SMTP Server (TLS) id
 15.0.1178.4; Thu, 29 Sep 2016 13:35:39 -0400
Received: from p3plwbeout21-06.prod.phx3.secureserver.net (70.35.204.155) by
 EX1.**********.local (10.43.1.242) with Microsoft SMTP Server id
 15.0.1178.4 via Frontend Transport; Thu, 29 Sep 2016 13:35:38 -0400
Received: from localhost ([68.178.252.7])
   by p3plwbeout21-06.prod.phx3.secureserver.net with bizsmtp
   id pVbd1t0020ALNZg01VbdCt; Thu, 29 Sep 2016 10:35:37 -0700
X-SID: pVbd1t0020ALNZg01
Received: (qmail 24478 invoked by uid 99); 29 Sep 2016 17:35:37 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 196.53.53.213
User-Agent: Workspace Webmail 6.5.0
Message-ID: <20160929103535.55fda8f0c8708382ebd8dfd184556f32.74721fa24b.wbe@email21.godaddy.com>
From: Jeffrey Hirs <jhirs@**********.com>
X-Sender: dagrinch@outtatownas.com
Reply-To: Jeffrey Hirs <jhirs@yopmail.com>
To: <madel@**********.com>
Subject: RE: Available
Date: Thu, 29 Sep 2016 10:35:35 -0700
MIME-Version: 1.0
Return-Path: dagrinch@outtatownas.com
X-MS-Exchange-Organization-AuthSource: EX1.**********.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-Network-Message-Id: 9791a154-234b-4c2d-583f-08d3e88f0772
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: SPF Testing and Spoofing

Postby Alexander Telegin » Mon Oct 10, 2016 2:54 am

SPF only works for domains that don't want to be spoofed and publish an SPF (Sender Policy Framework) record. Obviously, the domain outtatownas.com has no SPF record.

Junior Member
Posts: 37
Joined: Sat Mar 15, 2008 12:13 pm

Re: SPF Testing and Spoofing

Postby ccsliinc » Thu Oct 13, 2016 2:03 pm

What I am asking is how to avoid this. Why is it testing the X-Sender and not the From address? Is there a way to fix this, as this is becoming a much larger issue? The sender and the Reply-To are different, but it looks as though the message comes internally.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: SPF Testing and Spoofing

Postby Alexander Telegin » Wed Oct 19, 2016 9:35 pm

The problem is that the original SPF filter works at the OnSender event. The message data is not available at that time. You could try to import the SPF test (OnMessage) filter and use it instead. Go to Filters -> New from Repository -> Import -> navigate to the /api folder and import the SPF OnMessage filter.
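To make concrete what the two replies above describe, the following is an added example (not eWall's own code or any of its repository filters). It models the difference between an OnSender check, which sees only the envelope MAIL FROM, and an OnMessage check, which also sees the header From and Reply-To, using the envelope and headers from the original post. The domain the forum masked with asterisks is replaced by the placeholder example.com, the DNS table is a constructed stand-in (outtatownas.com has no entry, matching the statement that it publishes no SPF record, and the other records are assumptions), and the SPF evaluator is a deliberately simplified one that handles only ip4 and all mechanisms.

```python
"""OnSender vs OnMessage view of the message in the thread.

Added example, not eWall code.  The masked recipient domain is replaced by
``example.com``; DNS data and the SPF evaluator are simplified stand-ins.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups.  outtatownas.com has no entry,
# as the thread says it publishes no SPF record.  The two records below are
# assumptions made for the example only.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:10.43.1.242 ip4:203.0.113.0/24 -all"],
    "bulk.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

LOCAL_DOMAIN = "example.com"  # the recipient organisation (masked on the page)

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address or mailbox."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def check_spf(client_ip: str, sender_domain: str) -> str:
    """Minimal SPF evaluation over DNS_TXT: only ip4:<net> and all are handled.
    Returns one of none / pass / fail / softfail / neutral."""
    records = [r for r in DNS_TXT.get(sender_domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"  # no record at all: SPF makes no statement about the sender
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def on_sender(client_ip: str, mail_from: str) -> str:
    """What an OnSender filter can do: only the envelope sender is known yet."""
    return check_spf(client_ip, domain_of(mail_from))


def on_message(client_ip: str, mail_from: str, raw_headers: str) -> dict:
    """What an OnMessage filter can additionally see once DATA has arrived:
    the header From and Reply-To, and whether they line up with the envelope."""
    msg = message_from_string(raw_headers)
    env_domain = domain_of(mail_from)
    hdr_domain = domain_of(msg["From"])
    spf = check_spf(client_ip, env_domain)
    # The case from the thread: the header From claims the local domain, but
    # the message was not sent from a host the local domain's SPF authorises.
    authorised_local = spf == "pass" and env_domain == LOCAL_DOMAIN
    return {
        "spf": spf,
        "envelope_domain": env_domain,
        "header_from_domain": hdr_domain,
        "reply_to_domain": domain_of(msg["Reply-To"]) if msg["Reply-To"] else None,
        "aligned": env_domain == hdr_domain,
        "spoofs_local_domain": hdr_domain == LOCAL_DOMAIN and not authorised_local,
    }


# Constructed from the log and header dump in the thread (masked domain -> example.com).
CLIENT_IP = "70.35.204.155"
MAIL_FROM = "dagrinch@outtatownas.com"
HEADERS = """\
From: Jeffrey Hirs <jhirs@example.com>
X-Sender: dagrinch@outtatownas.com
Reply-To: Jeffrey Hirs <jhirs@yopmail.com>
To: <madel@example.com>
Subject: RE: Available
Return-Path: dagrinch@outtatownas.com

"""

if __name__ == "__main__":
    print("OnSender SPF result:", on_sender(CLIENT_IP, MAIL_FROM))
    for key, value in on_message(CLIENT_IP, MAIL_FROM, HEADERS).items():
        print(f"{key:>20}: {value}")
```

Run stand-alone, the OnSender check reproduces the log's "SPF result: NONE": the envelope domain publishes no record, so a rule that only blocks on FAIL lets the message through. The OnMessage view shows why it looked internal: the header From is the local domain while the envelope domain is external and unauthenticated, and the Reply-To points somewhere else again.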

Junior Member
Posts: 37
Joined: Sat Mar 15, 2008 12:13 pm

Re: SPF Testing and Spoofing

Postby ccsliinc » Thu Oct 20, 2016 11:19 pm

Thank you. I will try this.
