How is spoofed email getting past SPF?

How is spoofed email getting past SPF? sjmp 5/2/12 9:31 AM
SPF is enabled - how does an email get through

180.94.157.12 - w/ hyperlinks to view/pay bill going back to http://easycompvha.com.br/oLd0wBqV/index.html

How does this crap, which is the most obvious spam, get through?
Re: How is spoofed email getting past SPF? sjmp 5/2/12 9:49 AM
Below is the header - can you please explain how I received this email? I was not on the To list - either in the email or in the header. But it was successfully delivered to me.

Received: from psmtp.com (74.125.149.50) by MAIL.gr.com
 (192.168.2.34) with Microsoft SMTP Server id 14.1.355.2; Wed, 2 May 2012
 07:44:05 -0400
Received-SPF: none (google.com: wAccoun...@verizonwireless.com does not designate permitted sender hosts) client-ip=180.94.157.12;
Received: from nz157l12.bb18094.ctm.net ([180.94.157.12]) by
 na3sys009amx210.postini.com ([74.125.148.11]) with SMTP; Wed, 02 May 2012
 04:44:04 PDT
Received: from [207.31.74.55] (helo=ktjzhhqbjwrp.syvzkorw.biz) by
 nz157l12.bb18094.ctm.net with esmtpa (Exim 4.69) (envelope-from ) id
 1MMKJQ-2919ki-MI for jben@ gr.com; Wed, 2 May 2012 19:46:05
 +0800
Date: Wed, 2 May 2012 19:46:05 +0800
From: "Accoun...@verizonwireless.com" <wAccoun...@verizonwireless.com>
X-Mailer: The Bat! (v2.00.6) Personal
X-Priority: 3 (Normal)
To: <jben@ gr.com >, <jdar@ gr.com >,
 <nmy@ gr.com >
CC: <rf@ gr.comm>, <tim@ gr.com>
Subject: Your Bill Is Now Available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7BIT
X-pstn-neptune: 16/15/0.94/100
X-pstn-levels: (S:54.07093/99.90000 CV:99.9000 FC:95.5390 LC:93.6803 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
Message-ID: <2615178024851990087553411799664@psmtp.com>
Return-Path: wAccoun...@verizonwireless.com
X-MS-Exchange-Organization-AuthSource: MAIL02. gr.com
X-MS-Exchange-Organization-AuthAs: Anonymous
Re: How is spoofed email getting past SPF? FrankM Forums-TC 5/2/12 9:50 AM
Have to ask, since no header was provided. Did the email actually go through Postini?  Did you run the header through the Postini header tool? 
Re: How is spoofed email getting past SPF? FrankM Forums-TC 5/2/12 11:46 AM
Did you enter this header into the Postini header analyzer? The user settings are not listed, most likely due to being sent BCC and SPF only works for registered users. I'll assume the catch-22 is, that Postini needs to see the user to apply the SPF filtering. I would verify this with support. 
Re: How is spoofed email getting past SPF? sjmp 5/2/12 12:03 PM
But it was delivered to everyone in the TO and CC as well. All of them were delivered. 
Re: How is spoofed email getting past SPF? sjmp 5/2/12 12:10 PM
The header tool does not tell me anything that is useful in correcting the problem. I need Postini to recognize that verizonwireless and the sending IP are not the same. That should be pretty basic spam filtering. SPF is enabled, so how does this crap still get through? All of the hyperlinks in the message are directed to another site.... this is as basic as it gets.

And if all the spam needs to do is add all recipients to BCC to bypass SPF? 

How did it get to all other users on TO and CC - they are registered. Doesn't matter, it should never get past my first point. IP of origination is not valid for the domain of the sending email address. That's it... forged email, drop as spam.
Re: How is spoofed email getting past SPF? FrankM Forums-TC 5/2/12 1:47 PM
You asked why did you get the message, that's what I answered. What are the settings for SPF that you have set? I agree that all email should be subject to the SPF filtering rules and not just registered users. 

In checking the MX for gr.com, there are no Postini MX records listed. 

1 aspmx.l.google.com. [TTL=3600] IP=209.85.225.27 (No Glue) [TTL=293] [US]
5 alt1.aspmx.l.google.com. [TTL=3600] IP=173.194.76.27 (No Glue) [TTL=293] [US]
5 alt2.aspmx.l.google.com. [TTL=3600] IP=173.194.73.27 (No Glue) [TTL=293] [US]
10 aspmx2.googlemail.com. [TTL=3600] IP=74.125.43.27 (No Glue) [TTL=1526] [US]
10 aspmx3.googlemail.com. [TTL=3600] IP=74.125.127.27 (No Glue) [TTL=1526] [US]
20 aspmx4.googlemail.com. [TTL=3600] IP=173.194.78.27 (No Glue) [TTL=1902] [US]
20 aspmx5.googlemail.com. [TTL=3600] IP=74.125.157.27 (No Glue) [TTL=1902] [US]
Re: How is spoofed email getting past SPF? sjmp 5/3/12 7:44 AM
Are you serious, Frank? I am not posting our domain name on a public forum. Just answer the questions.

Registered users got the emails.
SPF is set for Reject/Fail. Disable/Soft

This email is a Fail - it should have been rejected. At least quarantined. It was delivered.

From the header: "Received-SPF: none (google.com: wAccoun...@verizonwireless.com does not designate permitted sender hosts) client-ip=180.94.157.12"

Re: How is spoofed email getting past SPF? FrankM Forums-TC 5/3/12 8:35 AM
Why the messages were delivered when SPF was set to hard fail, is a question you may need to ask support. Support will need the headers of messages that did not meet the SPF filter settings. SPF filtering will only apply to registered users and by all means, these registered users should not have received the message. 
Re: How is spoofed email getting past SPF? sjmp 5/3/12 12:06 PM
All 6 registered users received it. How do I contact support? Again - I will not be able to post headers on a public domain.
Thanks,
Re: How is spoofed email getting past SPF? sjmp 5/3/12 1:52 PM
Another header of an email that Postini passed through:

Received: from psmtp.com (74.125.149.116) by mail.mydomain.com
 (192.168.2.34) with Microsoft SMTP Server id 14.1.355.2; Thu, 3 May 2012
 15:57:32 -0400
Received-SPF: none (google.com: abma...@adicon.net does not designate permitted sender hosts) client-ip=124.124.212.172;
Received: from localhost ([124.124.212.172]) by na3sys009amx232.postini.com
 ([74.125.148.10]) with SMTP; Thu, 03 May 2012 12:57:31 PDT
Date: Fri, 4 May 2012 01:35:20 +0000
From: LinkedIn Email Confirmation <emailc...@linksys.com>
To: "me@" <mydomain.com m...@mydomain.com>
Message-ID: <8644380471.6375885.5486302884195.JavaMail.app@sto2-spa25.prod>
Subject: Please confirm your email address
X-Llinksys-Class: ACCT-ADMIN
X-Llinksys-Template: email_confirm
X-Llinksys-fbl: m-Hello_7MqCuWRWxTh6GsAX_xOgodGn4fqEJ73iNDvqC0oVzeNeZDa3Q5I
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-pstn-levels: (S:90.73234/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-settings: 4 (1.5000:1.5000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <emailc...@linksys.com> [673/27]
Return-Path: abma...@adicon.net
X-MS-Exchange-Organization-AuthSource: mail.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
Re: How is spoofed email getting past SPF? FrankM Forums-TC 5/4/12 3:45 PM
By chance, is linksys.com an approved sender in the Org level approved senders?
Re: How is spoofed email getting past SPF? jconner 7/2/12 2:08 PM
I have had the same issue. I would make sure that your email-enabled groups are covered by Postini as an alias. Also I would make sure Postini is configured to reject email to all unknown users; it will help reduce the amount of these that go through by helping it detect Directory Harvest Attacks. I still occasionally get these to go through.
Re: How is spoofed email getting past SPF? FrankM Forums-TC 7/2/12 3:14 PM
Don't forget spooling is delayed by a minimum of 15 mins, unless you manually spool. The only messages that are spooled are deliverable messages. Quarantined messages are not spooled and are sent directly to quarantine.

During spooling, messages are processed according to these guidelines:

* Messages that successfully passed through mail policies, junk mail filters, and virus scanning are spooled.
* Junk mail and virus-infected messages are not spooled--they are quarantined according to the normal filtering mechanism. Quarantined messages are accessible even if your mail server is down.
* The Blatant Spam Blocking filter rejects blatant spam messages as usual.
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 6:30 AM
sjmp, I feel your pain. I regularly get emails that should be caught by SPF. Here is an example:

Microsoft Mail Internet Headers Version 2.0
Received: from psmtp.com ([10.0.6.1]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.7381);
Tue, 22 Jan 2013 09:14:07 -0500
Received-SPF: none (google.com: some...@palmerteam.com does not designate permitted sender hosts) client-ip=93.89.225.41;
Received: from 93-89-225-41.fbs.com.tr ([93.89.225.41]) by exprod7mx201.postini.com ([64.18.6.10]) with SMTP;
Tue, 22 Jan 2013 08:14:06 CST
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

The email is received as if it comes from google.com but it's tested for SPF as if it comes from palmerteam.com. Why is this?
Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/13 7:32 AM
That is because palmerteam.com does not publish an SPF TXT record and RFC 4408 guidelines say to treat these domains as NONE. Neither Google nor Postini allow for any routing for this disposition, and Postini only provides dispositions for "SoftFail" and "HardFail".
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 7:36 AM
I see that in the message header but why is palmerteam.com tested for SPF when the listed from address is: wmt-n...@google.com. Shouldn't the google.com MX SPF records be tested for the sending IP of this email?
Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/13 8:16 AM
I assumed this was a redacted NDR from Google notifications. Is this the actual header from the message you received from Postini? 
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 8:43 AM
This header information is from one of the messages I have received today. Thus far, I've received 5 of them with this text:

Thank you for taking the time to contact us.
Within two weeks we should be able to provide you with a decision in regard to your question, and we want you to know that we will be giving your question our fullest consideration.
We would like to thank you again for your time and consideration and will be in touch with you as soon as we have some definitive information for you.
Also you can track your request by visiting our SPAMLINK.
Yours very truly, Lizbeth Mckinley.
Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/13 9:08 AM
I'm still not clear where this is coming from. Post the complete header, redacted as needed to show the sender, return path, subject, etc, including the Postini x-pstn headers. 
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 9:25 AM
Here is the header info from one of the emails:

Microsoft Mail Internet Headers Version 2.0
Received: from psmtp.com ([x.x.x.x]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.7381);
Tue, 22 Jan 2013 09:14:07 -0500
Received-SPF: none (google.com: bpal...@palmerteam.com does not designate permitted sender hosts) client-ip=93.89.225.41;
Received: from 93-89-225-41.fbs.com.tr ([93.89.225.41]) by exprod7mx201.postini.com ([64.18.6.10]) with SMTP;
Tue, 22 Jan 2013 08:14:06 CST
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
Date: Tue, 22 Jan 2013 16:21:34 -0800 (PST)
Subject: Consideration
Content-Type: text/html; charset=utf-8
Content-transfer-encoding: 7bit
X-pstn-levels:     (S: 0.03486/98.86938 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 1 skipped:not-enabled
X-pstn-cm-addresses: from <wmt-n...@google.com> (approved)
X-pstn-settings: 5 (2.0000:2.0000) s cv gt3 gt2 gt1 r p m c 
X-pstn-addresses: from <wmt-n...@google.com> forward (user good) [1263/56] 
X-OriginalArrivalTime: 22 Jan 2013 14:14:08.0029 (UTC) FILETIME=[BE0D64D0:01CDF8AA]

Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/13 9:52 AM
Looks like a spoofed google.com address. I would forward this to support and temporarily delete the google.com address as an approved sender. Add the google.com domain as an inbound-sender-specific domain entry in your RPF settings.
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 10:26 AM
I removed the Approved Sender address a little while ago, unfortunately, they're still getting through. I've been sending them to sp...@postini.com.
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 1:18 PM
Ironically, Postini now quarantines my Adwords alerts but lets these fake google.com emails through. :(
Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/13 3:13 PM
How do you have SPF set up? I'll assume you know, SPF only scans for registered users.
Re: How is spoofed email getting past SPF? Gerald Cox 1/22/13 7:15 PM
SPF is enabled and set to quarantine on fails. The header I posted shows that SPF is checked. It passes because there is no SPF set for palmerteam.com

Received-SPF: none (google.com: bpal...@palmerteam.com does not designate permitted sender hosts) client-ip=93.89.225.41;

Although, the from address lists as wmt-n...@google.com.
Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/13 11:03 PM
The problem with the Postini or even Gmail's SPF check, and common among MTAs, is that it does not give an option to quarantine if SPF is not published or otherwise unavailable. I have had many conversations with support about this topic. I feel we should have the option to at least quarantine messages, especially if the SMTP HELO/EHLO check_host fails. Another option would be to create a header content filter on the header line, Received-SPF: none.
Re: How is spoofed email getting past SPF? Gerald Cox 1/23/13 11:55 PM
That doesn't seem to be the issue here. My biggest beef with Postini's implementation of SPF is that I cannot have SPF fail on a mismatch on the "From" header. 
Re: How is spoofed email getting past SPF? Bill @ iscvt.org 1/21/14 1:23 PM
It seems that this is still a problem (1 yr later!) because I'm having the same problem. SPAM is coming to my users' inboxes with a spoofed From: address (our own domain in fact). The problem is that Postini is checking SPF based on the Return-Path:, which is a domain that doesn't publish an SPF record, so the SPF check comes back as "none" and the mail is delivered.

Below is the header...

Bill
--
Received: from psmtp.com (64.18.1.105) by isc-06.obfuscateddomain.com (192.168.11.15)
 with Microsoft SMTP Server id 8.1.436.0; Tue, 21 Jan 2014 13:31:58 -0500
Received-SPF: none (google.com: "Voice Mail_7"@wearitpurple.org does not designate permitted sender hosts) client-ip=176.227.143.182;
Received: from 176-227-143-182.ip.skylogicnet.com ([176.227.143.182]) by
 exprod6mx205.postini.com ([64.18.5.14]) with SMTP; Tue, 21 Jan 2014 10:31:56
 PST
Received: from docs281.obfuscateddomain.com (10.0.0.25) by obfuscateddomain.com (10.0.0.177) with
 Microsoft SMTP Server (TLS) id CI17OV60; Tue, 21 Jan 2014 18:31:56 +0000
Received: from docs0651.obfuscateddomain.com (10.19.10.63) by smtp.obfuscateddomain.com (10.0.0.2)
 with Microsoft SMTP Server id 189ED55C; Tue, 21 Jan 2014 18:31:56 +0000
Date: Tue, 21 Jan 2014 18:31:56 +0000
From: Administrator <do...@obfuscateddomain.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <8GL8XYWHS7DEH9X9R0L3WE2X0XG7VKYJ059DR4@obfuscateddomain.com>
X-Priority: 3 (Normal)
Message-ID: <KKIZVGV5FW8U1POIA6ZCQDSNC76VXM2VZKASQ2@obfuscateddomain.com>
To: <spamm...@obfuscateddomain.com>
Subject: New Voice message  
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_007_OH6RDT8H9VNQCOUEKF3ZQIQSC9IS76Q5K5HM0IQV9998LICZOY2KOA7_"
X-pstn-neptune: 5/5/1.00/100
X-pstn-levels: (S:58.49833/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-settings: 2 (0.5000:0.5000) s cv gt4 gt3 gt2 gt1 r p m c 
X-pstn-addresses: from <do...@obfuscateddomain.com> [224/9] 
Return-Path: "Voice Mail_7"@wearitpurple.org
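
As an added example (not code from this thread, from Postini or from any poster), the two checks discussed above written as a small Python triage routine: FrankM's suggestion of a header content filter on "Received-SPF: none", and Bill's point that the gateway evaluates SPF on the Return-Path domain while the user only sees From:. The gateway name, addresses and IPs in the two sample headers are constructed; the routine uses only the standard library `email` and `re` modules.

```python
import email
import re

# Constructed sample modelled on the redacted "New Voice message" header above:
# SPF ran on the Return-Path domain (no record), while From: shows our own domain.
SPOOFED = """\
Received-SPF: none (gateway.example: "Voice Mail_7"@bulk-sender.example does not designate permitted sender hosts) client-ip=198.51.100.7;
Return-Path: "Voice Mail_7"@bulk-sender.example
From: Administrator <voicemail@ourdomain.example>
To: <someone@ourdomain.example>
Subject: New Voice message
"""

# Constructed legitimate message for comparison: aligned domains and an SPF pass.
CLEAN = """\
Received-SPF: pass (gateway.example: domain of alerts@partner.example designates 203.0.113.5 as permitted sender) client-ip=203.0.113.5;
Return-Path: alerts@partner.example
From: Partner Alerts <alerts@partner.example>
To: <someone@ourdomain.example>
Subject: Weekly report
"""

def spf_result(msg):
    """Keyword at the start of Received-SPF: none, pass, softfail, fail, ..."""
    m = re.match(r"\s*([A-Za-z]+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else "missing"

def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def triage(raw, our_domain):
    """Reasons to quarantine a message; an empty list means no finding."""
    msg = email.message_from_string(raw)
    result = spf_result(msg)
    env_dom = domain_of(msg.get("Return-Path"))
    from_dom = domain_of(msg.get("From"))
    reasons = []
    # The gateway only acts on softfail/fail, so 'none' needs its own rule.
    if result in ("none", "missing"):
        reasons.append(f"spf {result} for envelope domain {env_dom!r}")
    # SPF is evaluated on the envelope sender, but the user only sees From:.
    if env_dom != from_dom:
        reasons.append(f"From {from_dom!r} does not match Return-Path {env_dom!r}")
    # Anything claiming our own domain should at least carry an SPF pass.
    if from_dom == our_domain and result != "pass":
        reasons.append(f"claims {our_domain!r} without an SPF pass")
    return reasons
```

Calling `triage(SPOOFED, "ourdomain.example")` yields three findings, while `triage(CLEAN, "ourdomain.example")` returns an empty list; the mismatch rule is what catches the case the "none" disposition lets through.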

Re: How is spoofed email getting past SPF? FrankM Forums-TC 1/22/14 7:06 AM
Postini (Google) does not allow you to set a parameter to force a "none" SPF result to either quarantine or block, as this is per RFC 4408. We have moved our clients over to another leading provider that allows tighter controls on how SPF is handled.

Otherwise, until you transition (or not) to the new Google Apps version, IP Lock is the best way in Postini to eliminate spoofing of your domain. FYI, the new Google Apps does not have this feature and reverts back to handling SPF as per RFC 4408.

Re: How is spoofed email getting past SPF? Bill @ iscvt.org 1/22/14 7:32 AM
Thanks Frank...  I'll have a look at IP lock.

Out of curiosity, to which "leading provider" are you tending to move your clients?


Bill