Rajesh,

SPF Definition:

"Sender Policy Framework (SPF)

SPF authenticates the envelope HELO and MAIL FROM identities by comparing the sending mail server's IP address to the list of authorized sending IP addresses published by the sender domain's owner in a "v=spf1" DNS record. SPF has succeeded several older envelope sender authentication protocols. Currently SPF is the only widely deployed envelope authentication protocol. For more info about this see the Statistics and Research pages.

Envelope sender authentication protocols like SPF are typically used early during the SMTP transaction, before the bulk of the message (its header and body) is transmitted. All of the following protocols require that an entire message be received before it can be rejected, due to the rules of the SMTP protocol. As a result, SPF continues to be an essential front-line defense against sender address forgery when deploying protection for the header fields and body. By rejecting envelope forgeries early, not only network traffic can be saved but also computing power for further protection measures, thus making the entire process more efficient.

One of the anticipated features of a future version of SPF is a way for domains to publish that they — or even just specific e-mail addresses of theirs — always use some content authentication protocol (see below) like DKIM, S/MIME, or PGP. This will allow receivers to automatically discard unsigned messages from such domains or addresses."

--http://www.openspf.org/Related_Solutions

As an example of SPF checking I'll use your email header sent to the qmailtoaster list that was sent to me as a list member, below:

<SPF Check>
Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by pet105.whitehorsetc.com with SMTP; 30 Aug 2016 12:59:21 -0000
Received-SPF: pass (pet105.whitehorsetc.com: SPF record at _spf.qmailtoaster.com designates 162.213.42.64 as permitted sender)
</SPF Check>

Note especially these two lines:
1) Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
and
2) pass (pet105.whitehorsetc.com: SPF record at _spf.qmailtoaster.com designates 162.213.42.64 as permitted sender)

My original questions were "Are you saying that the spam sender is spoofing the originating IP address?"

and

"Do you have an spf text record set up for domain_on_my_server.com?"

My first question was rhetorical. Your statement "but email is sent not from within my server but from some other external server," indicates the reason for my second question. An SPF record for "mycustomer.com" SHOULD take care of this according to how SPF works. Do you have one (an SPF text record) in the DNS settings for the spoofed domain (mycustomer.com or domain_on_my_server.com)?

Please let me know if I'm missing something. It must be clear to both of us WHAT SPF is checking before we can communicate rationally about it, and I'm not sure we're on the same page yet.

To find out if you have an SPF record for 'mycustomer.com' or 'domain_on_my_server.com' run the following command:

# dig txt mycustomer.com

There should be a line in the output that resembles this:
mycustomer.com. 3600 IN TXT "v=spf1 mx a:mail.mycustomer.com -all"

Eric
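To make concrete what the SPF check above does and does not verify, here is an added example (my own, not from the list thread or qmailtoaster) with a constructed DNS zone: a toy evaluator for a record in the same style as the dig output, `v=spf1 mx a:mail.mycustomer.com -all`, plus a separate alignment check between the header From domain and the envelope MAIL FROM domain that SPF actually authenticated. The alignment test is assumed as a DMARC-style defender check, not part of SPF; spammer.example, executive@mycustomer.com and all IPs are constructed values.

```python
import ipaddress

# Constructed DNS data for a toy zone (not real records). The TXT record is
# the kind of line `dig txt mycustomer.com` would print.
DNS = {
    "TXT": {"mycustomer.com": "v=spf1 mx a:mail.mycustomer.com -all",
            "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all"},
    "MX": {"mycustomer.com": ["mx1.mycustomer.com"]},
    "A": {"mx1.mycustomer.com": ["192.0.2.10"],
          "mail.mycustomer.com": ["192.0.2.11"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Toy SPF evaluator for the mx, a, a:host, ip4: and all mechanisms.
    Returns the result for the connecting IP: pass/fail/softfail/neutral/none."""
    record = DNS["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]        # catch-all, e.g. "-all"
        if mech == "mx":                   # every A of every MX host
            hosts = DNS["MX"].get(arg or domain, [])
            cands = [a for h in hosts for a in DNS["A"].get(h, [])]
        elif mech == "a":                  # A of the domain (or a:host)
            cands = DNS["A"].get(arg or domain, [])
        elif mech == "ip4":
            cands = [arg]
        else:
            continue                       # mechanisms this toy does not model
        if any(ip in ipaddress.ip_network(c, strict=False) for c in cands):
            return QUALIFIERS[qual]
    return "neutral"                       # nothing matched and no "all"

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(mail_from, header_from, client_ip):
    """SPF verdict on the envelope MAIL FROM, plus whether the header From
    domain is aligned with it (assumed DMARC-style check, not part of SPF)."""
    return {"spf": spf_check(domain_of(mail_from), client_ip),
            "aligned": domain_of(mail_from) == domain_of(header_from)}
```

In the spoofing scenario from the thread, SPF on the spammer's own envelope domain passes while the alignment check fails, which is the signal a receiver would need to act on.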

On 8/30/2016 6:57 AM, Rajesh M wrote:
eric

spf checks the envelope sender (reply to) and not the "mailfrom" email id

the spammer is sending an email with "mail from" as some user on my server

example c...@mycustomer.com to emplo...@mycustomer.com

but email is sent not from within my server but from some other external server.

the scammer however has the envelope-sender / reply to as his legitimate email 
id and correctly configured. the qmailtoaster spf check is done not on the 
mailfrom but on the reply-to and the email gets delivered safely to the inbox 
of the employee.

now what happens is that the employee sees that the email is from the ceo and 
immediately takes action which leads to a phishing scam.

i wish to block emails where the mailfrom domain is on my server but the scam 
email is sent by a spammer from an external server posing as 
c...@mycustomer.com ... in other words email spoofing.

thanks,
rajesh

----- Original Message -----
From: Eric [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Sun, 28 Aug 2016 13:03:16 -0600
Subject:

Do you have an spf text record set up for domain_on_my_server.com?
SPF should check the 'a' and 'mx' record for the domain,
domain_on_my_server.com, against the sender IP address (the one that
actually connected to your server). Are you saying that the spam sender
is spoofing the originating IP address?

On 8/28/2016 7:14 AM, Rajesh M wrote:
hi

facing issue with email spoofing

example spammer sends an email with "mailfrom" as : user@domain_on_my_server.com

and the envelope sender is the spammer's email id which has spf records 
correctly in place

and hence spf is not able to catch such spammers.

how do i handle this ?

thanks
rajesh

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com