Re: [mailop] Effectiveness (or not) of SPF
On Sun, Dec 6, 2020 at 7:20 AM Hans-Martin Mosner via mailop <mailop@mailop.org> wrote:
> In addition, manual checks against spam mails from hosts on
> spam-supporting or indifferent network IP ranges show that
> spammers provide SPF records for their domains, of course, so properly
> applied SPF is bound to have a significant
> percentage of false negatives.

I wouldn't call these false negatives, because the objective of SPF is not to prevent spam entirely but simply to authenticate that the sending host is authorized to send for the given domain. In that regard, it's working and you're not seeing false negatives. You're simply receiving spam from spammers using actual spam domains over which they have control, or domains without proper SPF configurations.

SPF is helping prevent spammers from sending email from your domain and my domain and other folks' domains, however, when you and other mail server operators configure things correctly.

Matt Harris | Infrastructure Lead Engineer
816-256-5446 | Direct

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Effectiveness (or not) of SPF
I think the two groups I am monitoring are not interested in horizontal expansion within their target banks, maybe due to the extreme network security of these institutions? Based on my experience, they keep these infected systems as sleepers, not using them for long periods of time.

My guess is that horizontal expansion is more important to organized ransomware operations?

On Sun, 6 Dec 2020 20:03:51 +0100 Thomas Walter via mailop wrote:
> On 06.12.20 19:27, Mary via mailop wrote:
> > Now, having a large list of real email bodies, they re-use them for
> > phishing. They re-send a previously legitimate email but with variations,
> > like replacing attachments.
>
> They can also send mail directly from the inside - without any SPF
> checks in place and quite often without any antispam or antivirus
> measures as long as the email stays on the inside? And use the correct
> user's address?
>
> At least that's what happened here in one incident.
>
> Regards,
> Thomas Walter
Re: [mailop] Effectiveness (or not) of SPF
To be honest, I am just plain lucky in that respect, because I have a senior position that allows me to enforce a few things like:

1) I teach a representative from the organization, who will go ahead and train users, about proper use of email, best practices, so on and so forth.

2) One of those "best practices" is to tell everyone to use a separate yahoo/gmail/whatever account for registering to mailing lists and other types of non-serious, non-business correspondence.

3) Teach them to use disposable email addresses (like https://www.guerrillamail.com/).

So the real business email account stays squeaky clean and I don't have to worry about whatever garbage mail was blocked or not.

Sure, postfix has significant logging and monitoring, in case something happens, at which point we do damage control and take evasive action by using the BOFH excuse board: http://bofh.bjash.com/ExcuseBoard.html :D

On 6 Dec 2020 13:42:47 -0500 John Levine via mailop wrote:
> Don't your users complain about all of the mail they're missing? The
> false positive rate if you block on soft SPF fails is gigantic.
Re: [mailop] Effectiveness (or not) of SPF
On Sun, 2020-12-06 at 14:12 +0100, Hans-Martin Mosner via mailop wrote:
>
> In your experience, where does SPF really help? What are the use cases that I
> don't see in my spam-blocker tunnel vision?

SPF is most useful as a fallback mechanism for DMARC. DKIM checks fail at least occasionally for various reasons. You should have an accurate ~all SPF record to allow the majority of those to pass using SPF. Assuming your ESP allows you to use an aligned envelope sender domain, of course.

I don't think SPF alone has ever been useful for blocking. You can't control who forwards mail to you or which of your recipients forwards their mail elsewhere.
Re: [mailop] Effectiveness (or not) of SPF
On 06.12.20 19:27, Mary via mailop wrote:
> Now, having a large list of real email bodies, they re-use them for phishing.
> They re-send a previously legitimate email but with variations, like
> replacing attachments.

They can also send mail directly from the inside - without any SPF checks in place and quite often without any antispam or antivirus measures as long as the email stays on the inside? And use the correct user's address?

At least that's what happened here in one incident.

Regards,
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/
Re: [mailop] Effectiveness (or not) of SPF
In article you write:
> On Sun 06/Dec/2020 16:32:13 +0100 Mary via mailop wrote:
> > (but I don't agree with point 2. by Paul, I aggressively block SPF fails,
> > even soft errors. If a company doesn't fix their SPF records
> > then I reject all their mail)

Don't your users complain about all of the mail they're missing? The false positive rate if you block on soft SPF fails is gigantic.
Re: [mailop] Effectiveness (or not) of SPF
(long read, take a coffee with you...)

I've been monitoring two very sophisticated groups that mostly target banks around Europe.

Their operation starts by finding real people working at the targeted banks; the next step is to give them a call and ask for their business email address. Their goal is to eventually take over their PC and get access to their email client (via some kind of PDF infected with javascript, or other type of email attachment that exploits some kind of vulnerability).

Apparently they are quite adept at getting information from people via social engineering; they will tell them various excuses that they sent emails that didn't go through and ask for information about the employee's email client (they need this kind of information to prepare their injection exploit).

Once they manage to run a remote access tool of some kind, they use that system to download entire bodies of email (not just addresses). Usually, they avoid reusing that system and keep it for future use.

Now, having a large list of real email bodies, they re-use them for phishing. They re-send a previously legitimate email but with variations, like replacing attachments. Without SPF, the From address makes the fake email pretty legitimate, no matter what the body is all about.

With SPF, these phishing groups got a serious dent in their operations (well, except when some admins don't use SPF, maybe they also don't use masks during a COVID pandemic...)

Anyway, at this point these phishing groups had to improvise, they started using hacked accounts with modifications to the From name, for example:

"John Surname at SecureBank p...@securebank.com"

The idea above is to make the "name" part (between the double quotes) as long as possible, so that the real domain name (hacked.domain.cc) scrolls to the end and "disappears" by the email client, because there is not enough screen space to display the whole thing. A normal person will fall for that technique.

SPF isn't perfect, of course it does not help block spam. The large amounts of spam I see from gmail.com can't be blocked by SPF...

I'd appreciate your comments and your experience with similar incidents.

On Sun, 6 Dec 2020 09:18:37 -0800 Dave Crocker via mailop wrote:
> On 12/6/2020 7:32 AM, Mary via mailop wrote:
> > 5. SPF provides a serious block to phishing attacks.
>
> Given the nature of phishing and, especially, its reliance on the
> message body, rather than on header fields in the message -- nevermind
> the SMTP return address -- it would be interesting to hear the basis for
> your assessment.
>
> d/
>
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
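The display-name trick Mary describes (a long quoted name carrying a look-alike address so the real address scrolls out of view) is something a receiving gateway can flag on its own, independently of SPF. The following is an added example, not code from Mary's post or from any mail filter: it parses the From: header with the standard library, compares any address or domain embedded in the display name against the real addr-spec domain, and flags unusually long display names. The sample headers are constructed, and the 40-character threshold is an assumption to be tuned against local traffic.

```python
import re
from email.utils import parseaddr

# Constructed sample From: header values (no real incident data).
SAMPLE_HEADERS = [
    '"Jane Doe" <jane@example.com>',
    '"John Surname at SecureBank john.doe@securebank.example" <p.kowalski@hacked.example>',
    '"Accounts (securebank.example)" <billing@hacked.example>',
    '"Jane Doe jane@example.com" <jane@example.com>',
]

# An email address embedded in free text; group 1 is its domain part.
ADDR_IN_TEXT = re.compile(r'[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)')
# A bare domain-looking token such as "securebank.example".
DOMAIN_IN_TEXT = re.compile(r'\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b')
# Assumed threshold: long display names push the real address off-screen in many clients.
LONG_NAME = 40


def check_from_header(from_header):
    """Return a list of reason tags for one From: value; empty means nothing looked off."""
    name, addr = parseaddr(from_header)
    actual_domain = addr.rpartition('@')[2].lower()
    reasons = []
    # An address inside the display name whose domain differs from the real one.
    for m in ADDR_IN_TEXT.finditer(name):
        if m.group(1).lower() != actual_domain:
            reasons.append('foreign-address-in-name:' + m.group(0))
    # A bare domain in the display name (checked after embedded addresses are removed).
    for m in DOMAIN_IN_TEXT.finditer(ADDR_IN_TEXT.sub(' ', name)):
        if m.group(1).lower() != actual_domain:
            reasons.append('foreign-domain-in-name:' + m.group(1))
    if len(name) > LONG_NAME:
        reasons.append('long-display-name:%d' % len(name))
    return reasons


def scan(headers):
    """Map each suspicious header to its reasons; clean headers are left out."""
    flagged = {}
    for header in headers:
        reasons = check_from_header(header)
        if reasons:
            flagged[header] = reasons
    return flagged


if __name__ == '__main__':
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print(header)
        for reason in reasons:
            print('   ', reason)
```

The check is deliberately conservative: an address in the display name that matches the real domain (the fourth sample) is not flagged, so ordinary "Name name@domain" signatures pass, while a mismatch or an over-long name is surfaced for scoring or quarantine rather than rejected outright.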
Re: [mailop] Effectiveness (or not) of SPF
On Sun 06/Dec/2020 16:32:13 +0100 Mary via mailop wrote:
> (but I don't agree with point 2. by Paul, I aggressively block SPF fails,
> even soft errors. If a company doesn't fix their SPF records then I reject
> all their mail)

Me too, except if the forwarder is in DNSWL.

Best
Ale
--
Re: [mailop] Effectiveness (or not) of SPF
On 12/6/2020 7:32 AM, Mary via mailop wrote:
> 5. SPF provides a serious block to phishing attacks.

Given the nature of phishing and, especially, its reliance on the message body, rather than on header fields in the message -- nevermind the SMTP return address -- it would be interesting to hear the basis for your assessment.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [mailop] Effectiveness (or not) of SPF
On 6.12.2020 at 14:12:25 Hans-Martin Mosner via mailop wrote:
> night, what I've found is not a single spam mail was held due to SPF fail or
> softfail results, but I learnt of several
> forwarding hosts in use by our users that I was unaware of before, probably
> because they do good inbound spam rejection
> themselves.

Because if you look at the very idea of SPF, it is not to protect from spam. It is not possible to protect from spam by indicating which IPs are allowed to send mail for a given domain, as spam is about the *contents* of the message, and not about where it is sent from. SPF is to protect from *impersonation*, i.e. someone sending mail from a fake address belonging to another domain. In times when it was quite difficult to register a domain, the spammers actually often used fake sender addresses, thus a side effect of SPF could be some protection from spam. But in no way can SPF protect from spammers who register their own domains, which can be done now in an easy and automated way.

Of course SPF breaks forwarding and therefore is a bad idea, but I don't want now to go further on this topic.

> So, there are many more false positives and false negatives than I'm
> willing to accept. But obviously others have different experiences,
> otherwise they would not publish SPF records and check them on mail
> reception.

In my opinion they publish SPF records mostly because Google (and other "big guys") require them to. You can have trouble with your mail being properly delivered to Gmail if you don't publish an SPF record. That's the reason why for example I published an SPF record for my domain after many, many years of staying away from SPF. But I don't SPF check *incoming* mail nor plan to (well, actually, SpamAssassin - which I use - does some SPF checks by default, so I can say that in fact *to some extent* I do SPF checks on incoming mails - but only to increase a little their spam score and not reject them outright).

> In your experience, where does SPF really help? What are the use cases
> that I don't see in my spam-blocker tunnel vision?

In my opinion the only SPF record you should care about is a record that contains "-all" as the *only* item, i.e. it indicates that this domain will never send any mail. Thus you can safely reject all mails claiming to be from this domain. There are *some* domains that publish such SPF records, but there is a small number of them, so I personally don't bother.

For all other SPF records, I would say: just ignore them and use whatever criteria you used already for spam filtering. SPF won't improve the quality of your spam filtering.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] Effectiveness (or not) of SPF
4. The more widespread SPF becomes, the more work spammers need to do. Small spam operations tend to go out of business rather quickly. The very "professional" ones all use proper SPF records.

5. SPF provides a serious block to phishing attacks.

(but I don't agree with point 2. by Paul, I aggressively block SPF fails, even soft errors. If a company doesn't fix their SPF records then I reject all their mail)

On Sun, 6 Dec 2020 14:03:44 + Paul Waring via mailop wrote:
> On Sun, Dec 06, 2020 at 02:12:25PM +0100, Hans-Martin Mosner via mailop wrote:
> > In your experience, where does SPF really help? What are the use cases that
> > I don't see in my spam-blocker tunnel vision?
Re: [mailop] Effectiveness (or not) of SPF
On Sun, Dec 06, 2020 at 02:12:25PM +0100, Hans-Martin Mosner via mailop wrote:
> In your experience, where does SPF really help? What are the use cases that I
> don't see in my spam-blocker tunnel vision?

In my experience:

1. You must have an SPF record in order for the big mail providers to even think about accepting your mail (softfail seems sufficient).

2. It's not worth rejecting incoming mail simply because it fails SPF. There are too many badly configured servers out there - one example I see a lot is where a company has not added their web servers to their SPF record, but they send out transactional emails such as password resets. You end up not receiving mail or trying to convince the company that they should fix their SPF record (to which the response is the same as broken TLS - "problem must be on your end as it works for us").

3. It does seem to be worthwhile having SpamAssassin take SPF failure into account, not as an absolute rejection but as a factor which indicates that the mail might be spam.

--
Paul Waring
Freelance PHP developer
https://www.phpdeveloper.org.uk
[mailop] Effectiveness (or not) of SPF
Hi folks,

due to its negative effects on mail forwarding I've resisted touching SPF for a long time (I know mail users should not simply forward their mail, and the effects can be mitigated with SRS, but some users simply can't be bothered to configure multiple accounts and access them properly in their mail client).

So this weekend, I've implemented an SPF check (with appropriate exceptions for the known forwarding hosts used by our users) into our spam blocking framework. This currently only puts mail on hold, doesn't outright reject it.

After one night, what I've found is not a single spam mail was held due to SPF fail or softfail results, but I learnt of several forwarding hosts in use by our users that I was unaware of before, probably because they do good inbound spam rejection themselves.

The SPF check in our case runs after all the other rules have been exhausted without giving a result, so apparently our current set of rules (blocking dynamic address ranges, known spam supporting ASNs, questionable DNS providers, cloud providers with some whitelisting exceptions) seems to be good enough to catch all or most of the junk.

In addition, manual checks against spam mails from hosts on spam-supporting or indifferent network IP ranges show that spammers provide SPF records for their domains, of course, so properly applied SPF is bound to have a significant percentage of false negatives.

So, there are many more false positives and false negatives than I'm willing to accept. But obviously others have different experiences, otherwise they would not publish SPF records and check them on mail reception.

In your experience, where does SPF really help? What are the use cases that I don't see in my spam-blocker tunnel vision?

Cheers,
Hans-Martin
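Several posts in this thread describe receive-side SPF policy in words: Hans-Martin's known-forwarder exceptions and hold-instead-of-reject, Paul's suggestion to score softfail rather than reject on it, and Jaroslaw's point that the only record worth acting on outright is the null "v=spf1 -all". The following is an added example, written for this page and not code from any poster or from any SPF library, that puts those rules together over a tiny SPF evaluator. The zone, IP addresses (RFC 5737/3849 documentation ranges) and forwarder list are constructed; only the ip4, ip6, include and all mechanisms are modelled, and everything else (a, mx, ptr, exists, redirect) is reported as permerror.

```python
import ipaddress

# Constructed zone data with documentation ranges; no real domains or hosts.
ZONE = {
    "bank.example":     "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
    "nomail.example":   "v=spf1 -all",
    "sloppy.example":   "v=spf1 ip4:203.0.113.10 ~all",
}

# Assumed list of forwarders our users rely on (the "appropriate exceptions" above).
FORWARDERS = {"203.0.113.77"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate the ip4, ip6, include and all terms of a domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    record = zone.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            sub = evaluate_spf(ip, arg, zone, depth + 1)
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"      # including a missing/broken record is fatal
        else:
            return "permerror"          # mechanism not modelled in this example
    return "neutral"                    # record ended without matching "all"


def is_null_spf(record):
    """True for the "this domain never sends mail" record: v=spf1 -all and nothing else."""
    return record.split() == ["v=spf1", "-all"]


def decide(ip, domain, zone=ZONE, forwarders=FORWARDERS):
    """Map an SPF result to a receive-side action as (result, action).

    Known forwarders are exempted first; a hard fail from a null-SPF domain is
    rejected, any other hard fail is held for review, softfail only feeds a score.
    """
    result = evaluate_spf(ip, domain, zone)
    if str(ipaddress.ip_address(ip)) in forwarders:
        return result, "accept"
    if result == "fail":
        return result, "reject" if is_null_spf(zone.get(domain, "")) else "hold"
    if result == "softfail":
        return result, "score"
    return result, "accept"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "bank.example"),
                       ("2001:db8:1::7", "bank.example"),
                       ("203.0.113.77", "bank.example"),
                       ("203.0.113.99", "bank.example"),
                       ("203.0.113.99", "nomail.example"),
                       ("203.0.113.99", "sloppy.example")]:
        print(ip, domain, decide(ip, domain))
```

The forwarder check runs before the result is acted on, which is what keeps the mail discovered in the first night's hold queue flowing; the "hold" action for ordinary hard fails is the conservative default this post describes, and the 203.0.113.99 cases show a hard fail, a null-SPF rejection and a softfail that merely contributes to a score.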