Ah; good eyes! That KAM_FACEBOOK rule is dangerous.
--Jered

----- On Oct 6, 2015, at 4:33 PM, David B Funk dbf...@engineering.uiowa.edu wrote:

> On Tue, 6 Oct 2015, Alex wrote:
>
>> Hi,
>>
>> I've received a handful of messages that appear to be facebook
>> notifications, but fail SPF. They otherwise look completely legit -
>> links to profiles, only URLs to facebook.com and CDN caching sites,
>> and even appears to have been routed through facebook's outgoing mail.
>>
>> All of that could be faked, but it would mean the payload is in the
>> actual facebook profiles themselves. Has anyone else found this to be
>> the case?
>>
>> http://pastebin.com/jE8G5LXJ
>>
>> Thanks,
>> Alex
>
> That's because it's a forwarded message. That message was originally sent from
> FB to "<tom.wil...@cox.net>" and it looks like he's got his '@cox.net' account
> forwarded to "<tom.wil...@example.com>" (for whatever '@example.com' should
> really be).
>
> So that explicit forward breaks the SPF chain, thus triggering that SPF fail.
> The valid DKIM signature indicates that the message is legit.
>
>
> --
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{
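The forwarding case described in this thread (SPF fails at the final hop, the original DKIM signature still verifies) can be told apart from an unauthenticated message by reading the receiving server's `Authentication-Results` header. The sketch below is an added example, not code from the thread or from SpamAssassin; the host `mx.example.net`, the domains `sender.example` and `other.example`, the sample headers and the verdict labels are all constructed, and the alignment check is a simplified stand-in for DMARC relaxed alignment.

```python
import re

# Constructed Authentication-Results values, as a receiving MTA might add them.
FORWARDED = ("mx.example.net; spf=fail (forwarder IP not in sender's SPF record) "
             "smtp.mailfrom=sender.example; dkim=pass header.d=sender.example")
NO_AUTH = "mx.example.net; spf=fail smtp.mailfrom=sender.example; dkim=none"
THIRD_PARTY_SIG = ("mx.example.net; spf=fail smtp.mailfrom=sender.example; "
                   "dkim=pass header.d=other.example")

def parse_auth_results(header):
    """Return [(method, result, {property: value})] for each result clause."""
    header = re.sub(r"\([^)]*\)", " ", header)   # drop parenthesised comments
    clauses = []
    for part in header.split(";")[1:]:           # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        clauses.append((method.lower(), result.lower(), props))
    return clauses

def aligned(signing_domain, from_domain):
    """Simplified alignment: d= equals the From domain or is a parent of it."""
    s = signing_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return bool(s) and (s == f or f.endswith("." + s))

def classify(header, from_domain):
    """Only pass in a header added by your own MTA; others can be forged."""
    clauses = parse_auth_results(header)
    spf = next((r for m, r, _ in clauses if m == "spf"), "none")
    dkim_ok = any(m == "dkim" and r == "pass"
                  and aligned(p.get("header.d", ""), from_domain)
                  for m, r, p in clauses)
    if dkim_ok:
        # The signature covers the message itself, so it survives a forward
        # even though the connecting IP no longer matches the SPF record.
        return "authentic" if spf == "pass" else "authentic-forwarded"
    return "spf-only" if spf == "pass" else "unauthenticated"

if __name__ == "__main__":
    for sample in (FORWARDED, NO_AUTH, THIRD_PARTY_SIG):
        print(classify(sample, "sender.example"))
```

A passing DKIM signature from an unrelated domain does not vouch for the From domain, which is why the third sample is still reported as unauthenticated.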