primexx Posted February 16, 2013 Share Posted February 16, 2013 I've recently been getting a perculiar kind of spam, I'm having a little trouble figuring out why it's avoiding the spam filter. My email setup: I'm using google apps. I have records for SPF (the generic google one), DKIM (unique), and DMARC. My DMARC policy is using default values (but p=quarantine), which uses relaxed alignment mode for both SPF and DKIM as well as letting mail through if either passes (to avoid f/p of forwarding servers). Basically, this new spam claims to come from my own domain, which it obviously isn't. Now usually this wouldn't be a problem since it should fail both SPF and DKIM. But it looks like this breed is passing (or at least not failing) SPF for some reason. I'm referring specifically to "Received-SPF" and "Authentication-Results", which makes it look like they're using a Gmail account to originate the spam, but the Gmail account itself obviously can't spoof email addresses on my domain. Later down it appears that they are, in fact, using a third party sender, but how does it pass SPF? I'm quite confused about this header, could anyone with more experience in this area shed some light as to what's actually happening? Is there any change I can make to the DMARC policy to filter this out? Thanks! Delivered-To: alice@example.comReceived: by 10.223.161.66 with SMTP id q2csp29576fax; Sat, 16 Feb 2013 13:11:56 -0800 (PST)X-Received: by 10.220.116.5 with SMTP id k5mr9087041vcq.55.1361049116195; Sat, 16 Feb 2013 13:11:56 -0800 (PST)Return-Path: <objectivemhg130@gmail.com>Received: from 201-212-133-238.cab.prima.net.ar (201-212-133-238.cab.prima.net.ar. [201.212.133.238]) by mx.google.com with ESMTP id a1si13647855vdk.21.2013.02.16.13.11.54; Sat, 16 Feb 2013 13:11:56 -0800 (PST)Received-SPF: neutral (google.com: 201.212.133.238 is neither permitted nor denied by domain of objectivemhg130@gmail.com) client-ip=201.212.133.238;Authentication-Results: mx.google.com; spf=neutral (google.com: 201.212.133.238 is neither permitted nor denied by domain of objectivemhg130@gmail.com) smtp.mail=objectivemhg130@gmail.comMessage-ID: <511FF607.702010@example.com>Date: Sat, 16 Feb 2013 18:25:48 -0300From: <e6ff223ab782a3d4@example.com>,<alice@example.com>,<alice.deletethis@example.com>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6MIME-Version: 1.0To: <e6ff223ab782a3d4@example.com>,<alice@example.com>,<alice.deletethis@example.com>Subject: Take a spare three-hour work week in our clinic and get 580 dollars.Content-Type: text/plain; charset=UTF-8; format=flowedContent-Transfer-Encoding: 7bit[/CODE] Link to comment Share on other sites More sharing options...
TAZMINATOR Posted February 16, 2013 Share Posted February 16, 2013 It might be this address: objectivemhg130@gmail.com and/ore6ff223ab782a3d4@example.com[/CODE] Which you got this today or yesterday... then next email you will get same address with random numbers such as 145, 160, 134... which is why you still get spam in your inbox. If you want to block them... block them with any words you might find in the body or subject line... such as viagra, so you can add them to your blacklist. Link to comment Share on other sites More sharing options...
sc302 Veteran Posted February 16, 2013 Veteran Share Posted February 16, 2013 I don't know what the default settings are but you may want to look at this http://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_ee_cu/secur_rpf.html Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 17, 2013 MVC Share Posted February 17, 2013 gmail spf is not very locked down, if you check that IP against it - if you check any IP against it comes up as neutral 201.212.133.238 may send in the name of the domain. SPF check start.Domain: gmail.com [*]Getting SPF (TXT) record. [*]Found SPF record. [*]SPF policy record data: v=spf1 redirect=_spf.google.com [*]Evaluating SPF policy: v=spf1 redirect=_spf.google.com [*]Policy parsed OK, no warnings. [*]Evaluating SPF policy string. Following the "redirect" modifier.Argument domain-spec: _spf.google.com Domain argument after macro expansion:_spf.google.com SPF check start.Domain: _spf.google.com Getting SPF (TXT) record. Found SPF record. SPF policy record data:v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all Evaluating SPF policy:v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all Policy parsed OK, no warnings. Evaluating SPF policy string.Evaluating SPF mechanism "include".Prefix: Pass. Argument domain-spec: _netblocks.google.com Domain argument after macro expansion:_netblocks.google.com SPF check start.Domain: _netblocks.google.com Getting SPF (TXT) record. Found SPF record. SPF policy record data:v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all Evaluating SPF policy:v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all Policy parsed OK, no warnings. Evaluating SPF policy string.Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 216.239.32.0 Argument ip4-cidr-length: 19 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 64.233.160.0 Argument ip4-cidr-length: 19 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 66.249.80.0 Argument ip4-cidr-length: 20 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 72.14.192.0 Argument ip4-cidr-length: 18 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 209.85.128.0 Argument ip4-cidr-length: 17 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 66.102.0.0 Argument ip4-cidr-length: 20 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 74.125.0.0 Argument ip4-cidr-length: 16 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 64.18.0.0 Argument ip4-cidr-length: 20 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 207.126.144.0 Argument ip4-cidr-length: 20 Evaluating SPF mechanism "ip4".Prefix: Pass. Argument network-spec: 173.194.0.0 Argument ip4-cidr-length: 16 Evaluating SPF mechanism "all".Prefix: Neutral. SPF mechanism "all" matched with prefix Neutral. Finished evaluating SPF policy. SPF policy evaluation finished with SPF Neutral. Evaluating SPF mechanism "include".Prefix: Pass. Argument domain-spec: _netblocks2.google.com Domain argument after macro expansion:_netblocks2.google.com SPF check start.Domain: _netblocks2.google.com Getting SPF (TXT) record. Found SPF record. SPF policy record data:v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all Evaluating SPF policy:v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all Policy parsed OK, no warnings. Evaluating SPF policy string.IP6 mechanism evaluation is not implemented. IP6 mechanism evaluation is not implemented. IP6 mechanism evaluation is not implemented. IP6 mechanism evaluation is not implemented. IP6 mechanism evaluation is not implemented. IP6 mechanism evaluation is not implemented. Evaluating SPF mechanism "all".Prefix: Neutral. SPF mechanism "all" matched with prefix Neutral. Finished evaluating SPF policy. SPF policy evaluation finished with SPF Neutral. Evaluating SPF mechanism "include".Prefix: Pass. Argument domain-spec: _netblocks3.google.com Domain argument after macro expansion:_netblocks3.google.com SPF check start.Domain: _netblocks3.google.com Getting SPF (TXT) record. Found SPF record. SPF policy record data:v=spf1 ?all Evaluating SPF policy:v=spf1 ?all Policy parsed OK, no warnings. Evaluating SPF policy string.Evaluating SPF mechanism "all".Prefix: Neutral. SPF mechanism "all" matched with prefix Neutral. Finished evaluating SPF policy. SPF policy evaluation finished with SPF Neutral. Evaluating SPF mechanism "all".Prefix: Neutral. SPF mechanism "all" matched with prefix Neutral. Finished evaluating SPF policy. SPF policy evaluation finished with SPF Neutral. Returned from redirection. [*]Finished evaluating SPF policy. [*]SPF policy evaluation finished with SPF Neutral. So did a test with just random ****.. 1.2.3.4 may send in the name of the domain. http://vamsoft.com/s...f-policy-tester You can use this is well http://www.kitterman...f/validate.html, you can pretty much test anything with a gmail.com domain and you get neutral.. if you notice their record v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all So since using ?, they never fail anything - so what is the point of the policy?? ;) They really should have a - for their policy. Each mechanism can be combined with one of four qualifiers: + for a PASS result. This can be omitted; e.g., +mx is the same as mx. ? for a NEUTRAL result interpreted like NONE (no policy). ~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged. - (minus) for FAIL, the mail should be rejected (see below). primexx 1 Share Link to comment Share on other sites More sharing options...
primexx Posted February 17, 2013 Author Share Posted February 17, 2013 Ah, thanks budman! So basically I'm hooped unless I duplicate and alter google's record? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 18, 2013 MVC Share Posted February 18, 2013 your hopeless using spf to filter on - its going to be neutral.. But sure there is something else you could filter on.. is the spam all coming from that IP? Got to be some key words to block.. Can you just report as spam, normally gmail updates their filtering. Link to comment Share on other sites More sharing options...
primexx Posted February 18, 2013 Author Share Posted February 18, 2013 yea i do mark it as spam in gmail. i was wondering why the spf record isn't filtering it out, and you answered my question perfectly. thanks! Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 18, 2013 MVC Share Posted February 18, 2013 Glad I could help -- you will notice quite a few domains create spf, but they are pretty useless because they are set like gmail - nothing fails ;) Link to comment Share on other sites More sharing options...
Recommended Posts