Help Analyzing Email Header

By primexx
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

primexx

Posted
Posted

I've recently been getting a perculiar kind of spam, I'm having a little trouble figuring out why it's avoiding the spam filter.

My email setup: I'm using google apps. I have records for SPF (the generic google one), DKIM (unique), and DMARC. My DMARC policy is using default values (but p=quarantine), which uses relaxed alignment mode for both SPF and DKIM as well as letting mail through if either passes (to avoid f/p of forwarding servers).

Basically, this new spam claims to come from my own domain, which it obviously isn't. Now usually this wouldn't be a problem since it should fail both SPF and DKIM. But it looks like this breed is passing (or at least not failing) SPF for some reason. I'm referring specifically to "Received-SPF" and "Authentication-Results", which makes it look like they're using a Gmail account to originate the spam, but the Gmail account itself obviously can't spoof email addresses on my domain. Later down it appears that they are, in fact, using a third party sender, but how does it pass SPF?

I'm quite confused about this header, could anyone with more experience in this area shed some light as to what's actually happening? Is there any change I can make to the DMARC policy to filter this out?

Thanks!


Delivered-To: [email protected]
Received: by 10.223.161.66 with SMTP id q2csp29576fax;
		Sat, 16 Feb 2013 13:11:56 -0800 (PST)
X-Received: by 10.220.116.5 with SMTP id k5mr9087041vcq.55.1361049116195;
		Sat, 16 Feb 2013 13:11:56 -0800 (PST)
Return-Path: <[email protected]>
Received: from 201-212-133-238.cab.prima.net.ar (201-212-133-238.cab.prima.net.ar. [201.212.133.238])
		by mx.google.com with ESMTP id a1si13647855vdk.21.2013.02.16.13.11.54;
		Sat, 16 Feb 2013 13:11:56 -0800 (PST)
Received-SPF: neutral (google.com: 201.212.133.238 is neither permitted nor denied by domain of [email protected]) client-ip=201.212.133.238;
Authentication-Results: mx.google.com;
	   spf=neutral (google.com: 201.212.133.238 is neither permitted nor denied by domain of [email protected]) [email protected]
Message-ID: <[email protected]>
Date: Sat, 16 Feb 2013 18:25:48 -0300
From: <[email protected]>,
<[email protected]>,
<[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <[email protected]>,
<[email protected]>,
<[email protected]>
Subject: Take a spare three-hour work week in our clinic and get 580 dollars.
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
[/CODE]

Link to comment
https://www.neowin.net/forum/topic/1136888-help-analyzing-email-header/
Share on other sites
Grand Master

TAZMINATOR

Posted
Posted

It might be this address:


[email protected]  and/or
[email protected]
[/CODE]

Which you got this today or yesterday... then next email you will get same address with random numbers such as 145, 160, 134... which is why you still get spam in your inbox. If you want to block them... block them with any words you might find in the body or subject line... such as viagra, so you can add them to your blacklist.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

gmail spf is not very locked down, if you check that IP against it - if you check any IP against it comes up as neutral

201.212.133.238 may send in the name of the domain.

  • SPF check start.
    • Domain: gmail.com

    [*]Getting SPF (TXT) record.

    [*]Found SPF record.

    [*]SPF policy record data:

    • v=spf1 redirect=_spf.google.com

    [*]Evaluating SPF policy:

    • v=spf1 redirect=_spf.google.com

    [*]Policy parsed OK, no warnings.

    [*]Evaluating SPF policy string.

    • Following the "redirect" modifier.
      • Argument domain-spec: _spf.google.com

      • Domain argument after macro expansion:
        • _spf.google.com

      • SPF check start.
        • Domain: _spf.google.com

      • Getting SPF (TXT) record.

      • Found SPF record.

      • SPF policy record data:
        • v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all

      • Evaluating SPF policy:
        • v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all

      • Policy parsed OK, no warnings.

      • Evaluating SPF policy string.
        • Evaluating SPF mechanism "include".
          • Prefix: Pass.

          • Argument domain-spec: _netblocks.google.com

          • Domain argument after macro expansion:
            • _netblocks.google.com

          • SPF check start.
            • Domain: _netblocks.google.com

          • Getting SPF (TXT) record.

          • Found SPF record.

          • SPF policy record data:
            • v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all

          • Evaluating SPF policy:
            • v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all

          • Policy parsed OK, no warnings.

          • Evaluating SPF policy string.
            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 216.239.32.0

              • Argument ip4-cidr-length: 19

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 64.233.160.0

              • Argument ip4-cidr-length: 19

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 66.249.80.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 72.14.192.0

              • Argument ip4-cidr-length: 18

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 209.85.128.0

              • Argument ip4-cidr-length: 17

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 66.102.0.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 74.125.0.0

              • Argument ip4-cidr-length: 16

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 64.18.0.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 207.126.144.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 173.194.0.0

              • Argument ip4-cidr-length: 16

            • Evaluating SPF mechanism "all".
              • Prefix: Neutral.

            • SPF mechanism "all" matched with prefix Neutral.

          • Finished evaluating SPF policy.

          • SPF policy evaluation finished with SPF Neutral.

        • Evaluating SPF mechanism "include".
          • Prefix: Pass.

          • Argument domain-spec: _netblocks2.google.com

          • Domain argument after macro expansion:
            • _netblocks2.google.com

          • SPF check start.
            • Domain: _netblocks2.google.com

          • Getting SPF (TXT) record.

          • Found SPF record.

          • SPF policy record data:
            • v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all

          • Evaluating SPF policy:
            • v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all

          • Policy parsed OK, no warnings.

          • Evaluating SPF policy string.
            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • Evaluating SPF mechanism "all".
              • Prefix: Neutral.

            • SPF mechanism "all" matched with prefix Neutral.

          • Finished evaluating SPF policy.

          • SPF policy evaluation finished with SPF Neutral.

        • Evaluating SPF mechanism "include".
          • Prefix: Pass.

          • Argument domain-spec: _netblocks3.google.com

          • Domain argument after macro expansion:
            • _netblocks3.google.com

          • SPF check start.
            • Domain: _netblocks3.google.com

          • Getting SPF (TXT) record.

          • Found SPF record.

          • SPF policy record data:
            • v=spf1 ?all

          • Evaluating SPF policy:
            • v=spf1 ?all

          • Policy parsed OK, no warnings.

          • Evaluating SPF policy string.
            • Evaluating SPF mechanism "all".
              • Prefix: Neutral.

            • SPF mechanism "all" matched with prefix Neutral.

          • Finished evaluating SPF policy.

          • SPF policy evaluation finished with SPF Neutral.

        • Evaluating SPF mechanism "all".
          • Prefix: Neutral.

        • SPF mechanism "all" matched with prefix Neutral.

      • Finished evaluating SPF policy.

      • SPF policy evaluation finished with SPF Neutral.

    • Returned from redirection.

    [*]Finished evaluating SPF policy.

    [*]SPF policy evaluation finished with SPF Neutral.

So did a test with just random ****.. 1.2.3.4 may send in the name of the domain.

http://vamsoft.com/s...f-policy-tester

You can use this is well http://www.kitterman...f/validate.html, you can pretty much test anything with a gmail.com domain and you get neutral..

if you notice their record

v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all

So since using ?, they never fail anything - so what is the point of the policy?? ;) They really should have a - for their policy.

Each mechanism can be combined with one of four qualifiers:

  • + for a PASS result. This can be omitted; e.g., +mx is the same as mx.
  • ? for a NEUTRAL result interpreted like NONE (no policy).
  • ~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.
  • - (minus) for FAIL, the mail should be rejected (see below).

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

your hopeless using spf to filter on - its going to be neutral.. But sure there is something else you could filter on.. is the spam all coming from that IP? Got to be some key words to block.. Can you just report as spam, normally gmail updates their filtering.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Windows 11 gets useful new File Explorer features in the latest build

      By TarasBuria · Posted

      Windows 11 gets useful new File Explorer features in the latest build by Taras Buria Friday Windows 11 preview builds are finally here. After skipping one week, Microsoft is back to releasing preview builds for Windows Insiders to try. This time, Insiders in the Experimental Channel can download build 26300.8687. Its changelog does not contain anything major, but there is still useful new stuff, such as some new conveniences for File Explorer, Windows Update improvements, better Windows Search, a new search provider for the built-in GIF library, and more. Here is the changelog: [Windows Update] As announced in the Windows Update announcement blog, we are now bringing a new unified update experience to reduce the number of reboots you see per month. We are starting by coordinating driver, .NET, and firmware updates to align with the monthly quality update, reducing the update experience to a single monthly restart. See the blog for more information. [File Explorer] Middle-click to open a folder in a new tab is now supported in the Address Bar and the Home page for a more consistent and efficient tabbed navigation experience across File Explorer. Improved screen reader announcements for conflict resolution dialog ("Which files do you want to keep?") when moving/copying files. Made some more improvements to how File Explorer responds to increased text scaling. [Search] Finding apps is more forgiving. Search is better at handling typos, dropped letters, extra letters, and partial words for apps. Queries like “utlook” can still find Outlook. Settings results are improving. We’ve made ranking improvements to help more relevant settings appear higher in results. [Taskbar] Improved reliability of loading the system tray area of the taskbar. Fixed an issue where tooltips might unexpectedly appear on top of the Start menu icon in the taskbar when using the taskbar in an alternate position. Also fixed a few other visual polish issues when using the taskbar with small icons. [Windows setup] The digital safety of users and supporting families is central to how we think about the Windows experience. We're improving information on parental controls and their availability during Windows setup, so families can more easily understand available protections and make informed choices from the very beginning. [Input] Update: The emoji panel (Windows key + period (.)) now uses GIPHY as the GIF provider, delivering a smoother GIF browsing and sharing experience following the deprecation of Tenor. Fixed an issue that was causing the mouse cursor to potentially move in the wrong direction in recent Insider builds on secondary monitors when set to portrait mode. [Remote Recovery Management] Adding a recovery remote management plug-in for extending WinRE management capabilities for MDM providers [Audio] Fixed an issue resulting in audio not working for some Insiders after the latest flights. [Settings] Fixed an issue impacting the reliability of Settings > Apps > Installed Apps after the latest flights. [General Reliability] If you were experiencing freezes in the previous flight when interacting with search, Notepad, or certain other scenarios, that should be resolved now. [Other] When using dark mode, if you open "Run new task" from Task Manager, it will now show in dark mode too. As usual, changes above are rolling out gradually. You can find the release notes here in the official documentation.
    • Can't access the forum on mobile

      By _neutrino · Posted

      Im in Ohio, and my VPN endpoint is in Boston. If that helps, it does happen both on and off the VPN. and again only in Edge.
    • Visual Studio finally gets long-awaited feature that developers will love

      By Elliot B. · Posted

      It is such a shame. I used to really respect Neowin's articles.
    • Politically funny images of the World

      By +primortal · Posted

    • Microsoft about to radically change how often your Edge browser updates

      By +mram · Posted

      So.... slower fixes and slower security updates are preferred? I mean, there is no goldilocks zone here until it can literally update without ever needing a restart, and even then I'm sure someone would complain.

  • Recent Achievements

    • One Month Later
      Clizby earned a badge
      One Month Later
    • One Month Later
      Timaximus earned a badge
      One Month Later
    • Week One Done
      Timaximus earned a badge
      Week One Done
    • Rookie
      FBSPL went up a rank
      Rookie
    • First Post
      davidbazooked earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      490
    2. 2
      PsYcHoKiLLa
      168
    3. 3
      +Edouard
      163
    4. 4
      Steven P.
      85
    5. 5
      ATLien_0
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!