Help Analyzing Email Header

By primexx
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

primexx

Posted
Posted

I've recently been getting a perculiar kind of spam, I'm having a little trouble figuring out why it's avoiding the spam filter.

My email setup: I'm using google apps. I have records for SPF (the generic google one), DKIM (unique), and DMARC. My DMARC policy is using default values (but p=quarantine), which uses relaxed alignment mode for both SPF and DKIM as well as letting mail through if either passes (to avoid f/p of forwarding servers).

Basically, this new spam claims to come from my own domain, which it obviously isn't. Now usually this wouldn't be a problem since it should fail both SPF and DKIM. But it looks like this breed is passing (or at least not failing) SPF for some reason. I'm referring specifically to "Received-SPF" and "Authentication-Results", which makes it look like they're using a Gmail account to originate the spam, but the Gmail account itself obviously can't spoof email addresses on my domain. Later down it appears that they are, in fact, using a third party sender, but how does it pass SPF?

I'm quite confused about this header, could anyone with more experience in this area shed some light as to what's actually happening? Is there any change I can make to the DMARC policy to filter this out?

Thanks!


Delivered-To: [email protected]
Received: by 10.223.161.66 with SMTP id q2csp29576fax;
		Sat, 16 Feb 2013 13:11:56 -0800 (PST)
X-Received: by 10.220.116.5 with SMTP id k5mr9087041vcq.55.1361049116195;
		Sat, 16 Feb 2013 13:11:56 -0800 (PST)
Return-Path: <[email protected]>
Received: from 201-212-133-238.cab.prima.net.ar (201-212-133-238.cab.prima.net.ar. [201.212.133.238])
		by mx.google.com with ESMTP id a1si13647855vdk.21.2013.02.16.13.11.54;
		Sat, 16 Feb 2013 13:11:56 -0800 (PST)
Received-SPF: neutral (google.com: 201.212.133.238 is neither permitted nor denied by domain of [email protected]) client-ip=201.212.133.238;
Authentication-Results: mx.google.com;
	   spf=neutral (google.com: 201.212.133.238 is neither permitted nor denied by domain of [email protected]) [email protected]
Message-ID: <[email protected]>
Date: Sat, 16 Feb 2013 18:25:48 -0300
From: <[email protected]>,
<[email protected]>,
<[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <[email protected]>,
<[email protected]>,
<[email protected]>
Subject: Take a spare three-hour work week in our clinic and get 580 dollars.
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
[/CODE]

Link to comment
https://www.neowin.net/forum/topic/1136888-help-analyzing-email-header/
Share on other sites
Grand Master

TAZMINATOR

Posted
Posted

It might be this address:


[email protected]  and/or
[email protected]
[/CODE]

Which you got this today or yesterday... then next email you will get same address with random numbers such as 145, 160, 134... which is why you still get spam in your inbox. If you want to block them... block them with any words you might find in the body or subject line... such as viagra, so you can add them to your blacklist.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

gmail spf is not very locked down, if you check that IP against it - if you check any IP against it comes up as neutral

201.212.133.238 may send in the name of the domain.

  • SPF check start.
    • Domain: gmail.com

    [*]Getting SPF (TXT) record.

    [*]Found SPF record.

    [*]SPF policy record data:

    • v=spf1 redirect=_spf.google.com

    [*]Evaluating SPF policy:

    • v=spf1 redirect=_spf.google.com

    [*]Policy parsed OK, no warnings.

    [*]Evaluating SPF policy string.

    • Following the "redirect" modifier.
      • Argument domain-spec: _spf.google.com

      • Domain argument after macro expansion:
        • _spf.google.com

      • SPF check start.
        • Domain: _spf.google.com

      • Getting SPF (TXT) record.

      • Found SPF record.

      • SPF policy record data:
        • v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all

      • Evaluating SPF policy:
        • v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all

      • Policy parsed OK, no warnings.

      • Evaluating SPF policy string.
        • Evaluating SPF mechanism "include".
          • Prefix: Pass.

          • Argument domain-spec: _netblocks.google.com

          • Domain argument after macro expansion:
            • _netblocks.google.com

          • SPF check start.
            • Domain: _netblocks.google.com

          • Getting SPF (TXT) record.

          • Found SPF record.

          • SPF policy record data:
            • v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all

          • Evaluating SPF policy:
            • v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all

          • Policy parsed OK, no warnings.

          • Evaluating SPF policy string.
            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 216.239.32.0

              • Argument ip4-cidr-length: 19

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 64.233.160.0

              • Argument ip4-cidr-length: 19

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 66.249.80.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 72.14.192.0

              • Argument ip4-cidr-length: 18

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 209.85.128.0

              • Argument ip4-cidr-length: 17

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 66.102.0.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 74.125.0.0

              • Argument ip4-cidr-length: 16

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 64.18.0.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 207.126.144.0

              • Argument ip4-cidr-length: 20

            • Evaluating SPF mechanism "ip4".
              • Prefix: Pass.

              • Argument network-spec: 173.194.0.0

              • Argument ip4-cidr-length: 16

            • Evaluating SPF mechanism "all".
              • Prefix: Neutral.

            • SPF mechanism "all" matched with prefix Neutral.

          • Finished evaluating SPF policy.

          • SPF policy evaluation finished with SPF Neutral.

        • Evaluating SPF mechanism "include".
          • Prefix: Pass.

          • Argument domain-spec: _netblocks2.google.com

          • Domain argument after macro expansion:
            • _netblocks2.google.com

          • SPF check start.
            • Domain: _netblocks2.google.com

          • Getting SPF (TXT) record.

          • Found SPF record.

          • SPF policy record data:
            • v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all

          • Evaluating SPF policy:
            • v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all

          • Policy parsed OK, no warnings.

          • Evaluating SPF policy string.
            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • IP6 mechanism evaluation is not implemented.

            • Evaluating SPF mechanism "all".
              • Prefix: Neutral.

            • SPF mechanism "all" matched with prefix Neutral.

          • Finished evaluating SPF policy.

          • SPF policy evaluation finished with SPF Neutral.

        • Evaluating SPF mechanism "include".
          • Prefix: Pass.

          • Argument domain-spec: _netblocks3.google.com

          • Domain argument after macro expansion:
            • _netblocks3.google.com

          • SPF check start.
            • Domain: _netblocks3.google.com

          • Getting SPF (TXT) record.

          • Found SPF record.

          • SPF policy record data:
            • v=spf1 ?all

          • Evaluating SPF policy:
            • v=spf1 ?all

          • Policy parsed OK, no warnings.

          • Evaluating SPF policy string.
            • Evaluating SPF mechanism "all".
              • Prefix: Neutral.

            • SPF mechanism "all" matched with prefix Neutral.

          • Finished evaluating SPF policy.

          • SPF policy evaluation finished with SPF Neutral.

        • Evaluating SPF mechanism "all".
          • Prefix: Neutral.

        • SPF mechanism "all" matched with prefix Neutral.

      • Finished evaluating SPF policy.

      • SPF policy evaluation finished with SPF Neutral.

    • Returned from redirection.

    [*]Finished evaluating SPF policy.

    [*]SPF policy evaluation finished with SPF Neutral.

So did a test with just random ****.. 1.2.3.4 may send in the name of the domain.

http://vamsoft.com/s...f-policy-tester

You can use this is well http://www.kitterman...f/validate.html, you can pretty much test anything with a gmail.com domain and you get neutral..

if you notice their record

v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all

So since using ?, they never fail anything - so what is the point of the policy?? ;) They really should have a - for their policy.

Each mechanism can be combined with one of four qualifiers:

  • + for a PASS result. This can be omitted; e.g., +mx is the same as mx.
  • ? for a NEUTRAL result interpreted like NONE (no policy).
  • ~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.
  • - (minus) for FAIL, the mail should be rejected (see below).

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

your hopeless using spf to filter on - its going to be neutral.. But sure there is something else you could filter on.. is the spam all coming from that IP? Got to be some key words to block.. Can you just report as spam, normally gmail updates their filtering.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By ExPat · Posted

      Looking forward to the test results.
    • Audacious 4.6.1

      By Copernic · Posted

      Audacious 4.6.1 by Razvan Serea Audacious is a lightweight, open-source audio player that emphasizes simplicity, performance, and sound quality. Designed for Linux, Windows, and macOS, it supports a wide range of audio formats, internet radio streaming, and playlist management. Users can customize the interface with Winamp-style skins or modern themes, making it flexible for different preferences. Audacious also includes an equalizer, advanced audio effects, and a plugin system for extending functionality. Its low resource usage makes it especially suitable for older computers or users who value efficiency without sacrificing playback quality. Audacious key features: High audio quality – delivers clean, gapless playback with minimal distortion. Wide format support – plays MP3, FLAC, Ogg Vorbis, AAC, WAV, WMA, and more. Internet radio streaming – supports Shoutcast, Icecast, and other online streams. Winamp skin support – classic, nostalgic look for users who prefer the old-school style. Modern GTK-based interface – clean, simple UI with a more modern feel. Customizable themes – change appearance through skins and themes. Advanced playlist management – organize, save, and edit playlists with ease. Equalizer – fine-tune audio output with a built-in graphical equalizer. Audio effects – built-in DSP options like crossfade, replay gain, and more. Plugin system – extend functionality with additional components. File metadata support – displays and organizes music based on tags. Drag-and-drop support – quickly add songs or playlists. Global hotkey support – control playback without switching windows. Bit-perfect output modes – bypass system mixers for pure audio output. ReplayGain support – normalizes track loudness automatically. Cue sheet support – play entire albums from a single audio file with .cue. MPRIS2 integration – integrates with Linux desktop environments for media controls. Advanced resampling options – adjust playback quality with different resampler settings. Gapless playback – seamless transition between tracks encoded properly. Crossfade plugin – blend one song into the next smoothly. Last.fm scrobbling plugin – track listening history online. Remote control support – control Audacious via command-line or scripts. Lyrics plugin – display song lyrics if available. Alarm / timer plugin – start or stop playback at set times. SOX resampler plugin – high-quality resampling for audiophiles. Spectrum analyzer / visualization plugins – visual feedback while playing music. Headphone crossfeed effect – simulates speaker listening for headphones. Customizable buffer size – tweak latency and playback smoothness. Audacious 4.6.1 changelog: Use XDG cache dir to store temporary files (#1817) Accept embedded lyrics in more cases (#1818) Bump .so and plugin ABI versions retrospectively (#1819) Include Georgian translation (#1820) Fix build on systems using musl instead of glibc (#1823) Download: Audacious 4.6.1 | 48.2 MB (Open Source) Download: Portable Audacious 4.6.1 | 69.8 MB View: Audacious Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Politically funny images of the World

      By +DoctorD · Posted

    • Can't access the forum on mobile

      By Steven P. · Posted

      I really wonder if this has to do with the built in VPN or "private DNS" of browsers that trip up legal requirements like cookie consent and Cloudflare (to avoid all the botnet attacks we get). And BTW some botnets still manage to get past Cloudflare, we are constantly having to tweak it to block malicious traffic that ultimately cause a DDoS.
    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By Eyevou · Posted

      CPPC states can also be messed around with in most UEFI settings but aren't as robust as the ones that the Windows Scheduler can provide! Make sure you look into what your motherboard also has before customizing for the Windows Scheduler.

  • Recent Achievements

    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later
    • One Month Later
      agatameier earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      518
    2. 2
      +Edouard
      199
    3. 3
      PsYcHoKiLLa
      147
    4. 4
      ATLien_0
      93
    5. 5
      Steven P.
      78
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!