SPF and Spoofing also based on the From


#1 Rui Marques
Posted 07 October 2019 - 09:55 AM

Hi, I recently had a case where some messages were not blocked automatically by the BESS.
The main issue was that 3 rules that could have been applied were not, because the rules are based on the "Envelope From" header.
In this case I had messages with these headers.

From:fatura.w8fq@domain1.pt
To:agency@private.domain.com
Subject:agency@private.domain.com Envio de Fatura Eletronica: - Meo CH7JH - 30/09/2019 10:33:58
Date:2019-09-30 10:24PM
Message ID:xxxxxxx
IP:185.181.209.217 (contadores19.ripserver.com.de)
Envelope:www-data@acore40.openstacklocal
I have Spoofing, SPF, and Link Protection rules active.
The main problem was that:
1 - The SPF rule is based on the "Envelope From"; in this particular case the "acore40.openstacklocal" domain does not have a published SPF record.
As the rules do not cross-check the "From" internet domain in this case, the rule is not applied.
2 - Spoofing: the rule only applies if the sender in the "Envelope From" or the "From" matches domain1.pt; if this does not match, the spoofing rule is not applied.
3 - Link Protection: inside the email body is a direct link to execute malicious PHP code. The system was not able to block the messages.
3 email fingerprints were added, but they were not able to block incoming messages.
The main issue is that domain1.pt is a legitimate domain, and since the rules are only based on the Envelope From, the information in the From is not cross-checked.
For all fake messages sent from one IP address without a published SPF record, or where the domain name does not correspond to the Envelope From domain, the spoofing rule will not apply.
Spoofing and SPF rules should also be based on the From internet domain.
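As an added illustration of the gap described in this post (not Barracuda code and not the poster's own), the check below compares the header From domain against the envelope sender the way DMARC alignment does, so a message whose From is a monitored domain while the envelope points elsewhere is flagged. The sample headers are constructed from the domains quoted above; the `org_domain` helper is a deliberately crude two-label approximation (an assumption; production code should use the Public Suffix List).

```python
from email.utils import parseaddr


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels (assumption;
    a real implementation should consult the Public Suffix List)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def is_aligned(header_from: str, envelope_from: str, strict: bool = False) -> bool:
    """DMARC-style alignment between the RFC 5322 From and the RFC 5321
    MAIL FROM: exact match when strict, same organizational domain otherwise."""
    h, e = domain_of(header_from), domain_of(envelope_from)
    if not h or not e:
        return False
    return h == e if strict else org_domain(h) == org_domain(e)


def assess(headers: dict, monitored_domains: set) -> list:
    """Return findings for one message. Flags misalignment, and separately the
    case the post describes: a monitored domain in From while the envelope
    sender belongs to some other domain that an envelope-only rule looks at."""
    header_from = headers.get("From", "")
    envelope_from = headers.get("Envelope-From", "")
    h, e = domain_of(header_from), domain_of(envelope_from)
    findings = []
    if not is_aligned(header_from, envelope_from):
        findings.append(f"From/Envelope misaligned: From={h} Envelope={e}")
    if h in monitored_domains and e not in monitored_domains:
        findings.append(f"monitored domain {h} in From but envelope sender is {e}")
    return findings


# Constructed sample with the shape of the message in the post.
SAMPLE = {
    "From": "fatura.w8fq@domain1.pt",
    "To": "agency@private.domain.com",
    "Envelope-From": "www-data@acore40.openstacklocal",
}

if __name__ == "__main__":
    for finding in assess(SAMPLE, {"domain1.pt"}):
        print(finding)
```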