
I have postfix + spamassassin.

SpamAssassin is supposed to check the SPF of the sender, but I received the following spam:

[email protected] = this is the email on my postfix

Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        astra4450.dedicatedpanel.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=BAYES_00,
        HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_SBL,SPF_HELO_PASS,SPF_PASS,
        TO_IN_SUBJ,TVD_PH_BODY_ACCOUNTS_PRE,T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED,
        URIBL_DBL_MALWARE,URIBL_PH_SURBL,URIBL_SBL,URIBL_SBL_A autolearn=no
        autolearn_force=no version=3.4.0
Delivered-To: [email protected]
Received: from mail.hostify.vn (mail.hostify.vn [150.95.110.152])
        by mx6.example.com (Postfix) with ESMTPS id A0C74100F20F14
        for <[email protected]>; Wed, 13 Dec 2023 03:26:58 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
        by mail.hostify.vn (Postfix) with ESMTP id 0FFB9166DF7
        for <[email protected]>; Wed, 13 Dec 2023 08:26:57 +0700 (+07)
Received: from mail.hostify.vn ([127.0.0.1])
        by localhost (mail.hostify.vn [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id EaHftMvBvz9k for <[email protected]>;
        Wed, 13 Dec 2023 08:26:56 +0700 (+07)
Received: from localhost (localhost [127.0.0.1])
        by mail.hostify.vn (Postfix) with ESMTP id 9CEAE167AA0
        for <[email protected]>; Wed, 13 Dec 2023 08:26:56 +0700 (+07)
X-Virus-Scanned: amavisd-new at hostify.vn
Received: from mail.hostify.vn ([127.0.0.1])
        by localhost (mail.hostify.vn [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id Y2hw8khgynlj for <[email protected]>;
        Wed, 13 Dec 2023 08:26:56 +0700 (+07)
Received: from [88.209.206.208] (unknown [88.209.206.208])
        by mail.hostify.vn (Postfix) with ESMTPSA id 9CF741675DA
        for <[email protected]>; Wed, 13 Dec 2023 08:26:55 +0700 (+07)
From: Admin Helpdesk <[email protected]>
To: [email protected]
Subject: Password Verification For [email protected]
Date: 12 Dec 2023 17:26:54 -0800
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0012_CFC45DD6.E88DD181"

From what I can conclude, the SPF for [email protected] was correct and the sender is "spoofed" in the header as [email protected]

However there is no way SPF for [email protected] to be correct.

Today I installed a tool called pypolicyd-spf, but as far as I was able to check, it also checks only the MAIL FROM: SMTP command and not the email headers.

Am I missing something or may be using wrong tool for the job?

2 Answers


This is how SPF is supposed to work. From the Introduction of Sender Policy Framework (SPF) (RFC 7208, section 1):

This document defines a protocol by which domain owners may authorize hosts to use their domain name in the "MAIL FROM" or "HELO" identity. Compliant domain holders publish Sender Policy Framework (SPF) records specifying which hosts are permitted to use their names, and compliant mail receivers use the published SPF records to test the authorization of sending Mail Transfer Agents (MTAs) using a given "HELO" or "MAIL FROM" identity during a mail transaction.

DMARC (RFC 7489) on the other hand enables the sender to publish policies on how they want receivers to handle messages where the From header is not aligned with either the envelope sender (MAIL FROM) passing SPF or a valid DKIM signature.


Let's suppose the following:

HELO spammer.com                    << [1]
MAIL FROM:<[email protected]>       << [2]
RCPT TO:<[email protected]>
DATA
From: [email protected]            << [3]
To: [email protected]
Subject: spam

spam
.

It turns out SPF should be checked only on the MAIL FROM: field of the SMTP connection, i.e. [2].

Often this is the same as Return-Path.

Sometimes SPF checks the HELO domain [1].

However, the From: header in the email [3] is never checked.

This means everybody can spoof the sender like this.

To mitigate this for your own domain, you can set up DMARC and specify that both addresses must be the same.

To mitigate this for domains that you do not own, you can increase the following scores in /etc/mail/spamassassin/local.cf:

score           SPF_FAIL            0 0 0 4.50
score           SPF_SOFTFAIL        0 0 0 3.50
score           SPF_HELO_FAIL       0 0 0 4.50
score           SPF_HELO_SOFTFAIL   0 0 0 3.50

score           HEADER_FROM_DIFFERENT_DOMAINS   0 0 0 4.50

Please note this is a bit risky, because some domains are not configured 100% correctly.

  • Care to comment about the -1 you placed?
    – Nick
    Commented Jan 9 at 7:52
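The point both answers make is that SPF authenticates the envelope identity [2] (or HELO [1]) and says nothing about the From: header [3]; only DMARC identifier alignment connects the two. The following is an added example, not code from the question, the answers, SpamAssassin or pypolicyd-spf. It evaluates SPF against constructed in-memory records (no DNS), then applies DMARC-style alignment (RFC 7489 section 3.1) to a constructed message modelled on the one in the question. The SPF records, IP addresses and the addresses in the sample message are assumptions; the organizational-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
"""Added example (not from the original question or answers): apply DMARC
identifier alignment on top of an SPF result, so that an SPF pass for the
envelope sender [2] is not mistaken for a pass for the From: header [3].
SPF is evaluated against constructed in-memory records; no DNS is used."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed toy SPF records (assumption: hostify.vn authorizes the
# 150.95.110.0/24 range, example.com authorizes only 203.0.113.10).
SPF_RECORDS = {
    "hostify.vn": "v=spf1 ip4:150.95.110.0/24 -all",
    "example.com": "v=spf1 ip4:203.0.113.10 -all",
}

# Constructed message modelled on the one in the question: the From: header
# claims example.com while the envelope sender (Return-Path) is at hostify.vn.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@hostify.vn>
From: Admin Helpdesk <helpdesk@example.com>
To: victim@example.com
Subject: Password Verification For victim@example.com

Please verify your password.
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Minimal SPF evaluator: ip4:/ip6: mechanisms and 'all', with qualifiers.
    Real SPF also has a, mx, include, redirect and DNS lookup limits."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def org_domain(domain):
    """Organizational domain. Simplification (assumption): last two labels;
    real DMARC consults the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated_domain, from_domain, mode="r"):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match."""
    a, b = authenticated_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(raw_message, client_ip, helo, mail_from=None, dkim_domain=None, mode="r"):
    """Return the SPF result, the identity it was computed for, and whether
    that identity aligns with the From: header domain (what DMARC requires)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if mail_from is None:
        mail_from = parseaddr(msg.get("Return-Path", ""))[1]
    # RFC 7208: check MAIL FROM; fall back to the HELO identity when it is empty.
    spf_domain = mail_from.rpartition("@")[2] if mail_from else helo
    spf_result = check_spf(spf_domain, client_ip)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, mode)
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain, mode)
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "spf_result": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # The question's case: SPF passes for hostify.vn [2], but that says nothing
    # about the example.com From: header [3], so DMARC alignment fails.
    print(evaluate(SAMPLE_MESSAGE, "150.95.110.152", "mail.hostify.vn"))
    # If the spammer also spoofs MAIL FROM as example.com, SPF itself fails,
    # which is the case the raised SPF_FAIL score in local.cf catches.
    print(evaluate(SAMPLE_MESSAGE, "150.95.110.152", "mail.hostify.vn",
                   mail_from="helpdesk@example.com"))
```

Note the two failure modes this separates: the message in the question gets SPF_PASS and still fails alignment, so an SPF score alone cannot stop it; only a DMARC policy for the From: domain (or, locally, a high HEADER_FROM_DIFFERENT_DOMAINS score) acts on [3]. Before raising that score, remember that legitimate mailing lists and forwarders also produce misaligned envelope senders.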
