trojan81
asked on
mail SPF question
Given the SPF entry below for fictitious domain ABC.com
v=spf1 ip4:50.50.50.0/24 ip4:50.102.50.0/24 ip4:50.62.161.12 include:spf.protection.outlook.com include:amazonses.com -all
An attacker spoofs an email from john@abc.com and sends it to bob@abc.com. Inspecting the headers shows this:
1 * 192.3.21.34 smtp-relay.gmail.com ESMTPS 3/19/2019 6:21:22 PM Not blacklisted
2 1 Second mail-io1-f102.google.com SMTP 3/19/2019 6:21:23 PM
3 0 seconds mail-io1-f102.google.com 209.85.166.102 CO1NAM03FT012.mail.protection.outlook.com 10.152.80.99 Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) 3/19/2019 6:21:23 PM Is on a blacklist
4 1 Second CO1NAM03FT012.eop-NAM03.prod.protection.outlook.com SN6PR0102CA0028.outlook.office365.com Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) 3/19/2019 6:21:24 PM
5 1 Second SN6PR0102CA0028.prod.exchangelabs.com BYAPR01MB4919.prod.exchangelabs.com Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) 3/19/2019 6:21:25 PM
6 * 192.3.21.34 smtp-relay.gmail.com ESMTPS 3/19/2019 6:21:22 PM Not blacklisted
7 1 Second mail-io1-f102.google.com SMTP 3/19/2019 6:21:23 PM
8 0 seconds mail-io1-f102.google.com 209.85.166.102 CO1NAM03FT012.mail.protection.outlook.com 10.152.80.99 Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) 3/19/2019 6:21:23 PM Is on a blacklist
9 1 Second CO1NAM03FT012.eop-NAM03.prod.protection.outlook.com SN6PR0102CA0028.outlook.office365.com Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) 3/19/2019 6:21:24 PM
10 1 Second SN6PR0102CA0028.prod.exchangelabs.com BYAPR01MB4919.prod.exchangelabs.com Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) 3/19/2019 6:21:25 PM
11 2 seconds BYAPR01MB4919.prod.exchangelabs.com BYAPR01MB4918.prod.exchangelabs.com HTTPS 3/19/2019 6:21:27 PM
QUESTION: Should the mail have been rejected as it failed the SPF check?
ASKER
Jose,
What tells you that it won't be rejected?
ASKER
And you are right. It didn't get rejected. It was received, but I don't know yet if it went to the spam/junk folder. I would like to know how you made that determination that it would not get rejected.
SPF acts on the envelope sender, so the headers are irrelevant unless they match.
The behavior of SPF is a decision of each sysadmin. Some domains do not implement SPF filtering at all. Most domains use DMARC for hints regarding how to treat SPF.
Also note that SPF was actually designed as an antispam solution. And it would indeed be very efficient and would have likely killed spam in the early days if it had been actually implemented worldwide.
History showed that the combination of Microsoft trying to push their poor Sender ID alternative and lazy sysadmins over 3 decades killed that possibility.
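Added example (not from the thread): an SPF evaluator for the record in the question, applied to the client IPs that appear in the posted hops. The `RECORDS` table stands in for DNS, and the contents of the two include targets are constructed placeholders, not the providers' real records.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# abc.com carries the record from the question. The two include targets are
# CONSTRUCTED stand-ins (documentation ranges), not the providers' real records.
RECORDS = {
    "abc.com": "v=spf1 ip4:50.50.50.0/24 ip4:50.102.50.0/24 ip4:50.62.161.12 "
               "include:spf.protection.outlook.com include:amazonses.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
}


def check_host(client_ip, mail_from_domain, records=RECORDS, depth=0):
    """SPF result for client_ip against the envelope-sender (MAIL FROM) domain.

    Handles the mechanisms used in the question's record: ip4, include, all.
    `records` stands in for the DNS TXT lookup (assumption, keeps this offline).
    """
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(client_ip, arg, records, depth + 1)
            if inner in ("none", "permerror", "temperror"):
                return "temperror" if inner == "temperror" else "permerror"
            matched = inner == "pass"   # only an inner pass makes include match
        else:
            return "permerror"          # mechanism outside ip4/include/all
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all" present


if __name__ == "__main__":
    for ip in ("192.3.21.34", "209.85.166.102", "50.50.50.7"):
        print(ip, check_host(ip, "abc.com"))
```

The value returned is only the SPF verdict for the envelope sender; what the receiving server does with a `fail` is its own policy.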
No, it won't get rejected; it will just be received and saved into the spam/junk folder.