
SPF check with empty FROM

Hello, today we received a spoofed sender email which is strange since we have a proper SPF record in place.

Upon inspection I noticed the "From" header value was base64 encoded. Could it be that the SEA does not properly check the SPF record if the sender email is base64 encoded?

 

Thanks



  • SPF will only help against an MTA connection, not the DATA From. In terms of spam, most spammers will generate their own valid SPF records because it's literally 1 line in a shell.

    I would have a look at this KB. Adding your domain to the hosts would stop someone from sending mail to yourself from your own server, and adding your domain to the senders tab as described will drop mail that originates with a public IP with a DATA From of your domain.

    The only thing to really consider is if you have a legitimate company spoofing mailings on your behalf that mails to your domain, i.e. Mailchimp or other bulk mailers.

    https://community.sophos.com/kb/en-us/118845

     

  • Thanks for the quick reply.

    From the SEA logs it appears the From was spoofed inside the Data part, as you suggested.

    Strangely the SEA logs report that the email didn't have any sender email, is it possible?

     

    Even from the full logs it appears so (third row?):

    2017-05-03 15:07:23 antispam postfix/smtpd[92551]: 82B547426_909D60BF: client=amw60.rev.netart.pl[85.128.205.60]
    2017-05-03 15:07:23 antispam postfix/cleanup[99078]: 82B547426_909D60BF: message-id=<2391400359675.20175313723@MyDomain.com>
    2017-05-03 15:07:23 antispam postfix/qmgr[27237]: 82B547426_909D60BF: from=<>, size=1652, nrcpt=1 (queue active)
    2017-05-03 15:07:23 antispam postfix/smtp[96636]: 82B547426_909D60BF: to=<MyUser@MyDomain.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.25, delays=0.06/0/0/0.19, dsn=2.0.0, status=sent (250 OK, sent 5909D60B_84558_3067_1 NOFORWARD)
    2017-05-03 15:07:23 antispam postfix/qmgr[27237]: 82B547426_909D60BF: removed
    2017-05-03 15:07:23 antispam milter[84558]: 5909D60B_84558_3067_1: Sandstorm header not found.
    2017-05-03 15:07:23 antispam milter[84558]: 5909D60B_84558_3067_1: X-Sophos headers have been stripped.
    2017-05-03 15:07:23 antispam milter[84558]: 5909D60B_84558_3067_1: HISTORIAN: Query results: 'ip=85.128.205.60,fs=0,da=22369541,mc=1,sc=0,hc=1,sp=0,fso=0,re=0,sd=0,hd=0'
    2017-05-03 15:24:01 antispam milter[84558]: 5909D9F1_84558_3141_1: Sandstorm header not found.
    2017-05-03 15:24:01 antispam postfix/backend/smtp[2055]: setting up TLS connection to INTERNAL.IP[INTERNAL.IP]:25
    2017-05-03 15:24:01 antispam postfix/backend/smtp[2055]: Trusted TLS connection established to INTERNAL.IP[INTERNAL.IP]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    2017-05-03 15:24:01 antispam postfix/backend/smtpd[2833]: 635238824_909D9F1B: client=localhost.localdomain[127.0.0.1]
    2017-05-03 15:24:01 antispam postfix/backend/cleanup[96642]: 635238824_909D9F1B: message-id=<2391400359675.20175313723@MyDomain.com>
    2017-05-03 15:24:01 antispam postfix/backend/qmgr[15227]: 635238824_909D9F1B: from=<>, size=3324, nrcpt=1 (queue active)
    2017-05-03 15:24:01 antispam postfix/backend/smtp[2055]: 635238824_909D9F1B: to=<MyUser@MyDomain.com>, relay=INTERNAL.IP[INTERNAL.IP]:25, delay=0.54, delays=0.1/0/0.03/0.41, dsn=2.6.0, status=sent (250 2.6.0 <2391400359675.20175313723@MyDomain.com> [InternalId=973215] Queued mail for delivery)
    2017-05-03 15:24:01 antispam postfix/backend/qmgr[15227]: 635238824_909D9F1B: removed

     

    If that is true, how can I create a rule that matches that kind of messages?

    Even more interesting is: should the SEA by default mark as suspected or even quarantine an email without the sender?

     

    Thanks again
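The pattern visible in that log excerpt (a `from=<>` queue entry whose `client=` is an external host) can be pulled out of the Postfix log by correlating lines on the queue ID. This is an added example, not part of the original post and not Sophos code; the function names are hypothetical and the sample lines are copied from the excerpt above.

```python
import ipaddress
import re

# Lines copied from the log excerpt in the post above (same message, two queue IDs).
SAMPLE_LOG = """\
2017-05-03 15:07:23 antispam postfix/smtpd[92551]: 82B547426_909D60BF: client=amw60.rev.netart.pl[85.128.205.60]
2017-05-03 15:07:23 antispam postfix/cleanup[99078]: 82B547426_909D60BF: message-id=<2391400359675.20175313723@MyDomain.com>
2017-05-03 15:07:23 antispam postfix/qmgr[27237]: 82B547426_909D60BF: from=<>, size=1652, nrcpt=1 (queue active)
2017-05-03 15:24:01 antispam postfix/backend/smtpd[2833]: 635238824_909D9F1B: client=localhost.localdomain[127.0.0.1]
2017-05-03 15:24:01 antispam postfix/backend/qmgr[15227]: 635238824_909D9F1B: from=<>, size=3324, nrcpt=1 (queue active)
"""

LINE = re.compile(r"postfix/(?:\w+/)?(?P<svc>\w+)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
CLIENT = re.compile(r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
SENDER = re.compile(r"from=<(?P<sender>[^>]*)>")


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # redacted or malformed address in the log
        return False


def null_sender_from_external(log_text):
    """Return queue entries whose envelope sender is <> and whose client is not local."""
    clients, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        c = CLIENT.match(rest)
        s = SENDER.match(rest)
        if m["svc"] == "smtpd" and c:
            clients[qid] = (c["host"], c["ip"])  # remember who connected
        elif m["svc"] == "qmgr" and s and s["sender"] == "":
            host, ip = clients.get(qid, ("unknown", ""))
            if not is_loopback(ip):  # skip the internal re-injection hop
                hits.append({"qid": qid, "host": host, "ip": ip})
    return hits


if __name__ == "__main__":
    for hit in null_sender_from_external(SAMPLE_LOG):
        print(hit)
```

A null envelope sender is also what legitimate bounces and delivery status notifications use, so a hit here is a triage signal to review rather than a block decision.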

  • So, I have used this POC in which I will use a fake HELO FQDN, an empty "MAIL FROM" email and a spoofed "From" header in the DATA section.

    I am receiving tons of this kind of email since yesterday, and all my colleagues think they are legitimate since Outlook shows the spoofed From.

     

    $ telnet MY.SEA.FQDN 25
    Trying MY.SEA.IP ...
    Connected to MY.SEA.FQDN.
    Escape character is '^]'.
    220 MY.SEA.FQDN
    HELO myfakehelo
    250 MY.SEA.FQDN
    MAIL FROM:<>
    250 2.1.0 Ok
    RCPT TO:<massimo.forni@mydomain.legit>
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    From: Massimo Forni <massimo.forni@mydomain.legit>
    To: Massimo Forni <massimo.forni@mydomain.legit>
    Date: Thu, 4 May 2017 14:52:00 +0200
    Subject: Test message no real from

    Hello,
    This is just a test messaget without the "MAIL FROM", but whith a spoofed DATA "From".
    Have fun.

    .
    250 2.0.0 Ok: queued as CB9F85AC5_90B240DF
    QUIT
    221 2.0.0 Bye
    Connection closed by foreign host.

     

     

    Shouldn't this trigger some rules? At least the fake FQDN HELO.... ?

    Thanks
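Why the session above is not caught by SPF: with `MAIL FROM:<>` an SPF check falls back to the HELO name (RFC 7208, section 2.4), and the `From:` header inside DATA is never one of the identities it evaluates. The sketch below is an added example, not part of the original post or of the appliance; `PROTECTED`, `spf_identity` and `assess` are hypothetical names, and the sample message is constructed from the test session with an RFC 2047 base64 display name added.

```python
from email import message_from_string, policy
from email.utils import parseaddr

PROTECTED = {"mydomain.legit"}  # assumption: the domains you want to protect

# Constructed sample: headers of the test session, display name base64-encoded.
RAW = (
    "From: =?utf-8?b?TWFzc2ltbyBGb3JuaQ==?= <massimo.forni@mydomain.legit>\r\n"
    "To: Massimo Forni <massimo.forni@mydomain.legit>\r\n"
    "Subject: Test message no real from\r\n"
    "\r\n"
    "Hello\r\n"
)


def spf_identity(helo, mail_from):
    """Which identity SPF evaluates: MAIL FROM, or HELO when the sender is null."""
    if mail_from:
        return "mailfrom", mail_from.rsplit("@", 1)[-1].lower()
    return "helo", helo.lower()


def assess(helo, mail_from, raw_message, protected=PROTECTED):
    """Compare the domain SPF looked at with the domain the mail client displays."""
    msg = message_from_string(raw_message, policy=policy.default)
    # policy.default decodes RFC 2047 words, so encoding does not hide the address
    _, addr = parseaddr(str(msg.get("From", "")))
    header_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    kind, spf_domain = spf_identity(helo, mail_from)
    return {
        "spf_identity": kind,
        "spf_domain": spf_domain,
        "header_from_domain": header_domain,
        "null_sender": mail_from == "",
        # exact-match comparison; subdomains are treated as different domains
        "spoof_suspect": header_domain in protected and spf_domain != header_domain,
    }


if __name__ == "__main__":
    print(assess("myfakehelo", "", RAW))
```

For the envelope used in the test session, the SPF-checked domain is `myfakehelo` while the displayed domain is `mydomain.legit`, which is the mismatch the sender blacklist entry discussed in this thread acts on.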

  • In regards to the spoofed email address, just add mydomain.com to the blacklisted hosts and @mydomain.com to the blacklisted senders. This will prevent any MTA pretending to be (or that resolves to) your domain and any message with anyone@mydomain.com that connected externally.

     

    As for a blank sender... It would impact the overall spam score but would not necessarily automatically trigger 50% spam score. 

     

    I would go over this KB and ensure your spam settings match, specifically: filtering options, delay queue and SMTP settings. But in general everything is important.

    community.sophos.com/.../120802

     

    As for creating a rule, yes it's possible...  However I would NOT recommend it unless it's absolutely necessary.

  • Hi, I do have external services that send legitimate email from our domain, which are included in our SPF record.

    I have checked the KB and my appliance follows the recommendations.

     

    Is it possible at least to check the validity of the HELO/EHLO parameter?

     

    Thanks

     

  • Hi Massimo,

     

    I think there is some confusion about SPF and a From header. SPF checking is done on the connecting MTA IP. SPF is a security feature, not an anti-spam feature.

    The From header of a message is never even looked at until the message is accepted by postfix and delivered to the processing engine (milter). SPF checking is done by postfix.

     

    You may wish to contact support and open a case if you are having spam issues. In the meantime I recommend submitting samples to is-spam@labs.sophos.com

    Just create a new message and drag and drop all of the spam as .eml attachments and send it off.