
SPF Check did not work for all Mails

Hey there,

we found an issue with the SPF-Check feature in our UTM, version 9.705-3.

The SPF record for our domain is set correctly.

If I send a message from a spoofed sender to one receiver in our organisation, the mail is correctly rejected: Abgelehnt: SPF (SPF check failed).

But if I send the same mail to two or more receivers (with the same domain) in our organisation, only the mail to the first receiver is rejected and the second one gets delivered!

If I send a message from a spoofed sender to two receivers (with different domains) in our organisation, both mails get delivered!

If I send a message from a spoofed sender to multiple receivers (with different domains) in our organisation, only the first mail per domain gets rejected and the rest get delivered!

In short: only the mail to the first receiver per domain gets SPF-checked and rejected.

For me this seems like a bug. Can anyone confirm this behavior?

Chris



  • Hallo Chris and welcome to the UTM Community!

    If you want to pursue this here, please show the lines from the SMTP log file related to one of the emails that wasn't rejected, but should have been. Be sure to obfuscate private information.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, I did the upgrade to 9.706 yesterday but nothing changed.

    Here are the lines from the SMTP log. The mail was sent to two recipients in our organisation (with the same domain) but only the first mail (in alphabetical order) was rejected, the second one was delivered to the user. I do not see any entries for the second recipient.

    2021:05:25-09:10:52 XXXXX-2  exim-in[12348]: 2021-05-25 09:10:52 SMTP connection from [194.25.134.21]:43150 (TCP/IP connection count = 2)
    2021:05:25-09:10:52 XXXXX-2 exim-in[17498]: 2021-05-25 09:10:52 H=mailout10.t-online.de [194.25.134.21]:43150 Warning: XXXXXX profile excludes SANDBOX scan
    2021:05:25-09:10:53 XXXXX-2 exim-in[17498]: 2021-05-25 09:10:53 [194.25.134.21] F=<XXXXXX@xxxx.de> R=<XXXXXX@xxxx.de> Verifying recipient address in Active Directory
    2021:05:25-09:10:53 XXXXX-2 exim-in[17498]: 2021-05-25 09:10:53 H=mailout10.t-online.de [194.25.134.21]:43150 Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection to server xxxxxxx:636 - ldap_bind() returned -1
    2021:05:25-09:10:53 XXXXX-2 exim-in[17498]: 2021-05-25 09:10:53 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="194.25.134.21" from="XXXXXX@xxxx.de" to="XXXXXX@xxxx.de" size="3279" reason="spf" extra="SPF check failed"
    2021:05:25-09:10:53 XXXXX-2 exim-in[17498]: 2021-05-25 09:10:53 H=mailout10.t-online.de [194.25.134.21]:43150 X=TLS1.2:AECDH-AES256-SHA:256 CV=no F=<XXXXXX@xxxx.de> rejected RCPT <XXXXXX@xxxx.de>: 194.25.134.21 is not allowed to send mail from XXXXXXX

    2021:05:25-09:10:57 XXXXX exim-in[12348]: 2021-05-25 09:10:57 SMTP connection from [194.25.134.21]:43298 (TCP/IP connection count = 2)
    2021:05:25-09:10:57 XXXXX exim-in[17513]: 2021-05-25 09:10:57 H=mailout10.t-online.de [194.25.134.21]:43298 Warning: XXXXX profile excludes SANDBOX scan
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 H=mailout10.t-online.de [194.25.134.21]:43298 Warning: F=<> R=<c.strobel@bo-wohnungswirtschaft.de> Missing BATV signature
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 [194.25.134.21] F=<> R=<XXXXXX@xxxx.de> Verifying recipient address in Active Directory
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 H=mailout10.t-online.de [194.25.134.21]:43298 Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection to server XXXXXX:636 - ldap_bind() returned -1
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 [194.25.134.21] F=<> R=<XXXXXX@xxxx.de> Accepted: is a bounce
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="194.25.134.21" from="" to="XXXXXX@xxxx.de" subject="" queueid="" size="5559" reason="batv" extra=""
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 H=mailout10.t-online.de [194.25.134.21]:43298 X=TLS1.2:AECDH-AES256-SHA:256 CV=no rejected DATA
    2021:05:25-09:10:58 XXXXX-2 exim-in[17513]: 2021-05-25 09:10:58 SMTP connection from mailout10.t-online.de [194.25.134.21]:43298 closed by DROP in ACL

     This is what I see in the mail manager.

  • Chris, it looks like the second email was a spoofed bounce from the same attacker and that it was rejected because it didn't contain a valid BATV signature.  SPF isn't checked for an email that appears to have been sent by one of your colleagues and bounced by the recipient's mail system.

    What evidence do you have that an email was delivered that should have been rejected?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
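To make the distinction Bob draws visible directly from the log, here is an added Python helper (not part of the thread or of Sophos UTM) that correlates each `email rejected` event with the envelope sender seen in the `F=<...> R=<...>` line of the same exim-in process, so an SPF rejection of a spoofed sender and a BATV rejection of an empty-sender bounce can be told apart. The sample lines are constructed to match the UTM log format quoted above, with placeholder addresses and IPs.

```python
import re
from typing import Dict, List

# Constructed sample lines in the Sophos UTM exim-in log format quoted in the
# thread; hostnames, addresses and IPs are placeholders, not real data.
SAMPLE_LOG = """\
2021:05:25-09:10:53 utm-2 exim-in[17498]: 2021-05-25 09:10:53 [192.0.2.10] F=<boss@example.org> R=<a.user@example.org> Verifying recipient address in Active Directory
2021:05:25-09:10:53 utm-2 exim-in[17498]: 2021-05-25 09:10:53 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="boss@example.org" to="a.user@example.org" size="3279" reason="spf" extra="SPF check failed"
2021:05:25-09:10:58 utm-2 exim-in[17513]: 2021-05-25 09:10:58 [192.0.2.10] F=<> R=<b.user@example.org> Accepted: is a bounce
2021:05:25-09:10:58 utm-2 exim-in[17513]: 2021-05-25 09:10:58 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="" to="b.user@example.org" subject="" queueid="" size="5559" reason="batv" extra=""
"""

PID_RE = re.compile(r"exim-in\[(\d+)\]")          # exim child process id
KV_RE = re.compile(r'(\w+)="([^"]*)"')             # key="value" fields
ENV_RE = re.compile(r"F=<([^>]*)> R=<([^>]*)>")    # envelope sender/recipient

def summarize_rejections(log_text: str) -> List[Dict[str, str]]:
    """Return one record per 'email rejected' event.

    The envelope sender from the F=<...> line of the same process shows
    whether the message was a bounce (empty reverse path), which is the
    case the UTM subjects to BATV rather than SPF."""
    envelope_by_pid: Dict[str, str] = {}
    results: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid = m.group(1)
        env = ENV_RE.search(line)
        if env:
            envelope_by_pid[pid] = env.group(1)  # "" for a bounce
        fields = dict(KV_RE.findall(line))
        if fields.get("name") != "email rejected":
            continue
        sender = envelope_by_pid.get(pid, fields.get("from", ""))
        results.append({
            "pid": pid,
            "from": sender,
            "to": fields.get("to", ""),
            "reason": fields.get("reason", ""),
            "bounce": "yes" if sender == "" else "no",
        })
    return results

if __name__ == "__main__":
    for record in summarize_rejections(SAMPLE_LOG):
        print(record)
```

On the constructed sample this yields one record with reason `spf` for the spoofed sender and one with reason `batv` flagged as a bounce, i.e. both messages were rejected, just by different checks.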