This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SPF Check not working on UTM 9

Sophos UTM 9 Version 9.705-3

We had yesterday an Phishing Mail attack with pishing mails, that were sent from a fake address with our own domain.

They were sent from random hosting servers and were not blocked by the SPF check. Even though this servers aren't permitted over the SPF entry.

This thread was automatically locked due to age.

Top Replies

dirkkotte over 2 years ago in reply to NewCom23 +1 verified

Hi, please test your domain at https://www.kitterman.com/spf/validate.html You would see an error for a single ip. This will kill your SPF-record ... details: there are "include:" parte within…

0 dirkkotte over 2 years ago

you don't have an exception for your domain?

can you send the SPF record (possible via PM)

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago

Agreed with Dirk - you will want someone else to check your SPF configuration first. Ihr spricht beide Deutsch.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 NewCom23 over 2 years ago in reply to dirkkotte

There is no exception for our domain and synchronization@ is also an invalid address.
Cancel
Vote Up 0 Vote Down

Cancel
0 NewCom23 over 2 years ago in reply to BAlfson

Thanks for the hint, we can stay in english so more people can read it.
Cancel
Vote Up 0 Vote Down

Cancel
0 admin888 over 2 years ago

Since you can't really configure anything SPF wise on the UTM other than turning it on or off, I would also suspect the SPF record. I would first validate the record via this tool: https://www.kitterman.com/spf/validate.html?

This is our SPF record which works with the UTM: v=spf1 mx -all (it permits all IPs listed in the MX record of our domain):
Cancel
Vote Up 0 Vote Down

Cancel

0 NewCom23 over 2 years ago in reply to admin888

That is our spf record
v=spf1 a mx include:XXXX include:XXXX a:XXXX include:XXXX -all

0 admin888 over 2 years ago in reply to NewCom23

That seems fine, I would still verify with the test:

Can you also post the header of one of the spam e-mails, only replacing your domain?
Cancel
Vote Up 0 Vote Down

Cancel

0 NewCom23 over 2 years ago in reply to admin888

<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Betreff:
</th>
<td>xxx— Your sync has failed</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Datum: </th>
<td>Tue, 25 May 2021 13:39:31 +0300</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Von: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:synchronization@xxx.de">synchronization@xxx.de</a>
<a class="moz-txt-link-rfc2396E" href="mailto:synchronization@xxx.de"><synchronization@xxx.de></a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">An: </th>
<td>xxx<a class="moz-txt-link-rfc2396E" href="mailto:xxx@xxx"><xxx@xxx.de></a></td>
</tr>
</tbody>
</table>
<br>
<br>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
</div>
<div>
</div>
<div>
<div>
<div>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td style="padding:24px 24px 8px 24px; max-width:592px">
<table class="x_qdwcfe" style="vertical-align:middle;
background-color:white" width="100%" cellspacing="0"
cellpadding="0" border="0">
</table>
<img src="data:image/png;base64,

moz-do-not-send="true"> <br>
<br>
<div>
<div dir="ltr">
<div>
<div>
<p id="x_efversd" style="color:#222222;
font-size:16pt; font-family:Segoe UI
Light,Segoe UI Bold; margin-top:0;
margin-bottom:0">
<b>You have 2 important
messages that have not
reached you </b>
<br>
</p>
<div id="x_erfger"><span
style="color:rgb(34,34,34);
font-size:13pt; font-family:serif">Priority:</span>
<span style="color:darkorange;
font-size:15pt">●</span> <span
style="color:rgb(34,34,34);
font-size:13pt; font-family:"Segoe UI
Light",serif">
High</span> </div>
<div id="x_ewfdd"><span
style="color:rgb(34,34,34);
font-size:13pt; font-family:serif">Time:</span>
<span style="color:rgb(34,34,34);
font-size:13pt; font-family:"Segoe UI
Light",serif">
5/25/2021 1:39:31 PM (UTC)</span> </div>
<div id="x_ewfew"><span
style="color:rgb(34,34,34);
font-size:13pt; font-family:serif">User:</span>
<span style="color:rgb(34,34,34);
font-size:13pt; font-family:"Segoe UI
Light",serif">
<a class="moz-txt-link-abbreviated" href="mailto:xxx@xxx.de">xxx@xxx.de</a></span> </div>
<div id="x_frefrefr"><span
style="color:rgb(34,34,34);
font-size:13pt; font-family:serif">Details:
</span><span style="color:rgb(34,34,34);
font-size:13pt; font-family:"Segoe UI
Light",serif">The alert is
triggered when user
have error in mail sync.</span>
</div>
<div id="x_defewsc" style="margin-top:10px">
<table cellpadding="0" border="0">
<tbody>
<tr>
<td style="background-color:#2172B9"
align="center"><a
href="">zimbralogin.website.yandexcloud.net
target="_blank" rel="noopener
noreferrer" style="color:white;
font-size:15pt; font-family:Segoe
UI; background-color:#2172B9;
display:inline-block;
text-decoration:none; padding:6px
20px; border:1px solid #2172B9"
moz-do-not-send="true">View
messages </a></td>
</tr>
</tbody>
</table>
</div>
<p style="color:#222222; font-size:13pt;
font-family:Segoe UI Light; margin-top:0;
margin-bottom:0"><br>
Thank you, <br>
The Zimbra Team </p>
<hr>
<p style="color:#666666; font-size:8pt;
font-family:Segoe UI Light; margin-top:0;
margin-bottom:0">
©2021 Zimbra, Inc. All rights
reserved</p>
</div>
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</body>
</html>

+1 dirkkotte over 2 years ago in reply to NewCom23

Hi,

please test your domain at https://www.kitterman.com/spf/validate.html

You would see an error for a single ip.

This will kill your SPF-record ...

details: there are "include:" parte within SPF-record and one has syntax errors (missing "ip4:"):

"v=spf1 ip4:zz.zzz.zzz.zz ip4:zz.zzz.zzz.zzz ip4:zz.zzz.zzz.zzz zzz.zzz.zz.zzz zz.zzz.zzz.zz ~all"

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up +1 Vote Down

Cancel
0 NewCom23 over 2 years ago in reply to dirkkotte

Well it's right, that the SPF-Record had an broken entry and that the sophos utm spf check failed from that. But our newsletter service contractor says, it's an sophos utm (exim) specific behaviour. He tested it with postfix and there the spf-record keeps working even with the partly broken spf-record.

Anyone any idea on that?

There is an exim high priority update on my sophos (version 9.705-3 --> 9.705-7). Maybe that has anything to do with it? @BAlfons
Cancel
Vote Up 0 Vote Down

Cancel