
SPF Check not working on UTM 9

Sophos UTM 9 Version 9.705-3

Yesterday we had a phishing mail attack with phishing mails that were sent from a fake address on our own domain.

They were sent from random hosting servers and were not blocked by the SPF check, even though these servers aren't permitted by the SPF record.



  • You don't have an exception for your domain?

    Can you send the SPF record (possibly via PM)?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Agreed with Dirk - you will want someone else to check your SPF configuration first. You both speak German.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • There is no exception for our domain and synchronization@ is also an invalid address.

  • Thanks for the hint, we can stay in english so more people can read it.

  • Since you can't really configure anything SPF-wise on the UTM other than turning it on or off, I would also suspect the SPF record. I would first validate the record via this tool: https://www.kitterman.com/spf/validate.html

    This is our SPF record which works with the UTM: v=spf1 mx -all (it permits all IPs listed in the MX record of our domain): 

  • That is our SPF record:
    v=spf1 a mx include:XXXX include:XXXX a:XXXX include:XXXX -all
  • That seems fine; I would still verify with the test.

    Can you also post the header of one of the spam e-mails, only replacing your domain?

  • Subject: xxx— Your sync has failed
    Date: Tue, 25 May 2021 13:39:31 +0300
    From: synchronization@xxx.de <synchronization@xxx.de>
    To: xxx <xxx@xxx.de>

    HTML body, rendered as text (the inline base64 image data is elided in the post):

    You have 2 important messages that have not reached you
    Priority: ● High
    Time: 5/25/2021 1:39:31 PM (UTC)
    User: xxx@xxx.de
    Details: The alert is triggered when user have error in mail sync.
    [View messages] button; link target in the source: zimbralogin.website.yandexcloud.net

    Thank you,
    The Zimbra Team
    ----
    ©2021 Zimbra, Inc. All rights reserved

  • Hi,

    Please test your domain at https://www.kitterman.com/spf/validate.html

    You would see an error for a single IP.

    This will kill your SPF record ...

    Details: there are "include:" parts within the SPF record and one of them has syntax errors (missing "ip4:"):

    "v=spf1 ip4:zz.zzz.zzz.zz ip4:zz.zzz.zzz.zzz ip4:zz.zzz.zzz.zzz zzz.zzz.zz.zzz zz.zzz.zzz.zz ~all"


    Dirk

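The following is an added example, not code from the thread, from Sophos, Exim or Postfix: a minimal RFC 7208 evaluator that shows what the diagnosis above (bare IP addresses without "ip4:" inside an included record) does to the result, and also evaluates the plain "v=spf1 mx -all" record mentioned earlier in the thread. All zone data is constructed for the example; the domains example.de, example-fixed.de, _spf.broken.example, _spf.fixed.example, _spf.hosting.example and utm.example and every address are assumptions.

```python
"""Minimal RFC 7208 SPF evaluator over an in-memory DNS, to show what a
missing "ip4:" prefix inside an include: record does to the result.
All zone data here is constructed for the example, not taken from the thread."""
import ipaddress
import re

# Constructed TXT/MX/A data (assumption: stands in for live DNS lookups).
DNS_TXT = {
    # sender domain shaped like the record posted in the thread
    "example.de": "v=spf1 a mx include:_spf.broken.example include:_spf.hosting.example -all",
    # same domain after the contractor fixes its include
    "example-fixed.de": "v=spf1 a mx include:_spf.fixed.example include:_spf.hosting.example -all",
    # contractor's record: two addresses lack the "ip4:" prefix
    "_spf.broken.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 198.51.100.5 198.51.100.6 ~all",
    "_spf.fixed.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:198.51.100.5 ip4:198.51.100.6 ~all",
    "_spf.hosting.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # the "v=spf1 mx -all" record mentioned earlier in the thread
    "utm.example": "v=spf1 mx -all",
}
DNS_MX = {"example.de": ["mail.example.de"], "example-fixed.de": ["mail.example.de"],
          "utm.example": ["mail.example.de"]}
DNS_A = {"example.de": ["203.0.113.25"], "example-fixed.de": ["203.0.113.25"],
         "mail.example.de": ["203.0.113.30"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral", None: "pass"}
MECHANISM_RE = re.compile(
    r"^(?P<q>[+\-~?])?(?P<mech>all|include|a|mx|ip4|ip6|ptr|exists)"
    r"(?::(?P<arg>[^/]+))?(?:/(?P<cidr>\d{1,3}))?$", re.IGNORECASE)
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")   # redirect=, exp=, unknown=...


def bad_terms(record):
    """Terms that are neither a mechanism nor a modifier, i.e. syntax errors."""
    return [t for t in record.split()[1:]
            if not MODIFIER_RE.match(t) and not MECHANISM_RE.match(t)]


def _matches_hosts(ip, hosts, cidr):
    """True if ip falls within any A record of the given hosts (optional CIDR)."""
    for host in hosts:
        for addr in DNS_A.get(host.lower(), []):
            if ip in ipaddress.ip_network(f"{addr}/{cidr or 32}", strict=False):
                return True
    return False


def check_host(ip, domain, depth=0):
    """RFC 7208 check_host() for the all, ip4, a, mx and include mechanisms."""
    ip = ipaddress.ip_address(ip)
    record = DNS_TXT.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"                     # no SPF record published
    if depth > 10:
        return "permerror"                # simplified form of the section 4.6.4 lookup limit
    for term in record.split()[1:]:
        if MODIFIER_RE.match(term):
            continue                      # modifiers are not needed for the examples here
        m = MECHANISM_RE.match(term)
        if not m:
            return "permerror"            # section 4.6: a syntax error invalidates the whole record
        result = QUALIFIERS[m.group("q")]
        mech, arg, cidr = m.group("mech").lower(), m.group("arg"), m.group("cidr")
        if mech == "all":
            return result
        if mech == "ip4":
            try:
                net = ipaddress.ip_network(f"{arg}/{cidr or 32}", strict=False)
            except ValueError:
                return "permerror"
            if ip in net:
                return result
        elif mech == "a":
            if _matches_hosts(ip, [arg or domain], cidr):
                return result
        elif mech == "mx":
            if _matches_hosts(ip, DNS_MX.get((arg or domain).lower(), []), cidr):
                return result
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"        # section 5.2: include of a missing or broken record
            # fail, softfail, neutral: no match, continue with the next term
        else:
            raise NotImplementedError(f"{mech} is not modelled in this example")
    return "neutral"                      # section 4.7: nothing matched


if __name__ == "__main__":
    print("syntax errors in the broken include:", bad_terms(DNS_TXT["_spf.broken.example"]))
    for sender_ip in ("198.51.100.5", "203.0.113.77", "198.51.100.99"):
        print(sender_ip, "broken:", check_host(sender_ip, "example.de"),
              "fixed:", check_host(sender_ip, "example-fixed.de"))
```

With the broken include, a forged mail from an unrelated hosting server (198.51.100.99) yields permerror instead of fail, and so does mail from the contractor's own 198.51.100.5 and from the hosting range that a later include would have authorised, because evaluation never reaches it. With the corrected include the same senders get fail, pass and pass. What a receiving MTA does with permerror, as opposed to fail, is local policy, which is why two SPF implementations can treat the same broken record differently.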

  • Well, it's right that the SPF record had a broken entry and that the Sophos UTM SPF check failed because of that. But our newsletter service contractor says it's a Sophos UTM (Exim) specific behaviour. He tested it with Postfix, and there the SPF record keeps working even with the partly broken SPF record.


    Anyone any idea on that?

    There is an Exim high priority update on my Sophos (version 9.705-3 --> 9.705-7). Maybe that has something to do with it? @BAlfons