This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SPF Check not working on UTM 9

Sophos UTM 9 Version 9.705-3

Yesterday we had a phishing mail attack with phishing mails that were sent from a fake address with our own domain.

They were sent from random hosting servers and were not blocked by the SPF check, even though these servers aren't permitted by the SPF entry.



  • That seems fine, I would still verify with the test:

    Can you also post the header of one of the spam e-mails, only replacing your domain?

  • Subject: xxx— Your sync has failed
    Date: Tue, 25 May 2021 13:39:31 +0300
    From: synchronization@xxx.de <synchronization@xxx.de>
    To: xxx <xxx@xxx.de>

    (HTML body of the mail, rendered as text; the embedded base64 image was truncated in the paste)

    You have 2 important messages that have not reached you
    Priority: ● High
    Time: 5/25/2021 1:39:31 PM (UTC)
    User: xxx@xxx.de
    Details: The alert is triggered when user have error in mail sync.
    [View messages] (link to zimbralogin.website.yandexcloud.net)

    Thank you,
    The Zimbra Team

    ©2021 Zimbra, Inc. All rights reserved

  • Hi,

    please test your domain at https://www.kitterman.com/spf/validate.html

    You would see an error for a single ip.

    This will kill your SPF-record ...

    details: there are "include:" parts within the SPF record and one has syntax errors (missing "ip4:"):

    "v=spf1 ip4:zz.zzz.zzz.zz ip4:zz.zzz.zzz.zzz ip4:zz.zzz.zzz.zzz zzz.zzz.zz.zzz zz.zzz.zzz.zz ~all"


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Well, it's right that the SPF record had a broken entry and that the Sophos UTM SPF check failed because of that. But our newsletter service contractor says it's a Sophos UTM (Exim) specific behaviour. He tested it with Postfix and there the SPF record keeps working even with the partly broken SPF record.


    Anyone any idea on that?

    There is an Exim high priority update on my Sophos (version 9.705-3 --> 9.705-7). Maybe that has something to do with it? @BAlfons

  • I don't think so.  That's in response to the 21 Nails threat.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • SPF behavior depends on the implementation.    An invalid clause, or an unresolvable include, should always trigger PERMERROR, so UTM is behaving correctly.   

    But a savvy implementation can try to work with what it has.   I use an implementation of SPF which has a selectable level of strictness.   In the relaxed mode, which I use, it can return two results:  PERMERROR because of the syntax problem, and a second result based on whatever could be determined from the valid clauses.

    My complaints against the UTM implementation of SPF include:

    - Difficult or impossible to create an exception that says, "If SMTP domain is Example.com, and the host name ends with Outlook.com, and the host name forward-confirms to the IP address, then treat the message equivalent to SPF PASS".  This is a typical SPF policy error.

    - Impossible to run in test mode to see which domains have SPF errors, so that exceptions can be created before I begin enforcing SPF.

    My configuration solves that. It uses SmarterMail (free version) from SmarterTools.com as the incoming gateway, Declude (also free) from MailsBestFriend.com as a filtering engine underneath SmarterMail, and our own customization scripts to call the Python PYSPF library (also free). The SmarterMail/Declude/Python configuration receives incoming mail first, then hands it off to the UTM spam filter for additional testing, before passing the allowed messages to my mail server.

    MailsBestFriend can provide per-hour services to help you get started with SmarterMail and Declude,
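Two posts above describe the same SPF behaviour from different angles: Dirk's reply shows a record whose bare addresses are missing the "ip4:" prefix, and the last reply explains that a syntax error anywhere in the record must produce PERMERROR, while a relaxed implementation can additionally report what the valid clauses would have said. The following added example (written for this thread, not code from Sophos UTM, Exim, Postfix or pyspf) implements a minimal offline SPF evaluator that shows both modes. The records are constructed to mirror the shape of the obfuscated one in Dirk's post; mechanisms that need DNS (a, mx, include, exists, ptr) are parsed but treated as non-matching, which is an assumption of this offline example.

```python
import ipaddress
import re

# Constructed records (not the thread's real record). BROKEN_RECORD mirrors the shape
# of the obfuscated record in Dirk's reply: three valid ip4: mechanisms, then two
# bare addresses with the "ip4:" prefix missing, then ~all.
BROKEN_RECORD = ("v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:192.0.2.12 "
                 "198.51.100.20 198.51.100.21 ~all")
FIXED_RECORD = ("v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:192.0.2.12 "
                "ip4:198.51.100.20 ip4:198.51.100.21 ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms defined in RFC 7208; redirect/exp are modifiers, accepted but not evaluated.
KNOWN_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}
KNOWN_MODIFIERS = {"redirect", "exp"}
# qualifier, name, optional separator (":" "=" "/") and argument
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:([:=/])(.*))?$")


def parse_record(record):
    """Split an SPF record into terms and collect syntax errors.

    Returns (terms, errors). Each term is (result_if_matched, mechanism, argument);
    for ip4/ip6 the argument is an ipaddress network object.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return [], ["record does not start with v=spf1"]
    terms, errors = [], []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if m is None:
            # e.g. a bare "198.51.100.20": not a mechanism name, so a syntax error
            errors.append(f"bare token is not a mechanism: {tok!r}")
            continue
        qual = m.group(1) or "+"
        name, sep, arg = m.group(2).lower(), m.group(3), m.group(4)
        if name in KNOWN_MODIFIERS and sep == "=":
            continue  # syntactically fine, not evaluated in this example
        if name not in KNOWN_MECHANISMS:
            errors.append(f"unknown mechanism: {tok!r}")
            continue
        if name in ("ip4", "ip6"):
            try:
                arg = ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                errors.append(f"malformed address in {tok!r}")
                continue
        terms.append((QUALIFIERS[qual], name, arg))
    return terms, errors


def best_effort_result(terms, client_ip):
    """Walk the parsed terms left to right for the mechanisms that can be checked
    offline (ip4, ip6, all). DNS-based mechanisms are treated as non-matching here,
    an assumption of this offline example rather than real SPF behaviour."""
    ip = ipaddress.ip_address(client_ip)
    for result, name, arg in terms:
        if name == "all":
            return result
        if name in ("ip4", "ip6") and ip.version == arg.version and ip in arg:
            return result
    return "neutral"  # default when nothing matched (RFC 7208 section 4.7)


def check_host(record, client_ip, mode="strict"):
    """Return (result, best_effort).

    strict:  any syntax error -> ("permerror", None), as RFC 7208 section 4.6 requires
             and as the thread reports for UTM/Exim.
    relaxed: ("permerror", <result from the clauses that did parse>), the two-result
             style the last reply describes for its own implementation.
    A clean record returns the same result twice.
    """
    terms, errors = parse_record(record)
    if not errors:
        r = best_effort_result(terms, client_ip)
        return r, r
    if mode == "strict":
        return "permerror", None
    return "permerror", best_effort_result(terms, client_ip)


if __name__ == "__main__":
    for rec in (BROKEN_RECORD, FIXED_RECORD):
        _, errs = parse_record(rec)
        print(rec)
        print("  syntax errors:", errs or "none")
        for ip in ("198.51.100.20", "203.0.113.5"):
            print(f"  {ip}: strict={check_host(rec, ip)}  "
                  f"relaxed={check_host(rec, ip, 'relaxed')}")
```

Running it shows why a relaxed evaluator does not rescue the situation in the thread: the hosts whose entries lost their "ip4:" prefix are no longer listed at all, so even the best-effort result for them is softfail (from `~all`), and an unlisted sender gets softfail rather than fail. Whether a gateway rejects on softfail or only on fail/permerror is a policy setting, so the record itself has to be repaired before either strict or relaxed checking can authorize the newsletter hosts.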