
SPF Check not working

Sorry, my English is not the best.

We have set up an SPF record for our domain. The SPF record checker reports everything is OK.

SPF check is activated on the UTM. If we get a mail from "copy@mydomain.com" to copy@mydomain.com from an IP not registered in SPF and this mail contains an attachment, the mail passes and gets delivered. In this case a .docm file with Locky was delivered to a user.

We have no sandboxing licence, but I think the SPF check didn't work in this case, or did I make a mistake?



  • You can check if your SPF record is correct here: http://mxtoolbox.com/spf.aspx

    I also blacklisted my domain under E-Mail Protection -> SMTP -> Antispam -> Sender Blacklist

    the new sophos board sucks... :-( please give us the old one back.

  • Same issue here!
    UTM 9 up to date at 9.404-5, SPF check on incoming emails for the openimpact.be domain, SPF record in place and tested through several online SPF checkers, but the mails (with the docm attachments) keep coming through... It has been like this for a while now... No real clue when it started, whether after some update or whatever...

    I suspect the SPF check or mail scanner is not doing what it needs to for some reason on SPF records...

    Any idea?

  • Hi,

    Please post the header of the actual spam mail.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I have also been getting many, many spam emails from within our company. This problem has become rampant since the beginning of June. Here is an example of a spoofed email header. We have SPF check enabled as well.

    Received: from NWS-EX2013.nws.local (192.168.1.6) by NWS-EX2013.nws.local
        (192.168.1.6) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Mailbox
        Transport; Tue, 19 Jul 2016 15:19:28 -0500
    Received: from NWS-EX2013.nws.local (192.168.1.6) by NWS-EX2013.nws.local
        (192.168.1.6) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 19 Jul
        2016 15:19:27 -0500
    Received: from mail.northernwholesale.com (192.168.1.56) by
        NWS-EX2013.nws.local (192.168.1.6) with Microsoft SMTP Server (TLS) id
        15.0.1076.9 via Frontend Transport; Tue, 19 Jul 2016 15:19:27 -0500
    Received: from [189.121.89.181] (port=19292 helo=bd7959b5.virtua.com.br)
        by mail.northernwholesale.com with esmtp (Exim 4.82_1-5b7a7c0-XX)
        (envelope-from <johnp@northernwholesale.com>)
        id 1bPbUD-0004Q9-0P
        for johnp@northernwholesale.com; Tue, 19 Jul 2016 15:19:25 -0500
    Date: Tue, 19 Jul 2016 12:49:58 -0400
    From: <johnp@northernwholesale.com>
    X-Priority: 3
    Message-ID: <141256082.201607191319@northernwholesale.com>
    To: <johnp@northernwholesale.com>
    Subject: Re: Salary [$1000 /week]
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----------45D11AEE938E256"
    Return-Path: johnp@northernwholesale.com
    X-MS-Exchange-Organization-Network-Message-Id: 9458fd11-21f4-4d10-94b8-08d3b011fc09
    X-MS-Exchange-Organization-AuthSource: NWS-EX2013.nws.local
    X-MS-Exchange-Organization-AuthAs: Anonymous

  • If you're not getting mails with your domain from external sources, just blacklist your domain under E-Mail Protection -> SMTP -> Antispam -> Sender Blacklist

    ->

    *@yourTLD.com

    the new sophos board sucks... :-( please give us the old one back.

  • OK. So if I do this then I will not get spam from our email address that is actually from an outside source. But I will still be able to receive emails from within the company. Correct?

  • Yep, exactly ;).

    the new sophos board sucks... :-( please give us the old one back.

  • Hi,

    SSH to the UTM, execute "dig -tTXT domain.com" and post the output.

    Is there any receiving MTA (transparent or not) in front of the UTM on the path of incoming mails?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • It would be interesting to see the SMTP log lines related to this email.  Also, is 'Scan relayed (outgoing) messages' selected?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • So this is what it turns out was our issue. For some reason in the past, before I was hired on here, someone added our domain to the Exceptions tab under a SKIP SPAM list. Being on this list caused any email, legitimate or not, that used our domain to skip any of the spam checks, including the SPF check. I removed our domain from this list yesterday and have yet to receive any spam emails that appear to be coming from internally. This was the way this has always been set up and it had never been an issue before. I believe after one of the recent updates this started occurring. Hopefully the spam stays away this time.
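The two findings in this thread fit together: the header posted earlier shows an outside host (189.121.89.181) handing a message with envelope-from johnp@northernwholesale.com to the organisation's own border MTA, and the last post explains that the domain sat on a skip-spam exception list, so SPF was never consulted. The script below is an added example, not Sophos UTM code and not the thread participants' code. It unfolds that Received chain, finds the hop at which the message entered from the internet, evaluates the envelope-from domain against an SPF record, and models a gateway whose sender-domain exceptions bypass the check. The SPF record (built from documentation address space, not the domain's real record), the exception list and the deliver/reject policy are constructed for illustration.

```python
"""Offline SPF walk-through for the spoofed-sender case in this thread.
Added example; not Sophos UTM code. SPF record and policy are constructed."""
import ipaddress
import re

# Received chain and sender headers as posted in the thread, re-folded into
# RFC 5322 continuation lines (constructed excerpt of that post).
RAW_HEADERS = """\
Received: from NWS-EX2013.nws.local (192.168.1.6) by NWS-EX2013.nws.local
 (192.168.1.6) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Mailbox
 Transport; Tue, 19 Jul 2016 15:19:28 -0500
Received: from mail.northernwholesale.com (192.168.1.56) by
 NWS-EX2013.nws.local (192.168.1.6) with Microsoft SMTP Server (TLS) id
 15.0.1076.9 via Frontend Transport; Tue, 19 Jul 2016 15:19:27 -0500
Received: from [189.121.89.181] (port=19292 helo=bd7959b5.virtua.com.br)
 by mail.northernwholesale.com with esmtp (Exim 4.82_1-5b7a7c0-XX)
 (envelope-from <johnp@northernwholesale.com>)
 id 1bPbUD-0004Q9-0P
 for johnp@northernwholesale.com; Tue, 19 Jul 2016 15:19:25 -0500
From: <johnp@northernwholesale.com>
Return-Path: johnp@northernwholesale.com
"""

# Constructed SPF record standing in for what "dig -tTXT" would return.
# NOT the domain's real record; 203.0.113.0/24 is documentation space.
SPF_RECORDS = {
    "northernwholesale.com": "v=spf1 ip4:203.0.113.25 ip4:203.0.113.32/28 -all",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold(raw):
    """Join folded header continuation lines into one logical line each."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()


def first_external_hop(headers):
    """IP of the hop that handed the message to the border MTA.
    Received headers are newest-first, so the first non-RFC1918 'from'
    address is the internet-facing hop; lines below it are untrusted."""
    for line in headers:
        if not line.lower().startswith("received:"):
            continue
        m = re.search(r"\bfrom\s.*?(" + IPV4 + ")", line)
        if m and not ipaddress.ip_address(m.group(1)).is_private:
            return m.group(1)
    return None


def envelope_from(headers):
    """Envelope sender (MAIL FROM) from the Received trace, else Return-Path."""
    for line in headers:
        m = re.search(r"envelope-from\s+<([^>]+)>", line)
        if m:
            return m.group(1)
    for line in headers:
        if line.lower().startswith("return-path:"):
            return line.split(":", 1)[1].strip().strip("<>")
    return None


def spf_check(domain, ip, records):
    """Evaluate the RFC 7208 subset needed here: ip4, include and all."""
    record = records.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return results[qualifier]
        if mechanism == "ip4" and addr in ipaddress.ip_network(argument, strict=False):
            return results[qualifier]
        if mechanism == "include" and spf_check(argument, ip, records) == "pass":
            return results[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def gateway_decision(raw_headers, records, skip_spam_domains=()):
    """Model the gateway: a sender-domain exception bypasses SPF entirely."""
    headers = unfold(raw_headers)
    ip = first_external_hop(headers)
    sender = envelope_from(headers)
    domain = sender.rpartition("@")[2].lower()
    if domain in {d.lower() for d in skip_spam_domains}:
        spf = "skipped"  # exception list is consulted before any check runs
    else:
        spf = spf_check(domain, ip, records)
    action = "reject" if spf == "fail" else "deliver"
    return {"ip": ip, "sender": sender, "spf": spf, "action": action}


if __name__ == "__main__":
    print(gateway_decision(RAW_HEADERS, SPF_RECORDS))
    print(gateway_decision(RAW_HEADERS, SPF_RECORDS, {"northernwholesale.com"}))
```

With the domain off the exception list the message gets SPF "fail" and is rejected; with the domain on the list the same message is delivered without SPF ever running, which is the behaviour the last post describes. The script reads a static record only; replacing `SPF_RECORDS` with the output of the `dig -tTXT` command suggested above turns it into a check against the live record.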