
SPF Check not working

Sorry, my English is not the best.

We have set up an SPF record for our domain. The SPF record checker reports everything is OK.

SPF check is activated on the UTM. If we get a mail from "copy@mydomain.com" to copy@mydomain.com from an IP that is not registered in SPF, and this mail contains an attachment, the mail will pass and gets delivered. In this case a docm file with Locky was delivered to the user.

We have no sandboxing licence, but I think the SPF check didn't work in this case, or did I make a mistake?



  • Hi,

    Please post the header of the actual spam mail.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I have also been getting many, many spam emails from within our company.  This problem has become rampant since the beginning of June.  Here is an example of a spoofed email header.  We have SPF check enabled as well.

    Received: from NWS-EX2013.nws.local (192.168.1.6) by NWS-EX2013.nws.local
     (192.168.1.6) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Mailbox
     Transport; Tue, 19 Jul 2016 15:19:28 -0500
    Received: from NWS-EX2013.nws.local (192.168.1.6) by NWS-EX2013.nws.local
     (192.168.1.6) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 19 Jul
     2016 15:19:27 -0500
    Received: from mail.northernwholesale.com (192.168.1.56) by
     NWS-EX2013.nws.local (192.168.1.6) with Microsoft SMTP Server (TLS) id
     15.0.1076.9 via Frontend Transport; Tue, 19 Jul 2016 15:19:27 -0500
    Received: from [189.121.89.181] (port=19292 helo=bd7959b5.virtua.com.br)
                    by mail.northernwholesale.com with esmtp (Exim 4.82_1-5b7a7c0-XX)
                    (envelope-from <johnp@northernwholesale.com>)
                    id 1bPbUD-0004Q9-0P
                    for johnp@northernwholesale.com; Tue, 19 Jul 2016 15:19:25 -0500
    Date: Tue, 19 Jul 2016 12:49:58 -0400
    From: <johnp@northernwholesale.com>
    X-Priority: 3
    Message-ID: <141256082.201607191319@northernwholesale.com>
    To: <johnp@northernwholesale.com>
    Subject: Re: Salary [$1000 /week]
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----------45D11AEE938E256"
    Return-Path: johnp@northernwholesale.com
    X-MS-Exchange-Organization-Network-Message-Id: 9458fd11-21f4-4d10-94b8-08d3b011fc09
    X-MS-Exchange-Organization-AuthSource: NWS-EX2013.nws.local
    X-MS-Exchange-Organization-AuthAs: Anonymous

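An added triage example, not part of the original thread and not Sophos code: SPF is evaluated against the envelope sender and the connecting IP, so this sketch finds the first external hop in the Received chain posted above, pulls out those two values, and checks the IP against an SPF record. The record, the function names and the reduced evaluator (only `ip4` and `all` terms) are assumptions made for illustration; the thread never shows the domain's real record.

```python
import ipaddress
import re

# Received lines from the header posted above, unfolded and trimmed, newest hop first.
RECEIVED = [
    "from NWS-EX2013.nws.local (192.168.1.6) by NWS-EX2013.nws.local (192.168.1.6) "
    "with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Mailbox Transport",
    "from mail.northernwholesale.com (192.168.1.56) by NWS-EX2013.nws.local (192.168.1.6) "
    "with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Frontend Transport",
    "from [189.121.89.181] (port=19292 helo=bd7959b5.virtua.com.br) "
    "by mail.northernwholesale.com with esmtp (Exim 4.82_1-5b7a7c0-XX) "
    "(envelope-from <johnp@northernwholesale.com>) id 1bPbUD-0004Q9-0P",
]
# Constructed SPF record (documentation range); the thread never shows the real one.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

HOP_RE = re.compile(r"^from\s+(?:\[([\d.]+)\]|\S+\s+\(([\d.]+)\))")
ENV_RE = re.compile(r"envelope-from <([^>]+)>")

def client_ip(received):
    """IP of the host that connected for this hop, or None if not parseable."""
    m = HOP_RE.match(received)
    return ipaddress.ip_address(m.group(1) or m.group(2)) if m else None

def first_external_hop(hops):
    """Walk from the newest hop down; return the first one with a public client IP."""
    for hop in hops:
        ip = client_ip(hop)
        if ip is not None and not ip.is_private:
            return hop
    return None

def spf_ip4_result(record, ip):
    """Evaluate only ip4 and all terms; include/a/mx/redirect are ignored here."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in qualifiers else ("+", term)
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return qualifiers[qual]
        if mech == "all":
            return qualifiers[qual]
    return "neutral"

def triage(hops, record):
    """Return (connecting IP, envelope sender, SPF result) for the boundary hop."""
    hop = first_external_hop(hops)
    if hop is None:
        return None
    ip = client_ip(hop)
    env = ENV_RE.search(hop)
    return str(ip), env.group(1) if env else None, spf_ip4_result(record, ip)

if __name__ == "__main__":
    print(triage(RECEIVED, SPF_RECORD))
```

The result depends on the qualifier of the record's `all` term: a record ending in `~all` or `?all` yields softfail or neutral for the same IP instead of fail.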