Mailing List Archive: SPF: Help

Spam still getting through

Index | Next | Previous | View Threaded

tkloos at ncdcorp

Nov 20, 2009, 10:03 AM

Post #1 of 4 (873 views)
Permalink

Spam still getting through

I received an email the other day from support [at] sample (and this was
clearly spoofed). I put in my spamassassin local.cf file the following
line:
whitelist_from_spf support [at] sample
and restarted spamassassin.
Yet, the following day, I still received an email from
support [at] sample that was again clearly a spoof. Any idea what I am
doing wrong?

Thanks

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Nov 20, 2009, 10:16 AM

Post #2 of 4 (839 views)
Permalink

Re: Spam still getting through [In reply to]

On Fri, Nov 20, 2009 at 18:03, Tim Kloos <tkloos [at] ncdcorp> wrote:
> I received an email the other day from support [at] sample (and this was
> clearly spoofed). I put in my spamassassin local.cf file the following
> line:
> whitelist_from_spf support [at] sample
> and restarted spamassassin.
> Yet, the following day, I still received an email from support [at] sample
> that was again clearly a spoof. Any idea what I am doing wrong?

Well, starting with the fact that we don't know your real domain so we
can't check the SPF record - no. Further, without the headers of the
problem email it's hard to say why it got through.

Also, AFAIK the whitelist settings in SpamAssassin are used to allow
emails through filtering (they add 100 to the score).

Note too that, as covered in the FAQ, SPF is not an anti-spam
mechanism - it's an anti-forgery one.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

aculver at uwo

Nov 20, 2009, 10:17 AM

Post #3 of 4 (829 views)
Permalink

Re: Spam still getting through [In reply to]

Hi Tim,

As many on this list will point out, SPF is an anti-forgery tool, not an
anti-spam tool as your subject implies. Although helping stop spam is
sometimes a nice side effect.

First of all, sample.com doesn't have an SPF record. But I'll continue,
assuming you've replaced the real domain with "sample.com" ...

SPF works on the SMTP envelope MAIL FROM command and the HELO command.
It does not check the From: header. Was support [at] sample used in the
MAIL FROM command (check the Return-Path: in the message source for
something like: Return-path: <aculver [at] uwo> -- this is the MAIL FROM
address), or was it just used in the From: header?

By whitelisting support [at] sample, you're specifically allowing it
through your SPF checks. You probably don't want this.

Andrew

Tim Kloos wrote:
> I received an email the other day from support [at] sample (and this was
> clearly spoofed). I put in my spamassassin local.cf file the following
> line:
> whitelist_from_spf support [at] sample
> and restarted spamassassin.
> Yet, the following day, I still received an email from
> support [at] sample that was again clearly a spoof. Any idea what I am
> doing wrong?
>
> Thanks
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> Modify Your Subscription: http://www.listbox.com/member/
> [http://www.listbox.com/member/]
>
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Nov 20, 2009, 10:50 AM

Post #4 of 4 (832 views)
Permalink

Re: Spam still getting through [In reply to]

At 18:03 20/11/2009 Friday, Tim Kloos wrote:
>I received an email the other day from support [at] sample (and this was clearly spoofed). I put in my spamassassin local.cf file the following line:
>whitelist_from_spf support [at] sample
>and restarted spamassassin.
>Yet, the following day, I still received an email from support [at] sample that was again clearly a spoof. Any idea what I am doing wrong?

1 SPF dosn't check the From address it checks the envelope-sender or return-path address in the smtp instruction "mail from:xxx [at] yy"
{so assuming that address was non-spoofed it would pass SPF}

2 sample.com {if this is the correct domain, has no SPF record thus SPF has to PASS all mail from sample.com as probably legit}
their domain, their choice as to whether to avail of SPF or not to protect their domain from forgery

3 spamassasin dosn't block spam and is a poor choice to check SPF, it scores it, thus failing spf will only raise its spammyness score, its up to your client or mailserver to spanmfolder or reject mail with a high enough score

if you actually intend to reject mail that is provably forged due to the "forgee" having SPF it should be done within your mailserver at RCPT time before the DATA portion and long before spamassain is capable of running

{this also cuts down the processor and bandwith load due to these forged spams}

oh and 5 most importantly!!!!!!!!!!!!!
whitelist_from_spf support [at] sample

means {whitelist} ie do not check/fail mail from support [at] sample
thus even if sample.com had an SPF record you told your spamassasin to not bother checking it for mail from support [at] sample

>Thanks
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads