Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2015/10/14 23:51:23 UTC

SPF and blocking phishing attempts

Hi,

I have a few questions about SPF as it relates to spamassassin, and
more specifically, as it relates to stopping incoming phishing
attempts, and assumes we're using "-all".

I'd like to make sure incoming mail that appears to be "From:" one of
our internal users has indeed gone through one of the systems
specified in the SPF record, resulting in an SPF_PASS.

Will all other mail with our domain in the "From:" result in an SPF_FAIL?

Will a rule need to be created to mark as spam any of those that lack
any SPF info at all?

I believe the KAM rules (KAM_LAZY_DOMAIN_SECURITY, for example) will
catch some of these, but in the specific case of domain
spoofing/phishing, we wish to block all incoming attempts that aren't
authorized.

While the MX systems are all Linux, the outbound are Exchange,
limiting our ability to install DKIM, thereby also limiting the
effectiveness of a DMARC effort, I believe.

I was thinking of just creating a DMARC TXT entry for the domain, but
SA doesn't have rules that act upon this info? I believe I can use
DMARC without DKIM, as long as SPF is implemented properly.

Hopefully my situation is clear. I'd like to know the best approach to
go about blocking spoofed email with spamassassin for a domain with an
SPF record and, possibly, a DMARC record as well.

Thanks,
Alex

Re: SPF and blocking phishing attempts

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 14 Oct 2015, Dave Wreski wrote:

> Hi,
>
> On 10/14/2015 06:08 PM, Dianne Skoll wrote:
>> On Wed, 14 Oct 2015 17:51:23 -0400
>> Alex <my...@gmail.com> wrote:
>> 
>>> I'd like to make sure incoming mail that appears to be "From:" one of
>>> our internal users has indeed gone through one of the systems
>>> specified in the SPF record, resulting in an SPF_PASS.
>> 
>> Can't be done.  SPF looks at the envelope sender (what end-users know
>> as the Return-Path:) and not at all at the From: header.
>
> Yes, I realize SPF is only concerned with the envelope-sender. I was thinking 
> it would be possible to somehow correlate the SPF_PASS with a rule that 
> analyzes the From: header and use that to compare?
>
> Thanks,
> Alex

The problem with that approach is that the phish spammer can create a
valid SPF record for a domain they control, put that in the envelope
from, and your domain in the header "From:".

Thus you'll have a message that passes SPF for the env-from but still
has a deceptive header "From:".

DKIM is the way to go as Dianne says, then you know you can trust
the contents of the header "From:" (assuming you've checked to make sure
that the DKIM sig came from your system).

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: SPF and blocking phishing attempts

Posted by Benny Pedersen <me...@junc.eu>.
Dave Wreski skrev den 2015-10-15 00:11:

> Yes, I realize SPF is only concerned with the envelope-sender. I was
> thinking it would be possible to somehow correlate the SPF_PASS with a
> rule that analyzes the From: header and use that to compare?

From: header is DKIM. Just know that some milters like sid-milter are 
checking Sender-ID and say SPF, but this is not the case; did you read 
such docs? If so, it's deprecated with SPF and DKIM. DMARC is a subset 
meta on what DKIM and SPF do; when DMARC is a plugin in spamassassin 
it would be a FAQ on what not to do :=)

If you see my msg here on the maillist gives DMARC pass, then I am happy to 
say it works for us both.

So back to your subject:

If DMARC fails, it's a phishing attempt, more or less.

Re: SPF and blocking phishing attempts

Posted by Dave Wreski <dw...@guardiandigital.com>.
Hi,

On 10/14/2015 06:08 PM, Dianne Skoll wrote:
> On Wed, 14 Oct 2015 17:51:23 -0400
> Alex <my...@gmail.com> wrote:
>
>> I'd like to make sure incoming mail that appears to be "From:" one of
>> our internal users has indeed gone through one of the systems
>> specified in the SPF record, resulting in an SPF_PASS.
>
> Can't be done.  SPF looks at the envelope sender (what end-users know
> as the Return-Path:) and not at all at the From: header.

Yes, I realize SPF is only concerned with the envelope-sender. I was 
thinking it would be possible to somehow correlate the SPF_PASS with a 
rule that analyzes the From: header and use that to compare?

Thanks,
Alex


>
> You can do what you're trying to do with DKIM, though, and reject mail
> claiming to be from your domain (in the From: header) that has an invalid
> or no DKIM signature.
>
> If you can't install DKIM software on your Exchange server, you can use
> your Linux box as a smarthost and have the Linux box sign outbound
> mail from the Exchange server.
>
> Of course, internal mail won't ever leave the Exchange server and will thus
> lack a DKIM signature, but that shouldn't be a problem... just check DKIM
> on the MX hosts and not Exchange.
>
> Regards,
>
> Dianne.
>

Re: SPF and blocking phishing attempts

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Wed, 14 Oct 2015 17:51:23 -0400
Alex <my...@gmail.com> wrote:

> I'd like to make sure incoming mail that appears to be "From:" one of
> our internal users has indeed gone through one of the systems
> specified in the SPF record, resulting in an SPF_PASS.

Can't be done.  SPF looks at the envelope sender (what end-users know
as the Return-Path:) and not at all at the From: header.

You can do what you're trying to do with DKIM, though, and reject mail
claiming to be from your domain (in the From: header) that has an invalid
or no DKIM signature.

If you can't install DKIM software on your Exchange server, you can use
your Linux box as a smarthost and have the Linux box sign outbound
mail from the Exchange server.

Of course, internal mail won't ever leave the Exchange server and will thus
lack a DKIM signature, but that shouldn't be a problem... just check DKIM
on the MX hosts and not Exchange.

Regards,

Dianne.
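
As an added example (not from any poster in this thread), here is a SpamAssassin local.cf fragment that implements the DKIM-based check Dianne describes and separately tags the SPF gap Dave Funk points out. The domain example.com, the LOCAL_* rule names and the scores are assumptions; it relies on the stock DKIM and SPF plugins being loaded and on trusted_networks covering the internal Exchange hosts.

```text
# Constructed example for this thread: mail whose From: header claims our
# domain (assumed: example.com) but carries no DKIM signature verified for
# that same domain is treated as spoofed.

header   __FROM_OUR_DOMAIN   From:addr =~ /\@example\.com$/i
describe __FROM_OUR_DOMAIN   From: address is in our domain

# DKIM_VALID_AU (stock rule): a valid signature whose d= matches the From:
# (author) domain. ALL_TRUSTED (stock rule): the message only travelled
# through trusted_networks, i.e. internal Exchange mail that never left the
# site and so was never signed by the Linux smarthost.
meta     LOCAL_SPOOF_FROM    __FROM_OUR_DOMAIN && !DKIM_VALID_AU && !ALL_TRUSTED
describe LOCAL_SPOOF_FROM    Claims our domain in From: without our DKIM signature
score    LOCAL_SPOOF_FROM    5.0

# SPF_PASS on the envelope sender proves nothing about From:: a phisher can
# pass SPF for a domain they control while forging ours in the header.
# A low-scoring rule makes those cases visible in the logs without relying
# on SPF for the verdict.
meta     LOCAL_SPOOF_FROM_SPFPASS  LOCAL_SPOOF_FROM && SPF_PASS
describe LOCAL_SPOOF_FROM_SPFPASS  Forged From: on a message passing SPF for another domain
score    LOCAL_SPOOF_FROM_SPFPASS  0.1
```

Test with `spamassassin -D dkim,spf < message.eml` on a captured sample before raising the score; a legitimate outbound path that skips the signing smarthost will show up as LOCAL_SPOOF_FROM hits.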

Re: SPF and blocking phishing attempts

Posted by Reindl Harald <h....@thelounge.net>.

Am 14.10.2015 um 23:51 schrieb Alex:
> I have a few questions about SPF as it relates to spamassassin, and
> more specifically, as it relates to stopping incoming phishing
> attempts, and assumes we're using "-all".
>
> I'd like to make sure incoming mail that appears to be "From:" one of
> our internal users has indeed gone through one of the systems
> specified in the SPF record, resulting in an SPF_PASS

no, you don't - SPF is about the envelope sender and *not* the From: 
header, otherwise you couldn't use this mailing list and no other one

there is not more to say about that broken idea