[AusNOG] SPF, IP's and domains

Michael J. Carmody michael at opusv.com.au
Thu Jul 5 22:27:58 EST 2018


Hey All,

Apologies but I think this is not too far off charter.

Had the usual fraud attempt to a client asking to pay monies to **OTHER** bank account for usual bullshit reasons, but what is confusing me from header analysis is why the email from an external, obviously compromised host checked the compromised host's domain SPF records rather than the domain in the From: address.

From my read of the RFC (http://www.openspf.org/RFC_4408#operation)

It appears that maybe it did the SPF check on the HELO command, and not the MAIL FROM command, which seems like an odd choice for O365 to make (as of course it's up to the mail provider to implement their SPF checks).

On the attached image, orange is the spoofed 3rd domain with perfectly lovely SPF records, which were not checked in favour of the spoofed domain's non-existent SPF records, and it was allowed through.

This seems like weird behaviour to me, unless I am completely misunderstanding the usefulness of SPF.

May I lean on the experienced knowledge of old SMTP heads on why this didn't check the Mail From: domain?

-Michael


-------------- next part --------------
A non-text attachment was scrubbed...
Name: headers.png
Type: image/png
Size: 55705 bytes
Desc: headers.png
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180705/20cf2d7b/attachment.png>
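The question above turns on which identities SPF actually evaluates. RFC 4408 (and its successor RFC 7208) defines check_host() over two identities only: the HELO/EHLO hostname and the MAIL FROM (RFC 5321) envelope domain. The RFC 5322 From: header that the recipient sees is never an SPF input; it only gets indirect coverage when a DMARC-style alignment check ties a passing SPF identity back to the header From: domain. The toy evaluator below is an added example written for this page, not code from the original post or from any mail provider. It uses a constructed in-memory DNS zone with hypothetical domain names (compromised.example, victim-brand.example, partner.example) and supports only the ip4, include and all mechanisms, so it is a teaching model, not a drop-in SPF library. It reproduces the scenario in the post: the sending host's own domain passes on HELO while the brand domain placed in MAIL FROM (or in From:) has no record and yields "none".

```python
"""Toy SPF evaluator showing which identities SPF covers (added example).

Assumptions (not from the original post): the domain names below are
hypothetical, the zone is constructed in memory instead of queried from
DNS, and only ip4 / include / all mechanisms are implemented.
"""
import ipaddress

# Constructed zone: TXT records keyed by domain name.
ZONE = {
    "compromised.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "victim-brand.example": {"TXT": []},          # no SPF record published
    "partner.example": {"TXT": ["v=spf1 include:compromised.example ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(domain, {}).get("TXT", [])


def get_spf_record(domain):
    """Return the single v=spf1 record for a domain, or None (result 'none')."""
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(client_ip, domain, depth=0):
    """Simplified RFC 4408 check_host(): pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                       # RFC 4408 limits DNS-causing terms to 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_host(client_ip, arg, depth + 1) == "pass"
        else:
            continue                     # mechanism not modelled in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched, no "all" term


def evaluate(client_ip, helo, mail_from, header_from):
    """Run SPF over both RFC 4408 identities and report header From: alignment.

    SPF itself never inspects header_from; the 'header_from_aligned' flag is
    a DMARC-style relaxed check added here to show what it takes for the
    visible From: domain to be covered at all.
    """
    mf_domain = mail_from.rsplit("@", 1)[-1].lower()
    hf_domain = header_from.rsplit("@", 1)[-1].lower()
    results = {
        "helo": check_host(client_ip, helo.lower()),
        "mailfrom": check_host(client_ip, mf_domain),
    }
    results["header_from_aligned"] = (
        results["mailfrom"] == "pass" and mf_domain == hf_domain
    )
    return results


if __name__ == "__main__":
    # Scenario from the post: compromised host sends as itself on the wire,
    # but the message body carries a different brand in From:.
    print(evaluate("203.0.113.10", "compromised.example",
                   "bounce@compromised.example", "accounts@victim-brand.example"))
    # Same host, but the brand domain is also used as MAIL FROM: only HELO passes.
    print(evaluate("203.0.113.10", "compromised.example",
                   "accounts@victim-brand.example", "accounts@victim-brand.example"))
```

Running the two scenarios shows the asymmetry the post describes: in both cases the HELO identity passes because the compromised host's own domain publishes a correct record, while the brand domain returns "none" and the header From: is never aligned with anything that passed. A receiver that acts on the HELO result alone, or that treats "none" on MAIL FROM as acceptable, lets the message through; only an alignment check against the From: header (DMARC) would surface the mismatch.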