[AusNOG] SPF, IPs and domains

Paul Gear ausnog at libertysys.com.au
Fri Jul 6 10:06:44 EST 2018


On 05/07/18 22:27, Michael J. Carmody wrote:
> Hey All,
> 
> Apologies but I think this is not too far off charter.
> 
> Had the usual fraud attempt to a client asking to pay monies to
> **OTHER** bank account for usual bullshit reasons, but what is confusing
> me from header analysis is why the email from an external, obviously
> compromised host checked the compromised host's domain SPF records
> rather than the domain in the From: address.
> 
> From my read of the RFC (http://www.openspf.org/RFC_4408#operation)
> 
> It appears that maybe it did the SPF check on the HELO command, and not
> the MAIL FROM command, which seems like an odd choice for O365 to make
> (as of course it's up to the mail provider to implement their SPF checks).
> 
> On the attached image, orange is the spoofed 3rd domain with perfectly
> lovely SPF records, which were not checked in favour of the spoofed
> domain's non-existent SPF records and allowed through.
> 
> This seems weird behavior to me, unless I am completely
> misunderstanding the usefulness of SPF.
> 
> May I lean on the experienced knowledge of old SMTP heads on why this
> didn't check the Mail From: domain?

I'm not an expert on this, but I'm pretty sure SPF doesn't check on the
HELO source or the Mail From:, but on the envelope sender's domain,
which doesn't necessarily match the Mail From: sender. The body of the
email isn't available until the DATA part of the SMTP transaction, and
SPF checks can be done earlier than that.

Paul
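The following is an added example, not code from either poster or from any
mail provider. It is a toy SPF evaluator run against constructed zone data
(all domains are .example and the addresses are documentation ranges) to make
the point the thread circles around: RFC 7208 defines exactly two SPF
identities, the HELO/EHLO hostname and the MAIL FROM (envelope sender)
domain. The RFC 5322 From: header that the recipient sees is never an SPF
input; checking that the MAIL FROM domain lines up with the header From:
domain is what DMARC's SPF alignment adds on top. The evaluator implements
only the ip4/ip6, a, include and all mechanisms and treats anything else as
permerror, which is enough for the constructed records below.

```python
"""Toy SPF (RFC 7208) evaluator showing which identities SPF checks.

Constructed zone data replaces real DNS so the example runs offline.
Domains and addresses are illustrative only.
"""
import ipaddress

# Constructed stand-in for DNS. 203.0.113.10 is the "compromised" relay,
# 198.51.100.0/24 is the victim's legitimate outbound provider.
ZONE = {
    "mail.compromised.example": {"A": ["203.0.113.10"], "TXT": ["v=spf1 a -all"]},
    "compromised.example": {"TXT": ["v=spf1 a:mail.compromised.example ip4:203.0.113.0/24 -all"]},
    "victim.example": {"TXT": ["v=spf1 include:_spf.victim-provider.example -all"]},
    "_spf.victim-provider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "soft.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "nospf.example": {},   # domain exists but publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, zone):
    """Return the single v=spf1 TXT record for domain, or None (RFC 7208 4.5)."""
    txts = zone.get(domain, {}).get("TXT", [])
    recs = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, zone, depth=0):
    """RFC 7208 check_host(): evaluate domain's SPF record for the sending ip.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # crude stand-in for the DNS lookup limit
        return "permerror"
    rec = spf_record(domain, zone)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:        # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # 'in' is False across address families, so ip4 never matches an IPv6 sender
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "a":
            target = (arg or domain).lower()
            a_records = zone.get(target, {}).get("A", [])
            if any(ipaddress.ip_address(a) == addr for a in a_records):
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record evaluates to pass
            if check_host(ip, arg.lower(), zone, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"          # mx, ptr, exists, redirect= etc. not implemented here
    return "neutral"                    # no term matched and no "all": neutral (RFC 7208 4.7)


def domain_of(address):
    """Domain part of an RFC 5321/5322 address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


def evaluate(ip, helo, mail_from, header_from, zone):
    """Run SPF on the two identities SPF defines, then the DMARC-style
    alignment check that is the only place the header From: domain matters."""
    mail_from_domain = domain_of(mail_from)
    header_from_domain = domain_of(header_from)
    helo_result = check_host(ip, helo.lower(), zone)
    mail_from_result = check_host(ip, mail_from_domain, zone)
    # DMARC strict SPF alignment (RFC 7489 3.1.2): the SPF-authenticated
    # MAIL FROM domain must equal the header From: domain.
    aligned = mail_from_result == "pass" and mail_from_domain == header_from_domain
    return {
        "helo": helo_result,
        "mail_from": mail_from_result,
        "header_from_checked_by_spf": False,   # SPF has no such identity
        "dmarc_spf_aligned": aligned,
    }


if __name__ == "__main__":
    # The thread's scenario: a compromised host with a tidy SPF record relays
    # mail whose header From: claims to be the victim. SPF passes; only
    # alignment exposes the spoof.
    print(evaluate("203.0.113.10", "mail.compromised.example",
                   "bounce@compromised.example", "ceo@victim.example", ZONE))
```

Run as a script it prints both SPF results as pass and the alignment as
False, which is the practical answer to the question above: a receiver that
only looks at SPF results will wave such a message through no matter how
strict the spoofed domain's own record is, because that record is only
consulted when the spoofed domain appears in MAIL FROM (or HELO). A DMARC
policy on the spoofed domain, not a tighter SPF record, is what makes the
header From: domain count.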

