
Question SPF Filter Not working properly?

RuiCadete

New Pleskian
Hello all,

In order to test the SPF protection I tried to send an email from another server, changing the "from" to my domain... hoping that the SPF would block it, but no, the email passed validations.

The email is coming from otherdomain.com but is delivered to [email protected] from [email protected]; this should trigger an SPF fail, right?

Why is SPF checking otherdomain.com's SPF and not the domain from the "from" field?

otherdomain.com has no SPF record at all
mydomain.com has a valid SPF record



Email headers
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from server7768.otherserver.com (otherdomain.com [213.229.106.xxx])
by LCSrv02.myserver.com (Postfix) with ESMTPS id A08C54361AE
for <[email protected]>; Mon, 10 Dec 2018 10:57:50 +0000 (GMT)
Authentication-Results: LCSrv02.myserver.com;
spf=pass (sender IP is 213.229.106.xxx) [email protected] smtp.helo=server7768.otherserver.com
Received-SPF: pass (LCSrv02.myserver.com: domain of
otherdomain designates 213.229.106.xxx as permitted sender) client-ip=213.229.106.145; [email protected]; helo=server7768.otherserver.com;
Received: by server7768.otherserver.com (Postfix, from userid 10001)
id 5D2EA33B0794; Mon, 10 Dec 2018 10:57:50 +0000 (GMT)
To: [email protected]
Subject: SUBJECT FROM 3
X-PHP-Originating-Script: 10001:qwerty.php
to: [email protected] <[email protected]>
from: ruicadete@mydomain.com <ruicadete@mydomain.com>
Message-Id: ---
Date: Mon, 10 Dec 2018 10:57:50 +0000 (GMT)
 
You did not change the envelope-sender of the mail, you only changed the "From:" header inside the mail.
SPF checks are made against the envelope sender ("MAIL FROM" command in the SMTP transaction).

So if you want to test SPF functionality then you need to change the envelope sender.
 
Hello Monty,

What I did was just use a PHP script to emulate an email sent by someone that is not me... and the email received in Outlook looks like it was sent from the email I scripted.


I ran this script from another server that is not cleared by the SPF of "mydomain.com"... I suppose that this is what a spammer does.

Isn't it supposed to be blocked by the SPF check, since it's not sent by the SPF domain or IP? If not, anyone with this simple script can spoof an address, right?

Regards,
Rui
 
Your script does not change the envelope sender, it only sets the "From:" and "To:" headers in the mail. Your mail client will not display the envelope sender, it will always display the "From:" / "To:" headers, but the SPF checks are made against the envelope sender.

The envelope sender ("MAIL FROM") and recipients ("RCPT TO") are only visible to the MTAs doing the mail transport (example: SMTP server to MX server) but they won't show up in the mail. Under normal conditions, your mail client will set the same "From:" / "To:" headers as used in the envelope. But of course you can fake those headers, like in this example:

Code:
MAIL FROM: <[email protected]>
250 Ok
RCPT TO: <[email protected]>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Test Name <[email protected]>
Subject: Test

So in this example the recipient's mail server would perform the SPF checks on the domain "your-spf-domain.tld" (if the server has SPF checks enabled) and not on "some-fake-domain.tld".

Have a look at Simple Mail Transfer Protocol - Wikipedia for more details

In your case you can use the "additional parameters" of the PHP mail() function to set the envelope sender using "-f", have a look here:
PHP: mail - Manual (see example 4 to see how to set the envelope sender).
 
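The envelope/header distinction explained above, as an added example that is not part of the thread: a small Python script that parses a constructed SMTP transaction (the domains otherdomain.com and mydomain.com are taken from the thread; the local parts and HELO name are constructed), extracts the MAIL FROM domain that SPF is evaluated against and the "From:" header domain that the mail client displays, and reports whether the two agree. It performs no DNS or SPF lookups, and the org_domain shortcut is a simplification. The final alignment test is the check that DMARC adds on top of SPF, which is what catches the forged "From:" in this thread.

```python
"""Which identity does SPF check, and does it match what the recipient sees?

Added example (not code from the thread). It parses a constructed SMTP
transaction, extracts the envelope sender (MAIL FROM) and HELO name that SPF is
evaluated against, extracts the "From:" header that a mail client displays, and
reports whether the two identities agree. No DNS/SPF lookups are performed.
"""
import re
from email import message_from_string

# Constructed sample transaction modelled on the thread: the envelope sender is
# at otherdomain.com, while the "From:" header claims mydomain.com.
SAMPLE_TRANSACTION = (
    "EHLO server7768.otherserver.com\r\n"
    "MAIL FROM:<sender@otherdomain.com>\r\n"
    "RCPT TO:<user@mydomain.com>\r\n"
    "DATA\r\n"
    "From: ruicadete@mydomain.com <ruicadete@mydomain.com>\r\n"
    "To: user@mydomain.com\r\n"
    "Subject: SUBJECT FROM 3\r\n"
    "\r\n"
    "test body\r\n"
    ".\r\n"
)

_CMD = re.compile(r"^(EHLO|HELO|MAIL FROM|RCPT TO|DATA)\s*:?\s*(.*)$", re.I)


def parse_transaction(text):
    """Split a client-side SMTP transcript into envelope fields and the message."""
    env = {"helo": None, "mail_from": None, "rcpt_to": [], "message": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2).strip()
        if cmd in ("EHLO", "HELO"):
            env["helo"] = arg
        elif cmd == "MAIL FROM":
            env["mail_from"] = arg.strip("<>")
        elif cmd == "RCPT TO":
            env["rcpt_to"].append(arg.strip("<>"))
        elif cmd == "DATA":
            # Everything after DATA up to the lone "." is the RFC 5322 message.
            body = [ln for ln in lines[i + 1:] if ln != "."]
            env["message"] = message_from_string("\n".join(body))
            break
    return env


def _domain_of(address):
    """Domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def spf_checked_domain(env):
    """SPF (RFC 7208) is evaluated on the MAIL FROM domain; when MAIL FROM is
    empty (bounces), the HELO/EHLO name is used instead."""
    domain = _domain_of(env["mail_from"] or "")
    return domain or (env["helo"] or "").lower()


def header_from_domain(env):
    """Domain of the "From:" header, which is what the mail client shows.
    Simplified extraction: take the angle-bracketed address if present."""
    value = env["message"].get("From", "") if env["message"] else ""
    m = re.search(r"<([^<>]+)>\s*$", value)
    return _domain_of(m.group(1) if m else value.strip())


def org_domain(domain):
    """Crude organizational domain (last two labels). A real implementation
    consults the Public Suffix List; this shortcut is an assumption for the demo."""
    return ".".join(domain.split(".")[-2:])


def check(text):
    """Report what SPF is checked against versus what the user sees."""
    env = parse_transaction(text)
    spf_dom = spf_checked_domain(env)
    hdr_dom = header_from_domain(env)
    return {
        "spf_checked_domain": spf_dom,
        "header_from_domain": hdr_dom,
        "aligned": bool(spf_dom) and org_domain(spf_dom) == org_domain(hdr_dom),
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE_TRANSACTION).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the SPF-checked domain is otherdomain.com while the displayed domain is mydomain.com and "aligned" is False, which is exactly the case the thread describes: an SPF pass for the envelope domain says nothing about the "From:" header unless something (DMARC, or an equivalent local rule) also requires the two to align.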
Hi Monty!

Thanks for your reply.

I understand what you are saying, but this way, if the "spammer" uses the PHP mail function the way I did, it is still possible to pass SPF validation and reach users with spoofed "from" information.

Since it is a useless overhead to the server (at least in my case and for my expectations), I will disable it and only rely on the SpamAssassin rules.

Thanks!
 