
Question SPF Filter Not working properly?

RuiCadete

New Pleskian
Hello all,

In order to test the SPF protection I tried to send an email from another server, changing the from to my domain... hoping that SPF would block it, but no: the email passed validation.

The email is coming from otherdomain.com but is delivered to [email protected] from [email protected]; this should trigger an SPF fail, right?

Why is SPF checking the otherdomain.com SPF and not the domain from the "from" field?

otherdomain.com has no SPF record at all
mydomain.com has a valid SPF record



Email headers
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from server7768.otherserver.com (otherdomain.com [213.229.106.xxx])
by LCSrv02.myserver.com (Postfix) with ESMTPS id A08C54361AE
for <[email protected]>; Mon, 10 Dec 2018 10:57:50 +0000 (GMT)
Authentication-Results: LCSrv02.myserver.com;
spf=pass (sender IP is 213.229.106.xxx) [email protected] smtp.helo=server7768.otherserver.com
Received-SPF: pass (LCSrv02.myserver.com: domain of
otherdomain designates 213.229.106.xxx as permitted sender) client-ip=213.229.106.145; [email protected]; helo=server7768.otherserver.com;
Received: by server7768.otherserver.com (Postfix, from userid 10001)
id 5D2EA33B0794; Mon, 10 Dec 2018 10:57:50 +0000 (GMT)
To: [email protected]
Subject: SUBJECT FROM 3
X-PHP-Originating-Script: 10001:qwerty.php
to: [email protected] <[email protected]>
from: ruicadete@mydomain.com <ruicadete@mydomain.com>
Message-Id: ---
Date: Mon, 10 Dec 2018 10:57:50 +0000 (GMT)
 
You did not change the envelope-sender of the mail, you only changed the "From:" header inside the mail.
SPF checks are made against the envelope sender ("MAIL FROM" command in the SMTP transaction).

So if you want to test SPF functionality then you need to change the envelope sender.
 
Hello Monty,

What I did was just use a PHP script to emulate an email sent by someone that is not me... and the email received in Outlook looks like it was sent from the email I scripted.


I ran this script from another server that is not cleared by the SPF of "mydomain.com"... I suppose that this is what a spammer does.

Isn't it supposed to be blocked by the SPF check, since it's not sent by the SPF domain or IP? If not, anyone with this simple script can spoof an address, right?

Regards,
Rui
 
Your script does not change the envelope sender, it only sets the "From:" and "To:" headers in the mail. Your mail client will not display the envelope sender, it will always display the "From:" / "To:" headers, but the SPF checks are made against the envelope sender.

The envelope sender ("MAIL FROM") and recipients ("RCPT TO") are only visible to the MTAs doing the mail transport (example: SMTP server to MX server) but they won't show up in the mail. Under normal conditions, your mail client will set the same "From:" / "To:" headers as used in the envelope. But of course you can fake those headers, like in this example:

Code:
MAIL FROM: <[email protected]>
250 Ok
RCPT TO: <[email protected]>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Test Name <[email protected]>
Subject: Test

So in this example the recipient's mail server would perform the SPF checks on the domain "your-spf-domain.tld" (if the server has SPF checks enabled) and not on "some-fake-domain.tld".

Have a look at Simple Mail Transfer Protocol - Wikipedia for more details

In your case you can use the "additional parameters" of the PHP mail() function to set the envelope sender using "-f", have a look here:
PHP: mail - Manual (see example 4 to see how to set the envelope sender).
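
Added example, not part of the original posts: a Python check that reads delivered headers and reports which domain the SPF verdict actually covers (the envelope sender) next to the domain shown in "From:". The sample message is constructed after the headers in this thread with placeholder addresses; the function names and the strict domain comparison are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread's headers; every address and
# host name is a placeholder (the real ones are redacted on the page).
SAMPLE = """\
Return-Path: <www-data@otherdomain.example>
Authentication-Results: mx.myserver.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=www-data@otherdomain.example smtp.helo=server7768.otherserver.example
To: rui@mydomain.example
From: Rui <rui@mydomain.example>
Subject: SUBJECT FROM 3

body
"""

def domain_of(address):
    """Lower-cased domain of a header address, or '' if it has none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spf_vs_from(raw):
    """Compare the SPF-checked envelope domain with the From: domain."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    result = re.search(r"\bspf=(\w+)", auth, re.I)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", auth, re.I)
    if mailfrom:
        # smtp.mailfrom may be a full address or a bare domain
        envelope = mailfrom.group(1).rpartition("@")[2].lower()
    else:
        # fall back to Return-Path, which records the envelope sender
        envelope = domain_of(msg.get("Return-Path", ""))
    header = domain_of(msg.get("From", ""))
    return {
        "spf": result.group(1).lower() if result else "none",
        "envelope_domain": envelope,
        "from_domain": header,
        # Strict equality is this example's assumption; a pass for a
        # different domain says nothing about the From: domain.
        "spf_covers_from": bool(envelope) and envelope == header,
    }

if __name__ == "__main__":
    print(spf_vs_from(SAMPLE))
```
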
 
Hi Monty!

Thanks for your reply.

I understand what you are saying, but this way, if the "Spammer" uses the PHP mail function the way I did, it is still possible to pass SPF validation and reach users with spoofed "from" information.

Since it is a useless overhead to the server (at least in my case and for my expectations), I will disable it and only rely on the SpamAssassin rules.

Thanks!
 