09-05-2008 01:43 PM
Hi All,
I received a notification from one of our users that he had received a SPAM message with his own EMail address as sender.
Our Ironports are configured for SPF validation so I was quite curious to find out that indeed, the sender was his email address.
See the SMTP headers here (some host names have been sanitized) below. The interesting trick here is that the spammer uses SPF headers with an "Envelope-from" and an X-Sender.
Any idea how we could block this?
Cheers,
Fred
Microsoft Mail Internet Headers Version 2.0
Received: from TIGER by PUMA with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 5 Sep 2008 11:58:04 +0100
Received: from ironport-2.champ.aero by TIGER with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 5 Sep 2008 11:58:04 +0100
Authentication-Results: ironport-2.champ.aero; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=220.227.219.2;
receiver=mxfarm.champ.aero;
envelope-from="duscan@peoplepc.com";
x-sender="dus@cargolux.com";
x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=220.227.219.2;
receiver=mxfarm.champ.aero;
envelope-from="duscan@peoplepc.com";
x-sender="duscan@peoplepc.com";
x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=220.227.219.2;
receiver=mxfarm.champ.aero;
envelope-from="duscan@peoplepc.com";
x-sender="postmaster@kumar-e3c4892c0";
x-conformance=sidf_compatible
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AmFYACGrwEjc49sCYWdsb2JhbAARgTSBH4NaimMLgQEcIEsBjT6WOmoJcg
X-IronPort-AV: E=Sophos;i="4.32,320,1217808000";
d="scan'208,217";a="3729856"
Received: from unknown (HELO kumar-e3c4892c0) ([220.227.219.2])
by ironport-2.champ.aero with SMTP; 05 Sep 2008 10:58:00 +0000
X-SID-PRA: Malaki Jamison <dus>
X-SID-Result: Pass
X-Originating-IP: [72.51.74.05]
Return-Path: dus@cargolux.com
Message-ID: <20080905092802>
To: <dus>
Subject: Your Monthly Alerts
From: Paloma Marques <dus>
MIME-Version: 1.0
Importance: Normal
Content-Type: multipart/alternative;
boundary="_b693bc36-9df7-4029-b503-7d7fe8a809f4_"
X-OriginalArrivalTime: 05 Sep 2008 10:58:04.0811 (UTC) FILETIME=[45B0C5B0:01C90F46]
Date: 5 Sep 2008 11:58:04 +0100
--_b693bc36-9df7-4029-b503-7d7fe8a809f4_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--_b693bc36-9df7-4029-b503-7d7fe8a809f4_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
11-18-2008 05:25 PM
Hello,
Sorry, but it looks like in your case the spammer does not use any SPF entry, because for all three types you have a None value; see the lines from your post:
Received-SPF: None identity=pra; client-ip=220.227.219.2;
Received-SPF: None identity=mailfrom; client-ip=220.227.219.2;
Received-SPF: None identity=helo; client-ip=220.227.219.2;
Regards.
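What both posts together show is that the three identities IronPort evaluated (PRA via x-sender, envelope-from for mailfrom, the HELO host) all came back None, while the From: header claims the user's own domain that no SPF pass covers. The check below, an added example that is neither the thread's nor Cisco's code, parses folded Received-SPF lines and flags that mismatch; OUR_DOMAINS, the identity-to-field mapping and the sample headers (constructed from the thread) are assumptions.

```python
import re
# Constructed sample modelled on the thread's headers, folded as RFC 5322 allows.
SAMPLE = """\
Received-SPF: None identity=pra; client-ip=220.227.219.2;
  receiver=mxfarm.champ.aero; envelope-from="duscan@peoplepc.com";
  x-sender="dus@cargolux.com"; x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=220.227.219.2;
  receiver=mxfarm.champ.aero; envelope-from="duscan@peoplepc.com";
  x-sender="duscan@peoplepc.com"; x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=220.227.219.2;
  receiver=mxfarm.champ.aero; envelope-from="duscan@peoplepc.com";
  x-sender="postmaster@kumar-e3c4892c0"; x-conformance=sidf_compatible
From: Paloma Marques <dus@cargolux.com>
"""
OUR_DOMAINS = {"cargolux.com"}  # assumption: the domains this gateway protects
# Assumed field each IronPort-style Received-SPF identity was actually evaluated on.
CHECKED_FIELD = {"pra": "x-sender", "mailfrom": "envelope-from", "helo": "x-sender"}

def unfold(raw):
    """Join folded continuation lines; return (name, value) header pairs."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]

def parse_received_spf(value):
    """'None identity=pra; client-ip=...; x-sender="a@b"' -> dict of fields."""
    result, _, rest = value.partition(" ")
    fields = re.findall(r'([\w-]+)=("[^"]*"|[^;\s]+)', rest)
    return {"result": result.lower(), **{k: v.strip('"') for k, v in fields}}

def domain_of(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def spoof_findings(raw):
    """Report a From: in one of our domains that no SPF pass actually covers."""
    headers = unfold(raw)
    spf = [parse_received_spf(v) for n, v in headers if n.lower() == "received-spf"]
    checked = {r.get("identity"): (domain_of(r.get(CHECKED_FIELD.get(r.get("identity"), ""), "")),
                                   r["result"]) for r in spf}
    passed = {dom for dom, res in checked.values() if res == "pass"}
    dom = domain_of(next((v for n, v in headers if n.lower() == "from"), ""))
    if dom in OUR_DOMAINS and dom not in passed:
        detail = ", ".join(f"{i}={res} on {d or '?'}" for i, (d, res) in checked.items())
        return [f"From claims {dom} but no SPF pass covers it ({detail})"]
    return []
```

Run as `spoof_findings(SAMPLE)` it returns one finding for the thread's message; the same mail with a Pass on the PRA identity returns none.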