
Spoofed SPF Headers

bnklein
Level 1

Does Ironport strip existing SPF headers from incoming messages?

SANS Diary today had an interesting article by Johannes B. Ullrich, Ph.D. titled "UPS Malware Spam Using Fake SPF Headers".

https://isc.sans.edu/forums/diary/UPS+Malware+Spam+Using+Fake+SPF+Headers/17693 Its premise was that spammers have started faking SPF headers to indicate the message has passed SPF validation.

To be effective in an Ironport environment, spoofed SPF headers would require at least the name of your Ironport servers to format the SPF record correctly. No matter what, I would expect Ironport to write its own Received-SPF headers regardless of any found in incoming messages.

It is possible that conflicting headers could cause confusion if Ironport does not strip spoofed SPF headers first.

1 Reply

No - The ESA performs validation of SPF status based on the actual connecting IP - not the headers.  It will also still create its own SPF result headers, regardless of pre-existing headers.

- Jackie
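The behaviour Jackie describes (evaluate SPF from the connecting IP, never from headers that arrive with the message, and stamp a fresh result) can be modelled in a few lines. The following is an added example written for this thread; it is not Cisco ESA code and does not reproduce how the ESA is implemented. The gateway hostname `mx1.example.com`, the in-memory `SPF_POLICY` table standing in for DNS, the documentation IP ranges and the forged sample message are all constructed for the example.

```python
"""Added example (not from the original thread or from Cisco): how a border
mail gateway should treat SPF result headers that arrive on inbound mail.

Assumptions (constructed for this example, not ESA behaviour or code):
  - TRUSTED_AUTHSERV_ID is our own gateway's hostname.
  - SPF_POLICY is an in-memory table used instead of a real DNS lookup.
"""
import ipaddress
from email import message_from_string
from email.message import Message

TRUSTED_AUTHSERV_ID = "mx1.example.com"  # hypothetical gateway hostname

# Constructed stand-in for DNS SPF records: domain -> networks allowed to send.
SPF_POLICY = {
    "ups.com": [ipaddress.ip_network("203.0.113.0/24")],  # documentation range
}

# Headers that carry an authentication verdict. Anything with these names that
# arrives from outside is untrusted input, whatever it claims.
RESULT_HEADERS = ("Received-SPF", "Authentication-Results")

# Constructed sample: spam that already carries a forged "pass" verdict, using
# our own gateway name, exactly the trick the SANS diary describes.
SPOOFED_MESSAGE = """\
Received-SPF: pass (mx1.example.com: domain of ups.com designates 198.51.100.7 as permitted sender)
Authentication-Results: mx1.example.com; spf=pass smtp.mailfrom=ups.com
From: "UPS Quantum View" <noreply@ups.com>
Subject: Your package could not be delivered
Content-Type: text/plain

Open the attachment to reschedule.
"""


def load(raw: str) -> Message:
    """Parse a raw RFC 5322 message into an email.message.Message."""
    return message_from_string(raw)


def naive_verdict(msg: Message) -> str:
    """What a header-trusting filter concludes: it reads whatever is present."""
    return msg.get("Received-SPF", "none").split(None, 1)[0].lower()


def strip_foreign_results(msg: Message) -> int:
    """Remove every pre-existing result header; returns how many were dropped.
    Done before stamping our own verdict, so a forged header cannot sit next
    to (or be confused with) the genuine one downstream."""
    dropped = 0
    for name in RESULT_HEADERS:
        dropped += len(msg.get_all(name) or [])
        del msg[name]  # deletes all occurrences of that header name
    return dropped


def check_spf(mail_from_domain: str, connecting_ip: str) -> str:
    """Evaluate SPF from the SMTP connecting IP only (constructed policy)."""
    ip = ipaddress.ip_address(connecting_ip)
    networks = SPF_POLICY.get(mail_from_domain)
    if networks is None:
        return "none"
    return "pass" if any(ip in n for n in networks) else "fail"


def gateway_process(raw: str, mail_from_domain: str, connecting_ip: str) -> Message:
    """The safe order of operations: strip upstream verdicts, then stamp our
    own, derived from the SMTP session rather than from message content."""
    msg = load(raw)
    strip_foreign_results(msg)
    verdict = check_spf(mail_from_domain, connecting_ip)
    msg["Received-SPF"] = (
        f"{verdict} ({TRUSTED_AUTHSERV_ID}: checked {connecting_ip} for {mail_from_domain})"
    )
    msg["Authentication-Results"] = (
        f"{TRUSTED_AUTHSERV_ID}; spf={verdict} smtp.mailfrom={mail_from_domain}"
    )
    return msg


def trusted_verdict(msg: Message) -> str:
    """Read only the Authentication-Results line whose authserv-id is our own
    gateway (RFC 8601). Note this is only safe AFTER the border gateway has
    stripped foreign copies: on the raw spoofed message it still returns the
    forged 'pass', because the forger used our authserv-id."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        if authserv_id.strip() == TRUSTED_AUTHSERV_ID:
            for clause in rest.split():
                if clause.startswith("spf="):
                    return clause[4:]
    return "none"


if __name__ == "__main__":
    print("naive filter sees:", naive_verdict(load(SPOOFED_MESSAGE)))
    processed = gateway_process(SPOOFED_MESSAGE, "ups.com", "198.51.100.7")
    print("gateway verdict:  ", trusted_verdict(processed))
```

Run as-is, the naive filter reports `pass` from the forged header, while the gateway path strips both forged headers and records `fail`, because 198.51.100.7 is not in the constructed policy for ups.com. The design point is the one in the reply above: the verdict is a function of the connecting IP and the gateway's own policy lookup, and downstream filters should consume only the verdict the gateway itself wrote.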