Page 1 of 1

possible efa spoof

Posted: 13 May 2020 09:31
by jamerson
Dear all,

Today one of our customer has called because they recieved a email from someone calimed to be from our company.
let assume our domain is company.com
they received email from someone user@company.com time and date.
when we checked the email was flagged as spam on their outlook folder.

so when i check the time and date on both efa they are has never come through the efa.
their exchange recieve emails only from their efa and port 25.
Our domain use DKIM/SPF

how is this possible ?

Can someone clarify to me please

thank you

Re: possible efa spoof

Posted: 13 May 2020 12:56
by smyers119
Did you look at the full header? That will answer your questions

Re: possible efa spoof

Posted: 13 May 2020 16:03
by darky83
Yup, check the mail header it should give you the path the mail has taken to reach the client mailbox and go from there to figure out how the mail reached the clients inbox. (maybe you missed it in eFa or maybe it was malware directly from client to client..)

Re: possible efa spoof

Posted: 14 May 2020 09:31
by pdwalker
This is what SPF is for.

SPF allows mail servers to check the domain of the incoming message against the ip address of the server delivering the message to see if it is a valid mail server for this domain.

If the spf record for example.com says that ip 10.10.1.1 is a valid mail server for the domain, then the mailserver *knows* that the message is valid and accepts it without problem.

if the spf record for example.com has no record for 172.17.2.1 (a spammers hijacked mail server), then the receiving mail server can do one 3 things, depending on the mail servers spf settings

- it can accept the mail anyway
- it can accept the mail, but consider it very likely spam
- it can reject the message entirely

if you run a mail server, you should set your spf records correctly, but remember it is up to the receiving mail server to check the spf status of an incoming mail delivery. You cannot control what they do, you can only suggest.

Also remember that there are still circumstances where a spoofed message can show your domain and be delivered from an invalid mail server, so it's not perfect.

smtp was never designed for security or authentication unfortunately.

Re: possible efa spoof

Posted: 14 May 2020 10:18
by jamerson
darky83 wrote: 13 May 2020 16:03 Yup, check the mail header it should give you the path the mail has taken to reach the client mailbox and go from there to figure out how the mail reached the clients inbox. (maybe you missed it in eFa or maybe it was malware directly from client to client..)
Got catch i checked the header and the efa has deleiver it to the exchange, i noticed the efa didnt had dmarc enabled maybe that why?
in the mean time have enabled dmarc.

@pdwalker we have spf/dkim configured wel and is valid, when we do a mail-test it does score 10/10.

Re: possible efa spoof

Posted: 15 May 2020 03:30
by pdwalker
jamerson wrote: 14 May 2020 10:18@pdwalker we have spf/dkim configured wel and is valid, when we do a mail-test it does score 10/10.
What are your spf settings for mail that comes from invalid servers? accept? maybe spam or reject? (+all, ~all, -all)

Remember, it is up to the destination mail server to determine whether they honour your spf record settings or not.

Re: possible efa spoof

Posted: 16 May 2020 12:36
by jamerson
pdwalker wrote: 15 May 2020 03:30
jamerson wrote: 14 May 2020 10:18@pdwalker we have spf/dkim configured wel and is valid, when we do a mail-test it does score 10/10.
What are your spf settings for mail that comes from invalid servers? accept? maybe spam or reject? (+all, ~all, -all)

Remember, it is up to the destination mail server to determine whether they honour your spf record settings or not.
Hallo Paul,

thank you for your answer, the SPf is configured -all and the prefex is fail " Always matches. It goes at the end of your record" as you explain its the destination mail server who decieded,
but i think this mail has passed because Dmarc was off ? we never had such thing before

Re: possible efa spoof

Posted: 18 May 2020 04:24
by pdwalker
Like I said, SPF is only a suggestion. It is up to the destination mail server to decide whether to accept/reject the mail on the basis of the -all SPF flag. It's not something you can control.

As for your dmarc, check to see if it is working correctly. Again, whether a destination mail server checks and uses this information or not is up to them, not you. All you can do is offer it. The better run mail servers will use all this information in order to cut down on spam.

It can be difficult to educate other mail admins if they are not even going to make the effort do do the minimum amount of work necessary to keep spam out of their system. Not every mail server is competently managed.

Is your dmarc configured correctly? Were you able to check/test it using a dmarc testing service? At least make sure that you have that part right.

Re: possible efa spoof

Posted: 18 May 2020 11:23
by jamerson

Code: Select all

Is your dmarc configured correctly? Were you able to check/test it using a dmarc testing service? At least make sure that you have that part right.
what do you mean exactly here? how to check Dmarc settings? is enabled and its published at the public dns.
using mxtoolbox comes up with the right records.

when i send a test email to gmail and check the dkim/dmar/spf i get the below

Code: Select all

DMARC-Filter: OpenDMARC Filter v1.3.2 mx-01.domain.nl 49QcD732LDz6ZF7
Authentication-Results: mx-01.domain.com; dmarc=fail (p=reject dis=none) header.from=domain.com
Authentication-Results: mx-01.domain.com; spf=fail smtp.mailfrom=julien@domain.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx-01.domain.nl 49QcD732LDz6ZF7
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=default; t=1589801207; bh=ABe/m7y7G85QzgpbltiX+DjfX6eciRiA+19Ief7s/To=; h=From:To:Subject:Date:From; b=lZ/VN1RjisRJdKQ02KyFqhlNg6NesuoWESCnNCvG1hhww0+eY7uefkYHUrtoVjER6
	 xIL6n5YI/2Z8XcQoDdBnilnGv2H8WjiMqHU23CIWtpKxzgXDmjtWTv6K6IaHzJDvaQ
	 V334n1S+evaTiJkxwDViUTaQfeFvcIIKPCPZDNe8=
the dmarc records are

Code: Select all

v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@domain.com
Here is the SPF record:

Code: Select all

v=spf1 mx ip4:50.230.4.67 ip4:50.230.4.68 -all
You can see DMARC failed. But I don't understand why. The SPF record passes. DKIM does also (although we have that requirement relaxed here).

Maybe I'm misunderstanding something about DMARC, but it seems like this should work.

Thank you for the help!

Re: possible efa spoof

Posted: 18 May 2020 12:08
by smyers119
So gmail is showing that spf and dmarc are failing. Can you pm your domain so I can find out what your doing wrong. I'll also pm you my email so you can send me a test email.

Re: possible efa spoof

Posted: 20 May 2020 09:30
by jamerson
smyers119 wrote: 18 May 2020 12:08 So gmail is showing that spf and dmarc are failing. Can you pm your domain so I can find out what your doing wrong. I'll also pm you my email so you can send me a test email.
only Dmarc is failing, spf and dkim are set up correctly.

Re: possible efa spoof

Posted: 20 May 2020 14:18
by smyers119
Authentication-Results: mx-01.domain.com; spf=fail smtp.mailfrom=julien@domain.com

Re: possible efa spoof

Posted: 22 May 2020 09:14
by jamerson
smyers119 wrote: 20 May 2020 14:18
Authentication-Results: mx-01.domain.com; spf=fail smtp.mailfrom=julien@domain.com
good catch, i didnt see that one, but using mail-tester it scores 10/10 and spf is succecefully passed.
is this only google thing that dkim and spf failed

Re: possible efa spoof

Posted: 22 May 2020 13:54
by shawniverson
If google says it is failing, it is failing. You need to revisit your spf and dkim.