possible efa spoof

General eFa discussion
Post Reply
jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

possible efa spoof

Post by jamerson » 13 May 2020 09:31

Dear all,

Today one of our customer has called because they recieved a email from someone calimed to be from our company.
let assume our domain is company.com
they received email from someone user@company.com time and date.
when we checked the email was flagged as spam on their outlook folder.

so when i check the time and date on both efa they are has never come through the efa.
their exchange recieve emails only from their efa and port 25.
Our domain use DKIM/SPF

how is this possible ?

Can someone clarify to me please

thank you
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: possible efa spoof

Post by smyers119 » 13 May 2020 12:56

Did you look at the full header? That will answer your questions

User avatar
darky83
Site Admin
Posts: 537
Joined: 30 Sep 2012 11:03
Location: eFa
Contact:

Re: possible efa spoof

Post by darky83 » 13 May 2020 16:03

Yup, check the mail header it should give you the path the mail has taken to reach the client mailbox and go from there to figure out how the mail reached the clients inbox. (maybe you missed it in eFa or maybe it was malware directly from client to client..)
Version eFa 4.x now available!

User avatar
pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: possible efa spoof

Post by pdwalker » 14 May 2020 09:31

This is what SPF is for.

SPF allows mail servers to check the domain of the incoming message against the ip address of the server delivering the message to see if it is a valid mail server for this domain.

If the spf record for example.com says that ip 10.10.1.1 is a valid mail server for the domain, then the mailserver *knows* that the message is valid and accepts it without problem.

if the spf record for example.com has no record for 172.17.2.1 (a spammers hijacked mail server), then the receiving mail server can do one 3 things, depending on the mail servers spf settings

- it can accept the mail anyway
- it can accept the mail, but consider it very likely spam
- it can reject the message entirely

if you run a mail server, you should set your spf records correctly, but remember it is up to the receiving mail server to check the spf status of an incoming mail delivery. You cannot control what they do, you can only suggest.

Also remember that there are still circumstances where a spoofed message can show your domain and be delivered from an invalid mail server, so it's not perfect.

smtp was never designed for security or authentication unfortunately.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: possible efa spoof

Post by jamerson » 14 May 2020 10:18

darky83 wrote:
13 May 2020 16:03
Yup, check the mail header it should give you the path the mail has taken to reach the client mailbox and go from there to figure out how the mail reached the clients inbox. (maybe you missed it in eFa or maybe it was malware directly from client to client..)
Got catch i checked the header and the efa has deleiver it to the exchange, i noticed the efa didnt had dmarc enabled maybe that why?
in the mean time have enabled dmarc.

@pdwalker we have spf/dkim configured wel and is valid, when we do a mail-test it does score 10/10.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

User avatar
pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: possible efa spoof

Post by pdwalker » 15 May 2020 03:30

jamerson wrote:
14 May 2020 10:18
@pdwalker we have spf/dkim configured wel and is valid, when we do a mail-test it does score 10/10.
What are your spf settings for mail that comes from invalid servers? accept? maybe spam or reject? (+all, ~all, -all)

Remember, it is up to the destination mail server to determine whether they honour your spf record settings or not.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: possible efa spoof

Post by jamerson » 16 May 2020 12:36

pdwalker wrote:
15 May 2020 03:30
jamerson wrote:
14 May 2020 10:18
@pdwalker we have spf/dkim configured wel and is valid, when we do a mail-test it does score 10/10.
What are your spf settings for mail that comes from invalid servers? accept? maybe spam or reject? (+all, ~all, -all)

Remember, it is up to the destination mail server to determine whether they honour your spf record settings or not.
Hallo Paul,

thank you for your answer, the SPf is configured -all and the prefex is fail " Always matches. It goes at the end of your record" as you explain its the destination mail server who decieded,
but i think this mail has passed because Dmarc was off ? we never had such thing before
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

User avatar
pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: possible efa spoof

Post by pdwalker » 18 May 2020 04:24

Like I said, SPF is only a suggestion. It is up to the destination mail server to decide whether to accept/reject the mail on the basis of the -all SPF flag. It's not something you can control.

As for your dmarc, check to see if it is working correctly. Again, whether a destination mail server checks and uses this information or not is up to them, not you. All you can do is offer it. The better run mail servers will use all this information in order to cut down on spam.

It can be difficult to educate other mail admins if they are not even going to make the effort do do the minimum amount of work necessary to keep spam out of their system. Not every mail server is competently managed.

Is your dmarc configured correctly? Were you able to check/test it using a dmarc testing service? At least make sure that you have that part right.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: possible efa spoof

Post by jamerson » 18 May 2020 11:23

Code: Select all

Is your dmarc configured correctly? Were you able to check/test it using a dmarc testing service? At least make sure that you have that part right.
what do you mean exactly here? how to check Dmarc settings? is enabled and its published at the public dns.
using mxtoolbox comes up with the right records.

when i send a test email to gmail and check the dkim/dmar/spf i get the below

Code: Select all

DMARC-Filter: OpenDMARC Filter v1.3.2 mx-01.domain.nl 49QcD732LDz6ZF7
Authentication-Results: mx-01.domain.com; dmarc=fail (p=reject dis=none) header.from=domain.com
Authentication-Results: mx-01.domain.com; spf=fail smtp.mailfrom=julien@domain.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx-01.domain.nl 49QcD732LDz6ZF7
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=default; t=1589801207; bh=ABe/m7y7G85QzgpbltiX+DjfX6eciRiA+19Ief7s/To=; h=From:To:Subject:Date:From; b=lZ/VN1RjisRJdKQ02KyFqhlNg6NesuoWESCnNCvG1hhww0+eY7uefkYHUrtoVjER6
	 xIL6n5YI/2Z8XcQoDdBnilnGv2H8WjiMqHU23CIWtpKxzgXDmjtWTv6K6IaHzJDvaQ
	 V334n1S+evaTiJkxwDViUTaQfeFvcIIKPCPZDNe8=
the dmarc records are

Code: Select all

v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@domain.com
Here is the SPF record:

Code: Select all

v=spf1 mx ip4:50.230.4.67 ip4:50.230.4.68 -all
You can see DMARC failed. But I don't understand why. The SPF record passes. DKIM does also (although we have that requirement relaxed here).

Maybe I'm misunderstanding something about DMARC, but it seems like this should work.

Thank you for the help!
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: possible efa spoof

Post by smyers119 » 18 May 2020 12:08

So gmail is showing that spf and dmarc are failing. Can you pm your domain so I can find out what your doing wrong. I'll also pm you my email so you can send me a test email.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: possible efa spoof

Post by jamerson » 20 May 2020 09:30

smyers119 wrote:
18 May 2020 12:08
So gmail is showing that spf and dmarc are failing. Can you pm your domain so I can find out what your doing wrong. I'll also pm you my email so you can send me a test email.
only Dmarc is failing, spf and dkim are set up correctly.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: possible efa spoof

Post by smyers119 » 20 May 2020 14:18

Authentication-Results: mx-01.domain.com; spf=fail smtp.mailfrom=julien@domain.com

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: possible efa spoof

Post by jamerson » 22 May 2020 09:14

smyers119 wrote:
20 May 2020 14:18
Authentication-Results: mx-01.domain.com; spf=fail smtp.mailfrom=julien@domain.com
good catch, i didnt see that one, but using mail-tester it scores 10/10 and spf is succecefully passed.
is this only google thing that dkim and spf failed
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

User avatar
shawniverson
Posts: 3089
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: possible efa spoof

Post by shawniverson » 22 May 2020 13:54

If google says it is failing, it is failing. You need to revisit your spf and dkim.
Version eFa 4.0.2 now available!

Post Reply