Cisco Support Community

A new interesting SPAM bypassing SPF validation...

Hi All,

I received a notification from one of our users that he had received a spam message with his own e-mail address as the sender.
Our IronPorts are configured for SPF validation, so I was quite curious to find out that indeed the sender was his e-mail address.

See the SMTP headers below (some host names have been sanitized). The interesting trick here is that the spammer uses SPF headers with an "Envelope-from" and an X-Sender.

Any idea how we could block this?

Cheers,
Fred

Microsoft Mail Internet Headers Version 2.0
Received: from TIGER by PUMA with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 5 Sep 2008 11:58:04 +0100
Received: from ironport-2.champ.aero by TIGER with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 5 Sep 2008 11:58:04 +0100
Authentication-Results: ironport-2.champ.aero; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=220.227.219.2;
  receiver=mxfarm.champ.aero;
  envelope-from="duscan@peoplepc.com";
  x-sender="dus@cargolux.com";
  x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=220.227.219.2;
  receiver=mxfarm.champ.aero;
  envelope-from="duscan@peoplepc.com";
  x-sender="duscan@peoplepc.com";
  x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=220.227.219.2;
  receiver=mxfarm.champ.aero;
  envelope-from="duscan@peoplepc.com";
  x-sender="postmaster@kumar-e3c4892c0";
  x-conformance=sidf_compatible
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AmFYACGrwEjc49sCYWdsb2JhbAARgTSBH4NaimMLgQEcIEsBjT6WOmoJcg
X-IronPort-AV: E=Sophos;i="4.32,320,1217808000";
  d="scan'208,217";a="3729856"
Received: from unknown (HELO kumar-e3c4892c0) ([220.227.219.2])
by ironport-2.champ.aero with SMTP; 05 Sep 2008 10:58:00 +0000
X-SID-PRA: Malaki Jamison <dus>
X-SID-Result: Pass
X-Originating-IP: [72.51.74.05]
Return-Path: dus@cargolux.com
Message-ID: <20080905092802>
To: <dus>
Subject: Your Monthly Alerts
From: Paloma Marques <dus>
MIME-Version: 1.0
Importance: Normal
Content-Type: multipart/alternative;
  boundary="_b693bc36-9df7-4029-b503-7d7fe8a809f4_"
X-OriginalArrivalTime: 05 Sep 2008 10:58:04.0811 (UTC) FILETIME=[45B0C5B0:01C90F46]
Date: 5 Sep 2008 11:58:04 +0100

--_b693bc36-9df7-4029-b503-7d7fe8a809f4_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_b693bc36-9df7-4029-b503-7d7fe8a809f4_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Re: A new interesting SPAM bypassing SPF validation...

Hello,

Sorry, but it looks like in your case the spammer does not use any SPF entry at all, because for all three identity types you have a None result; see the lines from your post:
Received-SPF: None identity=pra; client-ip=220.227.219.2;
Received-SPF: None identity=mailfrom; client-ip=220.227.219.2;
Received-SPF: None identity=helo; client-ip=220.227.219.2;

Regards.

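Added example, not part of either post above and not Cisco or IronPort code: a small Python script that does by machine what the reply does by eye, and then applies the check the original question asks for. It parses each Received-SPF header into its result and key=value fields (result None means the check found no SPF/Sender ID record for the domain it queried, so the message neither passed nor failed), then flags a message whose visible From: address is in one of our own domains but which arrived from an external client IP without a Pass for any identity. The sample headers are constructed from the ones in the post; the From:/To: domain cargolux.com is assumed from the x-sender value because the post sanitizes it, and the "own domains" and "internal networks" parameters are illustrative.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post above.
# ASSUMPTION: the From/To domain is taken from the pra x-sender value,
# because the post shows it sanitized as <dus>.
SAMPLE_MESSAGE = """\
Received-SPF: None identity=pra; client-ip=220.227.219.2;
 receiver=mxfarm.champ.aero; envelope-from="duscan@peoplepc.com";
 x-sender="dus@cargolux.com"; x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=220.227.219.2;
 receiver=mxfarm.champ.aero; envelope-from="duscan@peoplepc.com";
 x-sender="duscan@peoplepc.com"; x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=220.227.219.2;
 receiver=mxfarm.champ.aero; envelope-from="duscan@peoplepc.com";
 x-sender="postmaster@kumar-e3c4892c0"; x-conformance=sidf_compatible
Received: from unknown (HELO kumar-e3c4892c0) ([220.227.219.2])
 by ironport-2.champ.aero with SMTP; 05 Sep 2008 10:58:00 +0000
Return-Path: dus@cargolux.com
From: Paloma Marques <dus@cargolux.com>
To: <dus@cargolux.com>
Subject: Your Monthly Alerts

(body omitted)
"""

# key=value pairs inside a Received-SPF value; values may be double-quoted
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^;\s]+))')


def parse_received_spf(value):
    """Split one Received-SPF header value into its result word and its
    key=value fields (identity, client-ip, envelope-from, x-sender, ...).
    Folding whitespace from the wire format is collapsed first."""
    value = " ".join(value.split())
    result, _, rest = value.partition(" ")
    fields = {"result": result.lower()}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key.lower()] = quoted if quoted else bare
    return fields


def spf_results(msg):
    """Map each checked identity (pra, mailfrom, helo) to its parsed header."""
    parsed = (parse_received_spf(v) for v in msg.get_all("Received-SPF", []))
    return {f.get("identity", "?"): f for f in parsed}


def is_external(ip, internal_nets):
    """True when the client IP lies outside all of our internal networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(n) for n in internal_nets)


def classify(raw, own_domains, internal_nets):
    """Flag a message whose From: claims one of our own domains but which came
    from an external host without an SPF/Sender ID Pass on any identity."""
    msg = message_from_string(raw)
    spf = spf_results(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    client_ips = sorted({f["client-ip"] for f in spf.values() if "client-ip" in f})
    summary = {
        "from_domain": from_domain,
        "client_ips": client_ips,
        "spf": {ident: f["result"] for ident, f in spf.items()},
        "envelope_from": spf.get("mailfrom", {}).get("envelope-from"),
        "pra": spf.get("pra", {}).get("x-sender"),
    }
    if from_domain not in {d.lower() for d in own_domains}:
        return dict(summary, flag=False, reason="From: domain is not one of ours")
    if not any(is_external(ip, internal_nets) for ip in client_ips):
        return dict(summary, flag=False, reason="connecting host is internal")
    if any(f["result"] == "pass" for f in spf.values()):
        return dict(summary, flag=False, reason="an SPF/Sender ID identity passed")
    results = ", ".join("%s=%s" % kv for kv in sorted(summary["spf"].items()))
    return dict(summary, flag=True,
                reason="own domain in From: from external host, no Pass (%s)" % results)


if __name__ == "__main__":
    # ASSUMPTION: illustrative own domain and internal address ranges.
    verdict = classify(SAMPLE_MESSAGE, ["cargolux.com"], ["10.0.0.0/8", "192.168.0.0/16"])
    for key, val in verdict.items():
        print("%-14s %s" % (key + ":", val))
```

The check deliberately keys on the visible From: domain rather than on the SPF result alone: with all three identities at None, an SPF-only policy has nothing to act on, whereas "our domain, external source, no Pass" is exactly the pattern of a message that should have come in through our own outbound path or an authorized relay.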