Cisco Support Community
Community Member

Spoofed SPF Headers

Does Ironport strip existing SPF headers from incoming messages?

SANS Diary today had an interesting article by Johannes B. Ullrich, Ph.D. titled "UPS Malware Spam Using Fake SPF Headers".

https://isc.sans.edu/forums/diary/UPS+Malware+Spam+Using+Fake+SPF+Headers/17693

Its premise was that spammers have started faking SPF headers to indicate the message has passed SPF validation.

To be effective in an Ironport environment, spoofed SPF headers would require at least the name of your Ironport servers to format the SPF record correctly. No matter what, I would expect Ironport to write its own Received-SPF headers regardless of any found in incoming messages.

It is possible that conflicting headers could cause confusion if Ironport does not strip spoofed SPF headers first.

1 REPLY
Cisco Employee

No - The ESA performs validation of SPF status based on the actual connecting IP - not the headers.  It will also still create its own SPF result headers, regardless of pre-existing headers.

- Jackie
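
Since pre-existing headers can remain alongside the gateway's own result, a downstream filter can decide which `Received-SPF` line to believe by position. This is an added example, not code from the thread or from Cisco; the host name `esa1.example.net`, the sample message and the RFC 7208-style `receiver=` key are assumptions, and the ESA's exact header layout is not shown on this page.

```python
import email
import re

GATEWAY = "esa1.example.net"  # assumed name of your own gateway (placeholder)

# Constructed sample, newest header first. The lower Received-SPF line arrived
# with the message and already names the gateway, as the question anticipates.
SAMPLE = "\n".join([
    "Received: from relay.internal.example by mbox.internal.example; Mon, 1 Jan 2024 10:00:02 +0000",
    "Received-SPF: softfail (esa1.example.net: transitioning) client-ip=203.0.113.7; receiver=esa1.example.net; identity=mailfrom",
    "Received: from unknown (203.0.113.7) by esa1.example.net; Mon, 1 Jan 2024 10:00:01 +0000",
    "Received-SPF: pass (esa1.example.net: designated sender) client-ip=198.51.100.5; receiver=esa1.example.net; identity=mailfrom",
    "Received: from mail.shipper.example by relay.unknown.example; Mon, 1 Jan 2024 09:59:58 +0000",
    "From: Shipping <bounce@shipper.example>",
    "Subject: Delivery notification",
    "",
    "body",
])

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
RECEIVER_RE = re.compile(r"\breceiver=([^\s;]+)", re.I)


def split_received_spf(raw, gateway=GATEWAY):
    """Return (trusted, untrusted) SPF results, judged by header position."""
    headers = email.message_from_string(raw).items()  # order is preserved
    # Trust boundary: the topmost Received header stamped by our gateway.
    # Everything below it was already in the message when it arrived.
    boundary = None
    for i, (name, value) in enumerate(headers):
        m = BY_RE.search(value) if name.lower() == "received" else None
        if m and m.group(1).lower() == gateway:
            boundary = i
            break
    trusted, untrusted = [], []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received-spf":
            continue
        m = RECEIVER_RE.search(value)
        ours = bool(m) and m.group(1).lower() == gateway
        above = boundary is not None and i < boundary
        result = (value.split() or ["?"])[0].lower()
        (trusted if ours and above else untrusted).append(result)
    return trusted, untrusted


if __name__ == "__main__":
    print(split_received_spf(SAMPLE))
```

Matching on the `receiver=` name alone would accept both lines in the sample; the position check is what separates the gateway's result from the one that came in with the message.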
