Cisco Support Community
Community Member

Spoofed SPF Headers

Does Ironport strip existing SPF headers from incoming messages?

SANS Diary today had an interesting article by Johannes B. Ullrich, Ph.D. titled "UPS Malware Spam Using Fake SPF Headers".  Its premise was that spammers have started faking SPF headers to indicate the message has passed SPF validation.

To be effective in an Ironport environment, spoofed SPF headers would require at least the name of your Ironport servers to format the SPF record correctly.  No matter what, I would expect Ironport to write its own Received-SPF headers regardless of any found in incoming messages.

It is possible that conflicting headers could cause confusion if Ironport does not strip spoofed SPF headers first.

Cisco Employee

No - The ESA performs validation of SPF status based on the actual connecting IP - not the headers.  It will also still create its own SPF result headers, regardless of pre-existing headers.

- Jackie
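
Added example (not part of either post above, and not Cisco code): because the gateway writes its own result while any pre-existing Received-SPF headers stay in the message, downstream filters or analysts should act only on the header stamped at their own hop. This Python sketch separates the two by position and by the `receiver=` key defined in RFC 7208. Assumptions: the hostname `esa1.example.net` is hypothetical, the gateway always stamps its own header as described in the reply, and its header carries `receiver=<gateway name>`.

```python
import re
from email import message_from_string

GATEWAY = "esa1.example.net"  # hypothetical gateway hostname (assumption)

def split_spf_headers(raw, gateway=GATEWAY):
    """Return (trusted_result, untrusted_headers) for one raw message.

    Trace headers are prepended, so walking top-down we are inside our own
    hop until a Received header stamped "by" some other host appears.
    """
    trusted, untrusted, in_our_hop = None, [], True
    for name, value in message_from_string(raw).items():
        flat = " ".join(value.split())  # unfold continuation lines
        if name.lower() == "received":
            by = re.search(r"\bby\s+([^\s;]+)", flat)
            if not by or by.group(1).lower() != gateway:
                in_our_hop = False
        elif name.lower() == "received-spf":
            rcv = re.search(r"\breceiver=([^;\s]+)", flat)
            ours = rcv is not None and rcv.group(1).lower() == gateway
            if in_our_hop and ours and trusted is None:
                trusted = flat.split()[0].lower()  # result keyword, e.g. "softfail"
            else:
                untrusted.append(flat)  # sender-supplied: never act on it
    return trusted, untrusted

# Constructed sample: the gateway's own verdict on top, and a header that was
# already in the message, claiming "pass" and naming the gateway as receiver.
SAMPLE = (
    "Received: from mail.sender.example ([203.0.113.7])\n"
    " by esa1.example.net; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Received-SPF: SoftFail (esa1.example.net: domain of a@sender.example\n"
    " does not designate 203.0.113.7 as permitted sender)\n"
    " receiver=esa1.example.net; client-ip=203.0.113.7\n"
    "Received: from pc1 by mail.sender.example; Mon, 01 Jan 2024 09:59:58 +0000\n"
    "Received-SPF: pass (esa1.example.net: domain of a@sender.example\n"
    " designates 192.0.2.10 as permitted sender)\n"
    " receiver=esa1.example.net; client-ip=192.0.2.10\n"
    "From: a@sender.example\n"
    "Subject: Delivery notification\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(split_spf_headers(SAMPLE))
```

A matching `receiver=` value alone is not sufficient, since a sender who knows the gateway name can copy it; the position above the first foreign Received header is what marks the header as the gateway's own.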
