The SPF test isn't rejecting obvious forgeries!

Asked by Chloe

I set up SPF with Postfix and this email still got through. It is clearly a forgery. It is first delivered to oliveyou.net, somehow bypassing the Perl SPF check. Then a spam filter service called SpamArrest fetches the mail and does its own SPF checks, which correctly fail. How do I reject these emails in the first place?

-----------------------------------
Return-Path: <drolleroe3@8bitandroid.com>
X-Original-To: <email address hidden>
Delivered-To: <email address hidden>
Received-SPF: pass (8bitandroid.com: Sender is authorized by default to use 'drolleroe3@8bitandroid.com' in 'mfrom' identity (mechanism 'all' matched)) receiver=308321.oliveyou.net; identity=mailfrom; envelope-from="drolleroe3@8bitandroid.com"; helo="[193.158.253.131]"; client-ip=193.158.253.131
Received-SPF: fail(oliveyou.net: domain of
 _spf.spamarrest.com does not designate 193.158.253.131 as permitted sender)
Received: from [193.158.253.131] (unknown [193.158.253.131])
 by mail.kizbit.com (Postfix) with ESMTP id 5DDB4D41FB
 for <email address hidden>; Fri, 16 Nov 2012 17:21:24 -0500 (EST)
Message-ID: <Fri, 16 Nov 2012 23:21:57 +0100.808020@8bitandroid.com>
Date: Fri, 16 Nov 2012 23:21:57 +0100
From: <email address hidden>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <email address hidden>
Subject: Erect penis pills
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-SA-Poll-Id: 1353104904225..1351234150-1358..2..1353104517000
X-SA-USERIDNR: 3476943
X-SA-CTIP: 2
X-SA-RBLFAIL: 2
X-SA-MPREASON: SPF Failed - Preference is Unverified

We sell only quality pills.Your penis will be hard!
Trusted by thousands.
http://www.meds-deals.net/?affid=36271253

----------------------------------------------

Here is the maillog from oliveyou.net

------------------------------------
Nov 16 22:21:24 308321 postfix/policy-spf[30016]: Policy action=PREPEND Received-SPF: pass (8bitandroid.com: Sender is authorized by default to use 'drolleroe3@8bitandroid.com' in 'mfrom' identity (mechanism 'all' matched)) receiver=308321.oliveyou.net; identity=mailfrom; envelope-from="drolleroe3@8bitandroid.com"; helo="[193.158.253.131]"; client-ip=193.158.253.131
Nov 16 22:21:24 308321 postfix/smtpd[30007]: 5DDB4D41FB: client=unknown[193.158.253.131]
Nov 16 22:21:24 308321 postfix/cleanup[30017]: 5DDB4D41FB: message-id=<Fri, 16 Nov 2012 23:21:57 +0100.808020@8bitandroid.com>
Nov 16 22:21:24 308321 postfix/qmgr[27704]: 5DDB4D41FB: from=<drolleroe3@8bitandroid.com>, size=1027, nrcpt=1 (queue active)
Nov 16 22:21:24 308321 postfix/smtpd[30007]: disconnect from unknown[193.158.253.131]
Nov 16 22:21:25 308321 postfix/virtual[30018]: 5DDB4D41FB: to=<email address hidden>, relay=virtual, delay=0.93, delays=0.51/0/0/0.41, dsn=2.0.0, status=sent (delivered to maildir)
Nov 16 22:21:25 308321 postfix/qmgr[27704]: 5DDB4D41FB: removed
Nov 16 22:24:44 308321 postfix/anvil[30009]: statistics: max connection rate 1/60s for (smtp:193.158.253.131) at Nov 16 17:21:21
Nov 16 22:24:44 308321 postfix/anvil[30009]: statistics: max connection count 1 for (smtp:193.158.253.131) at Nov 16 17:21:21
Nov 16 22:24:44 308321 postfix/anvil[30009]: statistics: max cache size 1 at Nov 16 17:21:21
---------------------------------------------

Question information

Language: English
Status: Answered
For: postfix-policyd-spf-perl
Assignee: No assignee
Scott Kitterman (kitterman) said:
#1

Here's their SPF record:

8bitandroid.com. 606 IN TXT "v=spf1 +all"

The +all means that it matches everything. Since 8bitandroid.com has authorized mail from anywhere on the internet via SPF, SPF isn't going to give you a basis to reject these. It's a silly SPF record, but the package can only do what it's told based on the published record.

Chloe (starrychloe) said:
#2

But the email says: From: <email address hidden>, and my SPF record doesn't allow that IP.

Otherwise, SPF would be worthless because a spammer/forger would only need to find a single domain with +all.

Scott Kitterman (kitterman) said:
#3

SPF operates on the envelope from (also known as Mail From or Return Path). SPF Pass should not be used to accept mail from random domains (or you would be right). SPF Pass should only be used to whitelist known good domains. It's true that SPF doesn't block all types of forgery, but that was never its goal.
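To make the envelope-versus-header point concrete, here is an added example (not code from the thread or from postfix-policyd-spf-perl): a minimal SPF evaluator for the ip4 and all mechanisms over a constructed, offline DNS table, plus the policy mapping Scott describes. The 8bitandroid.com record is the one quoted above; example.net and its record are constructed placeholders, and the trusted-domain list is an assumption standing in for whatever whitelist the receiving site maintains.

```python
import ipaddress

# Constructed DNS table standing in for TXT lookups (no network access).
# 8bitandroid.com's record is the one quoted in the thread; example.net is a
# constructed placeholder for a domain that actually restricts its senders.
TXT = {
    "8bitandroid.com": "v=spf1 +all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 -all",  # constructed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the ip4 and all mechanisms of an SPF record (a small subset of RFC 7208).

    Returns (result, matched_mechanism). The domain checked is the MAIL FROM
    domain, which is why the header From: never enters this function.
    """
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual], "all"
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qual], term
    return "neutral", None  # nothing matched and no 'all' term


def policy_action(mail_from_domain, client_ip, trusted_domains):
    """Map an SPF result to a Postfix policy reply: reject on fail, whitelist
    on pass only for domains the receiver chose to trust, otherwise DUNNO
    (no opinion, let the remaining restrictions decide). The real policy
    daemon in the log above replied PREPEND instead; this mapping is an
    illustration of Scott's advice, not the package's behaviour."""
    result, _mechanism = spf_check(mail_from_domain, client_ip)
    if result == "fail":
        return "REJECT"
    if result == "pass" and mail_from_domain in trusted_domains:
        return "WHITELIST"
    return "DUNNO"
```

A "+all" record produces a pass for any client IP, so treating such a pass as proof of authorisation would let any sender through; keying the whitelist on domains you chose, as above, is what keeps that from happening.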
