[exim-dev] [Bug 996] New: SPF checks work sometimes, but not…

Top Pagina
Delete this message
Reply to this message
Auteur: Thanassis Tsiodras
Datum:  
Aan: exim-dev
Onderwerp: [exim-dev] [Bug 996] New: SPF checks work sometimes, but not always
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=996
           Summary: SPF checks work sometimes, but not always
           Product: Exim
           Version: 4.69
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Delivery in general
        AssignedTo: nigel@???
        ReportedBy: ttsiodras@???
                CC: exim-dev@???



First things first:

bash$ exim -bV
Exim version 4.69 #1 built 16-Mar-2009 14:44:43
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (February 22, 2005)
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning Old_Demime
Experimental_SPF Experimental_SRS Experimental_DomainKeys
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz passwd
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf

Now, the weird behaviour I am seeing:

By grep-ing in my cPanel's (v.11) exim_mainlog, I can see that the SPF checks I
added for my company's domain (semantix.gr) are working:

bash$ sudo grep -i spf /var/log/exim_mainlog | grep ttsiod
2010-06-03 05:48:54 H=(212.113.232.115) [212.113.232.115]
F=<ttsiodras@???> rejected RCPT <ttsiodras@???>: SPF:
212.113.232.115 is not allowed to send mail from semantix.gr
...

That is, someone tried to send mail with a forged "from" that supposedly came
from my account at my company, but the SPF check stopped it in its tracks
(the valid MX addresses are reported in the SPF part of the DNS record for
"semantix.gr", and do not include "212.113.232.115").

However, some of these mails, with "forged froms" that supposedly originate
from my company, DO pass exim's SPF checks:

2010-06-05 10:23:48 1OKuHr-00025w-TD H=cuscon77544.tstt.net.tt
(cuscon79293.tstt.net.tt) [190.58.182.10] Warning: "SpamAssassin as semantix
detected message as NOT spam (-1.1)"
2010-06-05 10:23:48 1OKuHr-00025w-TD <= obson@???
H=cuscon77544.tstt.net.tt (cuscon79293.tstt.net.tt) [190.58.182.10] P=smtp
S=1334
2010-06-05 10:23:49 1OKuHr-00025w-TD => ttsiodras <ttsiodras@???>
R=virtual_user T=virtual_userdelivery
2010-06-05 10:23:49 1OKuHr-00025w-TD Completed

Exim says in the log that the mail's "From" was "obson@???" -
but in fact, the actual spam I received has these headers, impersonating myself
sending to myself, with "obson@???" only referred in the
"Return-path"... (does this mean that Exim uses "Return-path" instead of "From"
during the SPF checks? If so, why? If it were using the "From" it would be
clear that this is a fraudulent message...)

Here are the actual headers of the message, as received in my Thunderbird:

Return-path: <obson@???>
Envelope-to: ttsiodras@???
Delivery-date: Sat, 05 Jun 2010 10:23:49 -0400
Received: from cuscon77544.tstt.net.tt ([190.58.182.10]
helo=cuscon79293.tstt.net.tt)
        by vz104.securenet-server.net with smtp (Exim 4.69)
        (envelope-from <obson@???>)
        id 1OKuHr-00025w-TD
        for ttsiodras@???; Sat, 05 Jun 2010 10:23:48 -0400
From: <ttsiodras@???>
To: <ttsiodras@???>
Subject: International Real Estate Consulting Company needs local
representation
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.1
...



Any help/advise most welcome.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email