Problem with SPF; some mails not blocked; only Return-Path checked and not From-Field?

It looks like the SPF check is working only on the Return-Path. Proved by: I can see external messages in the email log which are blocked via SPF (faking our domain as sender).

However, there are other messages, which have our domain in the from field (mail header) and they are not blocked.

Device log:
device="SFW" date=2021-12-16 time=11:54:15 timezone="CET"  [...]  status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="anonymous@s2.valueserver.jp" to_email_address="sales@ourdomain.com" email_subject="Here's the document shared with you" mailid="1mxoOs-00065N-RL-1639652055" mailsize=4297 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="s2.valueserver.jp" dst_domainname="" src_ip=157.7.184.17 src_country_code=JPN dst_ip= dst_country_code= protocol="TCP" src_port=34189 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"


Outlook:
Von: Sharepoint <finance9221792217@ourdomain.com>
Gesendet: Donnerstag, 16. Dezember 2021 11:54
An: Sales <Sales@ourdomain.com>
Betreff: EXTERN: [SPAM] Here's the document shared with you


mail header:
[...]
Received: from s2.valueserver.jp ([157.7.184.17]:54983)
    by mail.ourdomain.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.94.2)
    (envelope-from <anonymous@s2.valueserver.jp>)
    id 1mxoOs-00065M-RC
    for sales@ourdomain.com; Thu, 16 Dec 2021 11:54:15 +0100
Received: (qmail 969521 invoked by uid 10115); 16 Dec 2021 19:53:57 +0900
Date: Thu, 16 Dec 2021 19:53:57 +0900
Message-ID: <20211216105357.969520.qmail@s2.valueserver.jp>
To: <sales@ourdomain.com>
X-PHP-Originating-Script: 10115:onlygod.php
From: =?UTF-8?B?U2hhcmVwb2ludA==?=
    <finance1134411344@ourdomain.com>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Sophos-IBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Bulk
X-CTCH-VOD: Unknown
X-CTCH-Flags: 0
X-CTCH-RefID: str=0001.0A682F1C.61BB1AD7.005F,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
X-CTCH-Score: 0.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:
Subject: EXTERN: [SPAM] Here's the document shared with you
X-Sophos-Firewall: smtpd v1.0
Return-Path: anonymous@s2.valueserver.jp

Is it possible that only the Return-Path (SMTP from?) is SPF-checked and not the From field (header?)? This is very irritating.


Is there a way to check both fields, especially if the domain is not the same?


Thank you for your help.
Julian
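
SPF (RFC 7208) evaluates the envelope sender (MAIL FROM, recorded as Return-Path) and the HELO name, while the header From is what Outlook displays; comparing the two domains is the alignment check that DMARC adds. The following is an added example, not part of the original post and not Sophos code, run over the header fields quoted above; the function names and `OWN_DOMAINS` are assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the relevant header fields from the post above.
RAW = """\
Return-Path: anonymous@s2.valueserver.jp
To: <sales@ourdomain.com>
From: =?UTF-8?B?U2hhcmVwb2ludA==?=
    <finance1134411344@ourdomain.com>
Subject: Here's the document shared with you

body
"""

OWN_DOMAINS = {"ourdomain.com"}  # assumption: domains only internal senders may use


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains via the Public Suffix List."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def check_message(raw, own_domains=OWN_DOMAINS):
    msg = message_from_string(raw, policy=policy.default)
    envelope = domain_of(msg["Return-Path"])  # identity that SPF evaluates
    header = domain_of(msg["From"])           # identity the mail client shows
    ok = aligned(envelope, header)
    return {
        "display_name": parseaddr(str(msg["From"]))[0],  # RFC 2047 decoded
        "envelope_domain": envelope,
        "header_domain": header,
        "aligned": ok,
        # header From claims one of our domains, envelope sender is elsewhere
        "spoofs_own_domain": header in own_domains and not ok,
    }


if __name__ == "__main__":
    for key, value in check_message(RAW).items():
        print(f"{key}: {value}")
```

A message can pass SPF for `s2.valueserver.jp` and still be flagged here, because the check compares that domain with the one in the header From.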




This thread was automatically locked due to age.