SPF check success RSS

1

Here is headers of received email:
==========================
Received: from mss-exmb02.sodrugestvo.local (172.21.16.129) by
mss-exmb03.sodrugestvo.local (172.29.10.6) with Microsoft SMTP Server (TLS)
id 15.0.1236.3 via Mailbox Transport; Fri, 2 Dec 2016 11:16:28 +0100
Received: from mss-exmb02.sodrugestvo.local (172.21.16.129) by
mss-exmb02.sodrugestvo.local (172.21.16.129) with Microsoft SMTP Server (TLS)
id 15.0.1236.3; Fri, 2 Dec 2016 12:16:27 +0200
Received: from mss-exedge01.sodrugestvo.local (172.20.17.135) by
mss-exmb02.sodrugestvo.local (172.21.16.129) with Microsoft SMTP Server (TLS)
id 15.0.1236.3 via Frontend Transport; Fri, 2 Dec 2016 12:16:27 +0200
Received: from smtp108.iad3a.emailsrvr.com (173.203.187.108) by
mss-exedge01.sodrugestvo.local (172.20.17.135) with Microsoft SMTP Server
(TLS) id 15.0.1156.6; Fri, 2 Dec 2016 12:15:50 +0200
Received: from smtp22.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
by smtp22.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 779E16B6D
for ; Fri, 2 Dec 2016 05:07:39 -0500 (EST)
Received: from app1.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140])
by smtp22.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 6EFF86B19
for ; Fri, 2 Dec 2016 05:07:39 -0500 (EST)
X-Sender-Id:
Received: from app1.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140])
by 0.0.0.0:25 (trex/5.7.12);
Fri, 02 Dec 2016 05:07:39 -0500
Received: from reagan.com (localhost [127.0.0.1])
by app1.wa-webapps.iad3a (Postfix) with ESMTP id 621FB60045
for ; Fri, 2 Dec 2016 05:07:39 -0500 (EST)
Received: by webmail.reagan.com
(Authenticated sender: , from: )
with HTTP; Fri, 2 Dec 2016 11:07:39 +0100 (CET)
Date: Fri, 2 Dec 2016 11:07:39 +0100
Subject: 02 Dec., 2016
From: Real User1
To:
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_20161202110739000000_49287"
Importance: Normal
X-Priority: 3 (Normal)
X-Type: html
X-Auth-ID:
Message-ID:
X-Mailer: webmail/12.6.3-RC
Return-Path:
X-MS-Exchange-Organization-PRD: sodru.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (mss-exedge01.sodrugestvo.local: does
not designate permitted sender hosts)
X-MS-Exchange-Organization-Network-Message-Id: 80f9a971-f7a9-4c6e-1bab-08d41a9c3130
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.16312.857;SID:SenderIDStatus None;OrigIP:173.203.187.108
X-MS-Exchange-Organization-AuthSource: mss-exedge01.sodrugestvo.local
X-MS-Exchange-Organization-AuthAs: Anonymous
==========================
In ORF logs i found this:
==========================

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 02.12.2016 12:15:52 GMT+0200 (local)
Sender Email:
Recipient Email:
Related IP: 173.203.187.108
Action: (not available)
Email Subject: 02 Dec., 2016

-- EVENT MESSAGE --
Email passed checks.

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server: mss-exedge01.sodrugestvo.local
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.3 REGISTERED

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 02.12.2016 12:15:50 GMT+0200 (local)
Sender Email:
Recipient Email:
Related IP: 173.203.187.108
Action: (not available)
Email Subject: 02 Dec., 2016

-- EVENT MESSAGE --
SPF check done for domain "reagan.com". Result: SPF Pass

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: System Message
Severity: Information
Server: mss-exedge01.sodrugestvo.local
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.3 REGISTERED

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 02.12.2016 12:07:22 GMT+0200 (local)
Sender Email:
Recipient Email:
Related IP: 173.203.187.108
Action: Rejected
Email Subject: (not available)

-- EVENT MESSAGE --
Temporarily rejected by the Greylisting Test.

-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Blacklist
Severity: Information
Server: mss-exedge01.sodrugestvo.local
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.3 REGISTERED

-------------------------------------------------------------------------------
==========================

So, i have question why realuser2 saw that mail came from realuser1?
I think it must fail on SPF check cause it put realuser1 name in from field. Am i wrong?

by Dmitriy Ilyin 2 years ago
2

IDK why but in post "headers" some filed was corrupted :
=========================
Subject: 02 Dec., 2016
From: Real User1
To:
Reply-To:
MIME-Version: 1.0
=========================
must be
=========================
Subject: 02 Dec., 2016
From: Real User1
To:
Reply-To:
MIME-Version: 1.0
=========================

by Dmitriy Ilyin 2 years ago
3

it broken again - email address was hided :(

by Dmitriy Ilyin 2 years ago
4

correct headers in pastebin http://pastebin.com/8zYBmEUM

by Dmitriy Ilyin 2 years ago
5

Hello Dmitriy,

To validate the sender of an email, the SPF Test checks the IP address of the sender against the SPF record of the domain derived from the *SMTP envelope sender address* - which is submitted by the sending server in the MAIL FROM command during the SMTP tranmission (see: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example). This address should not be confused with the *MIME sender address* which is set in the "From:" header field and is displayed by email clients, such as Outlook. If you were to construct your own outbound emails from scratch - just like spammers, phishers and legitimate newsletter services do - you too could put anything in the "From:" header field, as this practice is entirely legal by RFC standards.

If you want to filter emails based on the MIME sender information in order protect your own domain, you will need to manually create "message header filter" as described in the "Other campgaigns: MIME sender spoofing" section - at the bottom - of the following article: http://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam

by Daniel Novak (Vamsoft) 2 years ago
6

That's called MIME spoofing. We have a single server setup and use this keyword blacklist to stop them:
.*^From:[^\r\n]*\b[^\r\n]*@contos\.org\b[^\r\n]*\s$

Remember to whitelist any outside servers using your domain in the from field otherwise people in your organization won't be able to receive those emails.

by jean.davis 2 years ago
7

thanks!

by Dmitriy Ilyin 2 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed