#1 29-08-2017 15:28:21

Fleurou
Member
Registered: 03-05-2017
Posts: 7

SPF and DMARC

Hi all,
I am trying to get e-mails sent by spammers to my domain (called mydom.fr from here on), which pretend to be sent from mydom.fr, rejected.
So I set up SPF and DMARC:

TXT 	_dmarc 	v=DMARC1; p=quarantine; rua=mailto:dmarc@mydom.fr 		
TXT 	default._domainkey 	k=rsa; p=[...]

And some mails get correctly refused:
From: "Voicemail Service" <vmservice@mydom.fr>
To: "fleurou@mydom.fr" <fleurou@mydom.fr>

X-alwaysdata-Spam-Report: Content analysis details:   (8.5 points, 5.0 required)
	 pts rule name              description
	---- ---------------------- --------------------------------------------------
	 0.0 FSL_HELO_NON_FQDN_1    No description available.
	 0.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
	                            [89.47.1.58 listed in bl.mailspike.net]
	 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
	                            [89.47.1.58 listed in zen.spamhaus.org]
	 0.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
	 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
	[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=vmservice%40mydom.fr;ip=89.47.x.xx;r=mailscan1.paris1.alwaysdata.com]
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	                            [score: 0.0000]
	 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
	 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	                  [Blocked - see <http://www.spamcop.net/bl.shtml?89.47.1.58>]
	 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
	                            [89.47.1.58 listed in bb.barracudacentral.org]
	 1.5 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is an abusable web server
	                            [89.47.1.58 listed in dnsbl.sorbs.net]
	 0.5 RCVD_IN_SORBS_SPAM     RBL: SORBS: sender is a spam source
	 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
	 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
	 0.0 TO_EQ_FM_DOM_SPF_FAIL  To domain == From domain and external SPF
	                            failed

But some others are wrongly accepted:

Return-Path: <Elva5555@mydom.fr>
Delivered-To: fleurou@mydom.fr
Received: from smtpin1.paris1.alwaysdata.com ([2a00:b6e0:1:42:1::1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	by imap2.paris1.alwaysdata.com (Dovecot) with LMTP id /p7hL0Tuo1l5IgAAOPslWg
	for <fleurou@mydom.fr>; Mon, 28 Aug 2017 12:19:48 +0200
Return-path: <Elva5555@mydom.fr>
Envelope-to: fleurou@mydom.fr
Delivery-date: Mon, 28 Aug 2017 12:19:48 +0200
Received: from r2.smtpout1.paris1.alwaysdata.com ([2a00:b6e0:1:40:1:0:10:3])
	by smtpin1.paris1.alwaysdata.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.89)
	(envelope-from <Elva5555@mydom.fr>)
	id 1dmH92-0004w4-LZ
	for fleurou@mydom.fr; Mon, 28 Aug 2017 12:19:48 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=alwaysdata.net; s=; h=Content-Type:To:Subject:Message-ID:Date:From:
	MIME-Version:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=01P30k7y2JguqXgpNc9vakKDyYtlyPjgQiCs9nbGdkQ=; b=mT9HN3UFWPpTvna48TEHIq0v5o
	0vjuN3v3unKlmm9KegR8n2FLSbrPXwKtNICnNVEk1s5ggVW768aHc0uAobGbxKQbzBgT+2zY7kYmi
	3bm2h8r0Cpc8Uye2nhRPsU3rbCcEOp74rZ6Uxl6xVxSgjJQZnAGzwn0A34dweRSS6PAM=;
Received: from imap2.paris1.alwaysdata.com ([2a00:b6e0:1:30:2::1])
	by smtpout1.paris1.alwaysdata.com with esmtp (Exim 4.89)
	(envelope-from <Elva5555@mydom.fr>)
	id 1dmH91-0004r0-A5
	for fleurou@mydom.fr Mon, 28 Aug 2017 12:19:47 +0200
X-Sieve: Pigeonhole Sieve 0.4.13 (7b14904)
X-Sieve-Redirected-From: *@mydom.fr
Delivered-To: *@mydom.fr
Received: from smtpin1.paris1.alwaysdata.com ([2a00:b6e0:1:42:1::1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	by imap2.paris1.alwaysdata.com (Dovecot) with LMTP id kuKkKyruo1mxIAAAOPslWg
	for <*@mydom.fr>; Mon, 28 Aug 2017 12:19:47 +0200
Received: from [43.249.71.218]
	by smtpin1.paris1.alwaysdata.com with esmtp (Exim 4.89)
	(envelope-from <Elva5555@mydom.fr>)
	id 1dmH8z-0004m6-1c
	for cdewaroquier@mydom.fr; Mon, 28 Aug 2017 12:19:45 +0200
MIME-Version: 1.0
From: Elva Trickett <Elva5555@mydom.fr>
Date: Mon, 28 Aug 2017 17:19:30 +0700
Message-ID: <1867d7748cd085E9c13f7723a1148571359763A3bed3402Ff2B@mail.mydom.fr>
Subject: images
To: cdewaroquier@mydom.fr <cdewaroquier@mydom1.fr>
Content-Type: multipart/mixed; boundary="11b576eb489fd4223e054f57bc6d"
X-alwaysdata-Virus-Report: CLEAN
X-alwaysdata-Spam-Score: 3.7
X-alwaysdata-Spam-Report: Content analysis details:   (3.7 points, 5.0 required)
	 pts rule name              description
	---- ---------------------- --------------------------------------------------
	 1.5 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is an abusable web server
	                            [43.249.71.218 listed in dnsbl.sorbs.net]
	 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
	                            [43.249.71.218 listed in zen.spamhaus.org]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
	 0.0 HTML_MESSAGE           BODY: HTML included in message
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	                            [score: 0.0000]
X-alwaysdata-Outgoing-Rating: Rating score: 2
	+2: SpamAssassin score: high
X-alwaysdata-ID: 261029435
X-alwaysdata-Outgoing-Permission: ok

I have downloaded a Thunderbird extension to check the DKIM signature, and it identifies it as invalid (which is true). What can I do to enforce DMARC rules (at the moment it is only quarantine), and ensure nobody receives forged emails?

Thanks
Fleurou

#2 29-08-2017 16:02:40

@Héloïse
Staff
Registered: 03-03-2016
Posts: 196

Re: SPF and DMARC

Hello,

Could you try on an email with no redirection and give us the sources of this email?
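
An added example, not part of either post and not alwaysdata's code: it reads the accepted message's headers from post #1 hop by hop, reporting whether the message was redirected, which host made the final SMTP delivery, where it first entered the platform, and whether the DKIM `d=` domain aligns with the From domain. The names `analyse`, `sender_of` and the `provider` parameter are assumptions made for this sketch, the sample is a trimmed copy of the posted headers, and the alignment test is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers from post #1, trimmed (LMTP hops and long values dropped).
RAW = """\
Return-Path: <Elva5555@mydom.fr>
Received: from r2.smtpout1.paris1.alwaysdata.com ([2a00:b6e0:1:40:1:0:10:3])
\tby smtpin1.paris1.alwaysdata.com with esmtps (Exim 4.89)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=alwaysdata.net; s=;
Received: from imap2.paris1.alwaysdata.com ([2a00:b6e0:1:30:2::1])
\tby smtpout1.paris1.alwaysdata.com with esmtp (Exim 4.89)
X-Sieve-Redirected-From: *@mydom.fr
Received: from [43.249.71.218]
\tby smtpin1.paris1.alwaysdata.com with esmtp (Exim 4.89)
From: Elva Trickett <Elva5555@mydom.fr>
Subject: images

(body omitted)
"""

def sender_of(received):
    """Host or bracketed IP that follows 'from' in one Received header."""
    m = re.match(r"\s*from\s+(\S+)", received)
    return m.group(1).strip("[]").lower() if m else None

def analyse(raw, provider="alwaysdata.com"):
    """provider = domain of the receiving platform's own relays (assumption)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    hops = [sender_of(v) for v in msg.get_all("Received", [])]  # newest first
    # Entry point: newest hop whose sender is not one of the platform's relays.
    entry = next((h for h in hops if h and not h.endswith("." + provider)), None)
    dkim = [m.group(1).lower() for s in msg.get_all("DKIM-Signature", [])
            if (m := re.search(r"\bd=([^;\s]+)", s))]
    # Simplified relaxed alignment: same domain or parent/child of it.
    # A real DMARC check compares organizational domains (Public Suffix List).
    aligned = any(d == from_domain or d.endswith("." + from_domain)
                  or from_domain.endswith("." + d) for d in dkim)
    return {"from_domain": from_domain,
            "redirected": msg["X-Sieve-Redirected-From"] is not None,
            "delivered_from": hops[0] if hops else None,
            "first_external": entry,
            "dkim_domains": dkim,
            "dkim_aligned": aligned}

if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key}: {value}")
```

On this sample the final SMTP delivery comes from the platform's own outgoing relay while the message first entered from 43.249.71.218, and the only DKIM signature is for alwaysdata.net, which does not align with mydom.fr.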
