Spoofing emails even when SPF is used
SPF (Sender Policy Framework) is designed to prevent email forgery. However, spammers have figured out how to spoof even when SPF is used. This article talks about how is this done and what measures you can take to block such messages.How Is It Done
SPF checks theMAIL FROM value in the SMTP envelope, not the
FROM header in the message. Therefore, by using a domain that does not publish SPF record in the MAIL FROM they
can easily bypass SPF check.
Consider an example below, which has two parts: SMTP Envelope and Email Header
SMTP Envelope
Assume the message comes from 200.201.202.203 and no SPF or DMARC record exists for spammermarketing.net.
C --> EHLO host.spammermarketing.net S <-- 250-host.spammermarketing.net. Please to meet you S <-- 250 OK C --> MAIL FROM:<spammer@spammermarketing.net> S <-- 250 OK C --> RCPT TO:<victim@yourcompany.com>Notice the envelope suggests the sender belongs to spammermarketing.net, which does not have an SPF record.
Email Header
The email header for the message is displayed below.
From: Mr. CEO "ceo@yourcompany.com" <spammer@spammermarketing.net> To: <victim@yourcompany.com> Subject: Hi,my name is EvieNotice there are two email addresses in the
From header. Most email clients will only display the first
address, giving an impression the message came from their CEO.
What Happened
Since theMAIL FROM value in the envelope used a domain that did not have an SPF record, the receiving server
simply ignore checking for SPF. Additionally, DMARC was also skipped because SPF was missing.
Final result: the receiving server does not block the email. Message goes all the way to the recipients Inbox giving an impression it came from their CEO.
How To Block Such Emails In Xeams
Xeams comes with 2 custom filters that can assign scores to such messages:- Tricky Sender - Among other tricks, this looks for multiple email addresses in the FROM header
- Inconsistent Sender - This looks for different values in the envelope MAIL FROM and header FROM.