EOP SPF success when it should fail

  • Question

  • We recently started using EOP to filter our mail for an Exchange 2007 environment. We set up the X-Forefront-Antispam-Report rule to set the SCL for messages tagged as spam to at least 6 (we recently changed it to 9 as some messages were still appearing in users' inboxes rather than the junk folder).

    One issue we recently came across was a message sent with a spoofed from address. The message originates from a server not on our domain, or in our IP range, and not specified in our SPF records, and the from address is using our domain name. In the headers EOP tagged the SPF as a pass since the IP address of the originating server matched the SPF records of the originating server's FQDN. Neither the from nor the reply-to address matches that FQDN.

    Are we wrong in thinking that if a from address is included, it should check the SPF records for the domain specified in that address rather than just the originating server information? That is ultimately one reason we configured SPF in the first place: to help with rejecting messages that spoof our domain.

    Here are the headers in question:

    Received: from na01-bl2-obe.outbound.protection.outlook.com (207.46.163.205)
     by ex-cas2.nsula.edu (10.10.20.223) with Microsoft SMTP Server (TLS) id
     8.3.298.1; Mon, 10 Jun 2013 10:34:43 -0500
    Received: from BLUPR05CA002.namprd05.prod.outlook.com (10.255.219.160) by
     BLUPR05MB037.namprd05.prod.outlook.com (10.255.210.145) with Microsoft SMTP
     Server (TLS) id 15.0.702.21; Mon, 10 Jun 2013 15:34:41 +0000
    Received: from BY2FFO11FD025.protection.gbl (2a01:111:f400:7c0c::23) by
     BLUPR05CA002.outlook.office365.com (2a01:111:e400:83f::32) with Microsoft
     SMTP Server (TLS) id 15.0.702.21 via Frontend Transport; Mon, 10 Jun 2013
     15:34:41 +0000
    Received: from bosmailout15.eigbox.net (66.96.185.15) by
     BY2FFO11FD025.mail.protection.outlook.com (10.1.15.214) with Microsoft SMTP
     Server id 15.0.707.0 via Frontend Transport; Mon, 10 Jun 2013 15:34:40 +0000
    Received: from bosmailscan18.eigbox.net ([10.20.15.18])
     by bosmailout15.eigbox.net with esmtp (Exim)
     id 1Um47D-0004Lg-M5; Mon, 10 Jun 2013 11:34:39 -0400
    Received: from bosimpout03.eigbox.net ([10.20.55.3])
     by bosmailscan18.eigbox.net with esmtp (Exim)
     id 1Um47B-0001t6-KW; Mon, 10 Jun 2013 11:34:38 -0400
    Received: from boswebmail09.eigbox.net ([10.20.16.9])
     by bosimpout03.eigbox.net with NO UCE
     id mfPz1l00E0BjvkA01fPzxb; Mon, 10 Jun 2013 11:23:59 -0400
    X-Authority-Analysis: v=2.0 cv=bNyU0YCZ c=1 sm=1
     a=VPlmSNoSjRwk22eSPKD6cQ==:17 a=Q7zus9ReCAYA:10 a=kuCZ8jO7f7sA:10
     a=8nJEP1OIZ-IA:10 a=oGIcDX3jAAAA:8 a=hFlREuPYAAAA:8 a=-mM_um03YY5SmUl26csA:9
     a=wPNLvfGTeEIA:10 a=73YDsbcTHZsA:10 a=hdsnRn87qCUYT2jdlcOltA==:117
    X-EN-OrigOutIP: 10.20.16.9
    X-EN-IMPSID: mfPz1l00E0BjvkA01fPzxb
    Received: from [127.0.0.1] (helo=emailmg.startlogic.com)
     by boswebmail09.eigbox.net with esmtp (Exim)
     id 1Um46G-0000uF-Df; Mon, 10 Jun 2013 11:33:40 -0400
    Received: from 41.203.67.54 (SquirrelMail authenticated user
     <potential real address removed>) by emailmg.startlogic.com with HTTP;
     Mon, 10 Jun 2013 11:33:40 -0400
    Message-ID: <b3abdd9cfb4eaa9c30882bbdc2ee2daa.squirrel@emailmg.startlogic.com>
    Date: Mon, 10 Jun 2013 11:33:40 -0400
    Subject: Notice
    From: Northwestern State University <noreply@nsula.edu>
    Reply-To: <suport20@mail2webmaster.com>
    User-Agent: SquirrelMail/1.4.19
    MIME-Version: 1.0
    X-Priority: 3 (Normal)
    Importance: Normal
    Sender: Northwestern State University <noreply@nsula.edu>
    To: Undisclosed recipients:;
    Return-Path: SRS0=uNdlXP=P2=nsula.edu=noreply@eigbox.net
    X-Forefront-Antispam-Report: CIP:66.96.185.15;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(189002)(199002)(44976003)(74502001)(69226001)(50466002)(1671002)(46102001)(47736001)(54316002)(558084002)(47976001)(65816001)(221733001)(54356001)(56776001)(56816003)(76786001)(77096001)(63266003)(16406001)(74662001)(10356001)(23756003)(77982001)(76176001)(76796001)(47446002)(51856001)(43066001)(10646002)(63696002)(47776003)(881003)(59766001)(80022001)(74366001)(551544002)(74706001)(49866001)(76482001)(50986001)(20776003)(4396001)(79102001)(81342001)(74876001)(33646001)(81542001)(63076002);DIR:INB;SFP:;SCL:1;SRVR:BLUPR05MB037;H:bosmailout15.eigbox.net;RD:bosmailout15.eigbox.net;MX:1;A:1;LANG:en;
    Received-SPF: Pass (: domain of eigbox.net designates 66.96.185.15 as
     permitted sender) receiver=; client-ip=66.96.185.15;
     helo=bosmailout15.eigbox.net;
    X-OriginatorOrg: nsula.edu
    Content-type: text/plain;
    charset="US-ASCII"
    Content-transfer-encoding: 7bit

    I removed the original account used to authenticate to the originating server (nirvanacreations.com.au domain). You can see it has the from set to our domain (nsula.edu) and a reply-to at mail2webmaster.com. You can also see that it passes SPF due to domain eigbox.net designating the originating server IP as a valid sender for that domain.

    Our expectation is that EOP should see the from being @nsula.edu and do an SPF lookup at our domain and see that the IP address used isn't in our SPF record. It should then fail the SPF lookup.

    Any ideas on why this is not working as we expect? Is this a bug? 

    Thanks for any help.


    • Edited by Shawn parr Monday, June 17, 2013 4:01 PM Format headers to distinguish from message body
    Monday, June 17, 2013 4:00 PM
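What SPF actually evaluated here, as an added worked example (not part of the original post, and not Microsoft or EOP code): SPF (RFC 7208) is checked against the envelope sender (the RFC5321.MailFrom address that ends up in Return-Path) and the HELO name, never against the From: header a user sees. In the posted headers the Return-Path is an SRS-rewritten address at eigbox.net, so EOP looked up eigbox.net's SPF record, found 66.96.185.15 permitted, and recorded Pass; the original noreply@nsula.edu is still visible inside the SRS0 tag. Comparing the From: domain with the domain SPF authenticated is the identifier alignment that DMARC layers on top of SPF, which plain SPF does not do. The script below parses a trimmed copy of the headers above, recovers both domains, re-runs a minimal SPF evaluation against a constructed in-memory policy table (the SPF records and the nsula.edu address range are assumptions, not the real DNS records), and reports whether the two domains align.

```python
"""Why an SPF 'Pass' says nothing about the From: header domain.

Added example, not from the original post or from Microsoft/EOP. It parses
a header block, works out which domain SPF evaluated (the envelope sender
from Return-Path, here SRS-rewritten) and compares it with the From: domain.
SPF records come from a constructed in-memory table, not live DNS.
"""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed SPF policy table standing in for DNS TXT lookups (assumption).
# The eigbox.net range is chosen so the client IP from the posted headers
# (66.96.185.15) is permitted; the nsula.edu range is a placeholder.
SPF_POLICIES = {
    "eigbox.net": "v=spf1 ip4:66.96.185.0/24 -all",
    "nsula.edu": "v=spf1 ip4:10.10.20.0/24 -all",
}

# Trimmed copy of the headers quoted in the post above.
SAMPLE_HEADERS = """\
Received: from bosmailout15.eigbox.net (66.96.185.15) by
 BY2FFO11FD025.mail.protection.outlook.com (10.1.15.214) with Microsoft SMTP
 Server id 15.0.707.0 via Frontend Transport; Mon, 10 Jun 2013 15:34:40 +0000
From: Northwestern State University <noreply@nsula.edu>
Reply-To: <suport20@mail2webmaster.com>
Sender: Northwestern State University <noreply@nsula.edu>
Return-Path: SRS0=uNdlXP=P2=nsula.edu=noreply@eigbox.net
Received-SPF: Pass (: domain of eigbox.net designates 66.96.185.15 as
 permitted sender) receiver=; client-ip=66.96.185.15;
 helo=bosmailout15.eigbox.net;
"""

# SRS0 local part: SRS0=<hash>=<timestamp>=<original domain>=<original local>
SRS0_RE = re.compile(r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>.+)$", re.I)


def domain_of(header_value):
    """Lower-cased domain of the first address in a From:/Sender:-style header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def envelope_sender_domains(return_path):
    """Return (domain SPF evaluates, original domain hidden by SRS or None)."""
    addr = (return_path or "").strip().strip("<>")
    local, _, domain = addr.rpartition("@")
    m = SRS0_RE.match(local)
    original = m.group("domain").lower() if m else None
    return domain.lower(), original


def spf_check(domain, client_ip, policies=SPF_POLICIES):
    """Minimal SPF evaluator: ip4/ip6 mechanisms plus the trailing 'all'."""
    record = policies.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def aligned(from_domain, auth_domain, strict=False):
    """DMARC-style alignment between From: and the SPF-authenticated domain.
    Relaxed mode is approximated by a parent/child suffix match instead of a
    public-suffix-list organizational-domain lookup."""
    if strict:
        return from_domain == auth_domain
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def analyse(raw_headers, client_ip):
    """Report which identities SPF checked and whether they match From:."""
    msg = HeaderParser().parsestr(raw_headers)
    from_domain = domain_of(msg["From"])
    spf_domain, pre_srs_domain = envelope_sender_domains(msg["Return-Path"])
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,            # what EOP really looked up
        "pre_srs_domain": pre_srs_domain,    # what MAIL FROM was before SRS
        "spf_result": spf_check(spf_domain, client_ip),
        "spf_result_without_srs": (spf_check(pre_srs_domain, client_ip)
                                   if pre_srs_domain else None),
        "aligned": aligned(from_domain, spf_domain),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS, "66.96.185.15").items():
        print(f"{key:24} {value}")
```

Run as `python3 spf_alignment.py` (file name assumed): SPF for eigbox.net passes, the From: domain nsula.edu is not aligned with it, and the same IP would have failed had the forwarder not rewritten MAIL FROM with SRS. Rejecting on the `aligned` result is the DMARC-style check the post is asking SPF alone to perform.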

All replies

  • I am having the exact same issue with someone/thing sending mail to our domain from our domain.

    The originating IP is not on the SPF records, but one of the servers that the mail has passed through on its way in is.

    For some reason the SPF check is giving the message a pass when it really should be refusing it.

    I am unable to reproduce the error myself which is rather annoying.

    Monday, October 21, 2013 12:31 PM