13

I run a mail server which appears to correctly handle emails with SPF set - however I've started receiving fake emails purporting to be from a bank - with the From address set as the bank - but which definitely do not originate from the bank.

The relevant headers of the email are as follows:

Delivered-To: me@mydomain.name
Received: from mail.mydomain.org (localhost [127.0.0.1])
    by mail.mydomain.org (Postfix) with ESMTP id AD4BB80D87
    for <user@mydomain.com>; Thu, 13 Oct 2016 20:04:01 +1300 (NZDT)
Received-SPF: none (www.tchile.com: No applicable sender policy available) receiver=mydomain.org; identity=mailfrom; envelope-from="apache@www.tchile.com"; helo=www.tchile.com; client-ip=200.6.122.202
Received: from www.tchile.com (www.tchile.com [200.6.122.202])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.org (Postfix) with ESMTPS id 40F6080B9F
    for <user@mydomain.com>; Thu, 13 Oct 2016 20:03:57 +1300 (NZDT)
Received: from www.tchile.com (localhost.localdomain [127.0.0.1])
    by www.tchile.com (8.13.1/8.13.1) with ESMTP id u9D73sOG017283
    for <user@mydomain.com>; Thu, 13 Oct 2016 04:03:55 -0300
Received: (from apache@localhost)
    by www.tchile.com (8.13.1/8.13.1/Submit) id u9D73smu017280;
    Thu, 13 Oct 2016 04:03:54 -0300
Date: Thu, 13 Oct 2016 04:03:54 -0300
Message-Id: <201610130703.u9D73smu017280@www.tchile.com>
To: user@mydomain.com
Subject: CANCELLATION_PROCESS.
From: KIWI BANK <noreply@kiwibank.co.nz>
Reply-To: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=029F3E3270D5187AA69203962BF830E3
X-Virus-Scanned: ClamAV using ClamSMTP

The key thing here is that kiwibank.co.nz is a legitimate, reputable bank where I am from, and it has an SPF record which reads:

kiwibank.co.nz.     13594   IN  TXT "v=spf1 include:_spf.jadeworld.com ip4:202.174.115.25 ip4:202.126.81.240 ip4:202.12.250.165 ip4:202.12.254.165 ip4:66.231.88.80 include:spf.smtp2go.com include:spf.protection.outlook.com -all"

So, after some reading - it appears that the Envelope-From is correct, but the "From" has been faked. Is there any way I can correct/mitigate this without breaking "general" email? I note that I use Postfix, Spamassassin and policyd (postfix-policyd-spf-perl) - and if it's really so easy to bypass, what's the point of SPF?

davidgo

2 Answers

13

In this case they probably said to your server something like this:

EHLO www.tchile.com
MAIL FROM: apache@www.tchile.com 
RCPT TO: user@mydomain.com
DATA
Date: Thu, 13 Oct 2016 04:03:54 -0300
Message-Id: <201610130703.u9D73smu017280@www.tchile.com>
To: user@mydomain.com
Subject: CANCELLATION_PROCESS.
From: KIWI BANK <noreply@kiwibank.co.nz>
Reply-To: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=029F3E3270D5187AA69203962BF830E3
X-Virus-Scanned: ClamAV using ClamSMTP

The contents of mail...
.

The SMTP conversation (aka "the envelope") can have a different From/To than the email headers. SPF doesn't check the header; however, it's always the header which is actually displayed to the end user! Yes, SMTP is that broken. Yes, SPF is that broken.

You will be best served by checking DMARC instead of only checking SPF. DMARC by default checks SPF, but it also checks the alignment of the From header with the SMTP MAIL FROM (the domains need to match - it ignores the username part). As a bonus you could also get DKIM support, which is a very useful addendum to SPF.

DMARC would depend on a DNS TXT record set at _dmarc.kiwibank.co.nz., but currently there is none. Per the current state of Internet regulations, that means the owner of kiwibank.co.nz. doesn't care at all about being protected against such spoofs. But in some implementations you could enforce DMARC for all incoming emails.

Mike
kubanczyk
  • SPF isn't broken. Mail itself is broken here. Envelope to != header to has good reasons. Cross-domain envelope from != header from doesn't have good reasons. – joshudson Oct 13 '16 at 15:48
  • 1
    @joshudson yes it does. For example, if I set up a `.forward` file (or other email forwarding) to forward from one of my accounts to another, it makes sense to preserve who the message is from (From header), and to display it as who it's from in the email client, etc. But any bounces generated by that forwarding (the envelope sender) should go to me, not the person who originally sent the message. The same applies to mailing lists. – derobert Oct 17 '16 at 22:12
  • 1
    @derobert Mailing lists are a fringe. Mail clients don't warn users about an obvious fake - it's a huge problem, and no `.forward` usage can justify it. – kubanczyk Oct 18 '16 at 08:02
  • This is just incredible. –  Feb 01 '19 at 06:27
2

So, after some reading - it appears that the Envelope-From is correct, but the "From" has been faked. Is there any way I can correct/mitigate this without breaking "general" email?

Verifying the From header will break mailing lists:

  1. foo@yourbank sends a mail to cat-picture-sharing-list@bar.

  2. The mailing list will take the mail,

    • replace the Envelope-From with something akin to cat-picture-sharing-list-bounce@bar,
    • possibly modify the Reply-To header and
    • re-send the mail to all recipients (e.g. you).

Now your mail server gets a mail with

Envelope-From: cat-picture-sharing-list-bounce@bar
From: foo@yourbank

sent from bar's mail servers.

I note that I use Postfix, Spamassassin and policyd (postfix-policyd-spf-perl) - and if it's really so easy to bypass, what's the point of SPF?

  1. Lots of spammers don't bother to send a "correct" Envelope-From.
  2. Your bank won't get (most of) the backscatter for this spam mail, since NDRs are (or: should be) sent to the Envelope-From address.
  3. Scoring based on Envelope-From gets more reliable. If you (or some scoring provider that you trust) assign all mails with Envelope-From=...@yourbank a highly negative spam score, spammers cannot abuse that.
Heinzi
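The following is an added example and is not code from either answer above. It implements the identifier-alignment check that the first answer says DMARC adds on top of SPF, and runs it over two inputs: the headers posted in the question (the envelope-from is apache@www.tchile.com, the header From is kiwibank.co.nz, so nothing aligns and the spoof is caught), and a constructed version of the second answer's mailing-list case, where a legitimate forwarded mail fails SPF alignment yet still passes once a surviving DKIM signature for the From domain is taken into account. Real DKIM verification is out of scope here; the list of domains whose signatures verified is passed in as an assumption. The domains bar.example and yourbank.example, the list address, and the small suffix table standing in for the Public Suffix List are all made up for illustration.

```python
"""Minimal DMARC-style identifier alignment check (added example).

The parser only looks at the Received-SPF and From headers; it does not
verify SPF or DKIM itself, it reproduces the alignment decision that DMARC
makes on top of those results.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Stand-in for the Public Suffix List (assumption: only these multi-label
# suffixes matter for the samples below). A real implementation uses the PSL.
TWO_LEVEL_SUFFIXES = {"co.nz", "org.nz", "net.nz", "co.uk", "com.au"}

# Constructed sample 1: the relevant headers from the question, verbatim.
SPOOFED_MESSAGE = """\
Received-SPF: none (www.tchile.com: No applicable sender policy available) receiver=mydomain.org; identity=mailfrom; envelope-from="apache@www.tchile.com"; helo=www.tchile.com; client-ip=200.6.122.202
From: KIWI BANK <noreply@kiwibank.co.nz>
To: user@mydomain.com
Subject: CANCELLATION_PROCESS.

(phishing body omitted)
"""

# Constructed sample 2: the second answer's mailing-list scenario. The list at
# bar.example rewrote the envelope sender but kept the author's From header.
LIST_MESSAGE = """\
Received-SPF: pass (bar.example: designated sender) receiver=mydomain.org; identity=mailfrom; envelope-from="cat-picture-sharing-list-bounce@bar.example"; helo=lists.bar.example; client-ip=192.0.2.10
From: foo@yourbank.example
To: user@mydomain.com
Subject: [cat-pictures] look at this one

(cat picture omitted)
"""


def org_domain(domain):
    """Organizational domain, e.g. noreply.kiwibank.co.nz -> kiwibank.co.nz."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(from_domain, authenticated_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain."""
    a, b = from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def header_from_domain(msg):
    """Domain of the RFC 5322 From header, the one the user actually sees."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2]


def envelope_from_domain(msg):
    """Domain of the SMTP MAIL FROM, as recorded by the SPF policy daemon."""
    m = re.search(r'envelope-from="?([^"\s;]+)"?', str(msg.get("Received-SPF", "")))
    return m.group(1).rpartition("@")[2] if m else ""


def spf_result(msg):
    """The result word at the start of Received-SPF (pass, none, fail, ...)."""
    m = re.match(r"\s*([A-Za-z]+)", str(msg.get("Received-SPF", "")))
    return m.group(1).lower() if m else "none"


def dmarc_evaluate(raw, dkim_pass_domains=(), mode="r"):
    """Combine SPF and DKIM results with alignment the way DMARC does.

    dkim_pass_domains: d= domains of DKIM signatures that verified (assumed
    input; signature verification itself is not implemented here).
    """
    msg = message_from_string(raw, policy=policy.default)
    from_dom = header_from_domain(msg)
    env_dom = envelope_from_domain(msg)
    spf = spf_result(msg)
    spf_aligned = spf == "pass" and aligned(from_dom, env_dom, mode)
    dkim_aligned = any(aligned(from_dom, d, mode) for d in dkim_pass_domains)
    return {
        "from": from_dom,
        "envelope_from": env_dom,
        "spf": spf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    print("spoof:           ", dmarc_evaluate(SPOOFED_MESSAGE))
    print("list, no DKIM:   ", dmarc_evaluate(LIST_MESSAGE))
    print("list, DKIM kept: ", dmarc_evaluate(LIST_MESSAGE, ("yourbank.example",)))
```

The spoof fails because the only authenticated identity (www.tchile.com, and even that with SPF "none") shares nothing with kiwibank.co.nz. The mailing-list mail shows the trade-off in the second answer: SPF passes for bar.example but is not aligned with the From domain, so a From-only rule rejects legitimate mail; it is only recoverable when the list leaves the author's DKIM signature intact, which is why DMARC combines both checks rather than replacing SPF.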