Hi,
In the last few days lots of spam has been ignored by my Proxmox Mail Gateway; it seems that the SPF check is only done on the 'helo' information and not the 'from'.
My SPF configuration is:
Code:
v=spf1 include:spf.protection.outlook.com include:mycorporate.net ip4:93.XX.YY.ZZ/32 ip4:91.XX.YY.ZZ/32 -all
My DMARC configuration is:
Code:
v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:dmarc@mycorporate.com;ruf=mailto:dmarc@mycorporate.com;ri=86400;fo=1
Spam header:
Code:
Received: from SERVEUR (192.168.9.11) by SERVEUR.mycorporate.local (192.168.9.11)
with Microsoft SMTP Server id 14.1.438.0; Thu, 21 Jul 2022 19:59:06 +0200
Return-Path: <>
Delivered-To: mycorporate-com-r.gggg@mycorporate.com
Received: (qmail 9357 invoked from network); 21 Jul 2022 17:58:14 -0000
Received: from smtp25.mycorporate.net (91.XX.YY.ZZ) by dns1.mycorporate.com with SMTP;
21 Jul 2022 17:58:14 -0000
Received: from smtp25.mycorporate.net (localhost.localdomain [127.0.0.1]) by
smtp25.mycorporate.net (Proxmox) with ESMTP id A6F3722BA2 for <r.gggg@mycorporate.com>;
Thu, 21 Jul 2022 19:58:14 +0200 (CEST)
Received-SPF: pass (peelregion.ca: Sender is authorized by default to use 'peelregion.ca' in 'helo' identity (mechanism 'all' matched)) receiver=smtp25.mycorporate.net; identity=helo; helo=peelregion.ca; client-ip=185.173.176.154
Received: from peelregion.ca (unknown [185.173.176.154]) by smtp25.mycorporate.net
(Proxmox) with ESMTP id BBCF822B9D for <r.gggg@mycorporate.com>; Thu, 21 Jul 2022
19:58:09 +0200 (CEST)
Received: from 10.194.153.162 by atlas102.aol.mail.bf1.yahoo.com with HTTPS;
Thu, 21 Jul 2023 15:55:17 +0000
X-Originating-Ip: [209.85.221.54]
Received-SPF: pass (domain of gmail.com designates 209.85.221.54 as permitted sender)
Authentication-Results: atlas102.aol.mail.bf1.yahoo.com;
dkim=pass header.i=@gmail.com header.s=20210112;
spf=pass smtp.mailfrom=gmail.com;
dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
X-Apparently-To: r.gggg@mycorporate.com; Thu, 21 Jul 2023 15:55:17 +0000
X-YMailAVSC: JPZiTNE3bBunbSuFZcQkbsT6yrqauCCjZRaGytILa3ztQq9
_vvqc7U1MXrodFjNMZQkOb_XXaMDszJu3fnIodqrLtI7jc1wNTcDElwXQ40b
azWJ76VX7TsN8cbw0sENRGoWYmBMaOWEbQJVngWLfrVq49AVIJsTBKUcu.Ok
nNRcmOTAyxVThyQmiqlx7hOnkU2dMXI1qjRga9iKwb1bnK.vRR1rWzR9aq8m
oMYw5e0m8SJLtsnkUbyQGnzIKqxkLZPiuBsS1vAGFNxih.K2pD1.J5Pl4dwq
PjYXcBpKZ0yNwiKK4vo3nrjfhwLmXeq1bIa2AnMwG25LXqhV_jNConXVxMq6
CGAfq2HKjWP44w8e8gDZfumX_edl6tWBz5lUXVQE_t7pS6btc1VwaYgTVIio
39Dt5UkTFLgPtvOQOka_Mfjqc_XFVrCOm0j28J7P674D45ICO2PUOGPhyKu2
ZlM9MDLexGU3vbAYCdaLx9yiOJZopNT0ZvN6al1IBcQ498MRukLyYakkL5Ld
aU06U8fRGxJkCY8akmoXlJ0mez71Jc5NMkxlDnlk1bUiYVfb6dNxB_FCxtnw
WB3Te_OE23HpY_so3D_OvujtTBnQ8d7NYgk5uE3tkT6sjRXAVbIcCev7mNw6
abdpiw71pBzvjp_qF2WN8hWpXDe9OwfbZdSC4EpUehTnzpbGwwZSQvCK_KV8
P104bwXB67FvnH7sbTHpR6KUmN6QG5lJ7Tr7kWe_H0uBRPkjIvnR6cl9bgzZ
s6w8M0bvAG.Kso8is83y5xhvXg0Gef8Rv7wHkBOXWWeymVXV8xGKmUmZNqPd
v0EIR4dzr5nDylndHlRY.uvTdOz8rw4wQHE_tVvdgSngAfRXEEkYct6smCTQ
12DhyDOUo8cf65MxBhqLpRgXQg9vwAJkZNoW8GVxZlmsMEOU_FQbEkXH9uAj
J8IgMm4s79Yf2PdY6n4C8xKSqDB5Wy0CF_Jhg4V3RI5VP.__GWbtTabnLFh8
nJSL9HNhG_heWqyziekAlBsMN_QDfXlG47vbO1ZiJDte97gGcgtDc1A021Lb
7Y2Hw35G1gsw-
X-YMailISG: C7e7jw4WLDvlYxDfuwyoULmeCZgb3meoQGwoX0ZvLhFEj_OR
aA60tTCOSwRb.3nOEi_vHb9Ui_GHEglHUth1ibid22FbmWgdV2OF2XMWpxjN
Tbh.I_UnQWUlF0TvxfXzGMHgWwFft592vtoz.8RVwXIIYJ5DtmGUP.drnUvM
LCQyDUdC93U2xs9FIGedltDNmO7HTZmMdypmaVWIDNd84k8PU.64oqaMTr1a
5jnmUYFSmeD62X71IzdMBciahbC2mdGvbWUu.Gt8oIX4yR5YnX47xE_byKeW
9AeQn0SAInPTM_qcAY7Eo8CQ_2uIMbocqAqK6Vrm2LZI5ZDE9SBPPrD11MTw
CjyWvKK.W1PIAeCCDwW19WYFlFM5OdHIVR97E9R_Mybuteq1UhjNIjsIQMOW
onAgNr03Zcpi0w2QR_Sx3X28drgi4ZUKFOiV3l05WKv6mYBzuMMxK5bDyq4_
oVumgyyupKC7L2SyW8mpKvI1tgsuuCFrZ_OMiGllSbh_H7a8S.33lxTXazFz
t7ZAHn.jjou8U4_JhhCYQU_SP5iw4uRq3GB1xpYiMKcG_tIIltIdJUEM5pms
7iiYUpVGpYCGwORtojjsIoXQ1zkF5k4.yRpb79ZNBg9f2XrnFhuDANk5puyt
tU.uAt98Haj.7_K_dX2fLxC73V9ka04pbOwXws9AzCDehOhodklK.MO2BSP2
GiKYGIIc7NSQp.CK2bAjka_ZzCuANYNMpX46SJmiRx8XV.ZkJxJDEiEm2PWj
SqgMWexD4RVyZElsWCVjmoksoTr_JQnWloxTp2YALaRXWEfTS9ocr1AbrdWd
lcMbNQorffZ51RoTI6XrXqM08nBjAwyiOwaw0B8bB_4.kDk6fZdSCosb6Xa_
Rwq5cTqCPAXPvvtjKUTuHonIApiGau.Sqdsl8WWpjx8DGeO6_Ae2XB_NYX9C
dtimLk0pQWa9nATdUdfLscmq6GoYOOyTyvj5U9S.CYqPe.kCXVpQEl4REgN1
jV2RWjZFyeQZoaS5zQ_YAXoDaz3zwBxa8BPW8lzo9RblEGGhPRDLilWhRO2V
.1FRxLIgNU3VOSQ-
Received: from 209.85.221.54 (EHLO mail-wr1-f54.google.com) by 10.194.153.162
with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256); Thu, 21 Jul 2023
15:55:17 +0000
Received: by mail-wr1-f54.google.com with SMTP id n12so2881980wrc.8 for
<r.gggg@mycorporate.com>; Thu, 21 Jul 2023 08:55:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=mime-version:from:date:message-id:subject:to;
bh=GFgKcMPTA9rvTjkzhUnVB1xxdNo8tAtvM1hW9AphR4M=;
b=dXQpF+LkGpw54M9DCiCPxSNeEUMN1nq6L91cAQYZuwi7KFI8VRoqB+uWJ2SlP4na8g
DFlFWOR3WdIEvpetW4eADeoOQxDvYe0LsPbdkNZ0Ozp7UCoZzhd/w62A2TV3v31qtxbw
ym9tnY372LeoCnxUJxfuc2+2KYLoCsbAljluvvdX36HNUlvGKn/eqnVTUw/w3rCo94W6
vGby9FsX+Tus8wJMPjz0upnB9sCxId/hqnFifA29zKdceA4cKaShI583fWeJkNJVOvqO
6079zx+KihtGPvgu0d449Lra9Xzs/rMp7WgNFMSLZq/MYg0MAgSpzVGrBvOwVfyoOgY3
SWvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=GFgKcMPTA9rvTjkzhUnVB1xxdNo8tAtvM1hW9AphR4M=;
b=ke5R0nrl0UOpR8Yf8XC6OhemD+FpYs5JkDVO3lT4k1FmSYNxjJNxsFFdMfw6wamqgK
CQ5v1QDDEB1v8bkfJAMnB5lSvZ34XXJ8ts2u1q04KrKPi7uRNUdiuy1cvObCnUxgf2RN
/ZnDim6SBtClxp83K5GuIfCMS4cJ8MkKgNIyh7sD8PCbC7OCDL0SA+gdMm7Oc58Uva5A
D+NO/85Lt65Nlt6E+EIeXRnd83Qv2L/SeyYH21R+eaBkLiytnsZPjTmy9El71gYMW3WD
EXwVH/lh48YxNIMl0V/5V3p5jdYs/uswxeZmomMK4JOBeT9c6qS9bFzkizVxA16v0UD/
eW/Q==
X-Gm-Message-State: AJIora+MPQF5IufwMmC6rJX0gbeNe5dajeTgIinRqbfp2DJwp/ZTMnVN
CzTn2ELrFAFYyEgCk86OPj2fhEiFZYdT5lRCdJl8yz7ebM0=
X-Google-Smtp-Source: AGRyM1spysgWi6CmNf+M/ic0fD04/jDSfLGoskTmJHxWv2TPKTh62jpbMlqMX4d41YVOJWWLVUZaOEYDqbUs3d/+sNk=
X-Received: by 2002:adf:e312:0:b0:21e:5d66:e0f1 with SMTP id
b18-20020adfe312000000b0021e5d66e0f1mr542007wrj.428.1658418916887; Thu, 21
Jul 2023 08:55:16 -0700 (PDT)
MIME-Version: 1.0
From: THE HOME DEPOT survey <r.gggg@mycorporate.com>
Date: Fri, 21 Jul 2023 08:55:06 -0700
Message-ID: <Dz9kiqPlPy02JNbFaaAyqSh1l3wXN_UOp-zNAeu7TBFQCsL5eXVu0PDm1w@mail.gmail.com>
Subject: complete this survey and enjoy your reward. ????
To: r.gggg <r.gggg@mycorporate.com>
Content-Type: text/html
X-SPAM-LEVEL: Spam detection results: 19
AWL -3.063 Adjusted score from AWL reputation of From: address
BAYES_99 3.5 Bayes spam probability is 99 to 100%
BAYES_999 0.2 Bayes spam probability is 99.9 to 100%
DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
HTML_FONT_SIZE_LARGE 0.001 HTML font size is large
HTML_IMAGE_RATIO_02 0.001 HTML has a low ratio of text to image area
HTML_MESSAGE 0.001 HTML included in message
HTML_MIME_NO_HTML_TAG 0.377 HTML-only message, but there is no HTML tag
KAM_DMARC_REJECT 3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_SHORT 0.001 Use of a URL Shortener for very short URL
KAM_STORAGE_GOOGLE 2.25 Google Storage API being abused by spammers
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
PDM_URI_GOOGLEAPIS 3 Rule to look for spammy Google API usage
RCVD_IN_BL_SPAMCOP_NET 1.347 Received via a relay in bl.spamcop.net
RCVD_IN_HOSTKARMA_BL 1.5 Sender listed in HOSTKARMA-BLACK
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
RCVD_IN_SBL 0.141 Received via a relay in Spamhaus SBL
RCVD_IN_SBL_CSS 3.335 Received via a relay in Spamhaus SBL-CSS
RCVD_IN_VALIDITY_RPBL 1.31 Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
URIBL_ABUSE_SURBL 1.25 Contains an URL listed in the ABUSE SURBL blocklist [iili.io]
Status:
X-MS-Exchange-Organization-AuthSource: SERVEUR.mycorporate.local
X-MS-Exchange-Organization-AuthAs: Anonymous
The spammer uses my own email address (From: THE HOME DEPOT survey <r.gggg@mycorporate.com>) to send spam to my own address (To: r.gggg <r.gggg@mycorporate.com>) and this is not blocked by SPF!
What am I missing?
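As an added illustration (not code from the post, from Proxmox or from SpamAssassin), the Python below walks through why the quoted headers show SPF evaluated on the HELO identity and why that pass does not help the spoofed From: the envelope sender is empty (Return-Path: <>), so SPF falls back to the HELO name, and under DMARC that HELO name is the domain that must align with the From header domain. The sample headers are constructed with a placeholder HELO name and IP.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post (trimmed):
# null envelope sender, a HELO name whose SPF record passes, spoofed From.
SAMPLE = (
    "Return-Path: <>\n"
    "Received-SPF: pass (helo.example: Sender is authorized by default to use"
    " 'helo.example' in 'helo' identity (mechanism 'all' matched))"
    " receiver=smtp25.mycorporate.net; identity=helo; helo=helo.example;"
    " client-ip=192.0.2.10\n"
    "From: THE HOME DEPOT survey <r.gggg@mycorporate.com>\n"
    "To: r.gggg <r.gggg@mycorporate.com>\n"
    "Subject: survey\n\n"
    "body\n"
)

def spf_checked_domain(envelope_from, helo):
    """RFC 7208 section 2.4: an empty MAIL FROM is checked as postmaster@HELO,
    so the identity SPF evaluates becomes the HELO name, not the From header."""
    if envelope_from.strip() in ("", "<>"):
        return "helo", helo.lower()
    return "mailfrom", envelope_from.strip("<>").rsplit("@", 1)[-1].lower()

def dmarc_spf_aligned(from_header, spf_result, spf_domain, aspf):
    """RFC 7489: the SPF-authenticated domain (MAIL FROM, or HELO for a null
    sender) must align with the RFC5322.From domain. aspf=s needs an exact
    match; aspf=r is simplified here to a parent/subdomain relationship."""
    if spf_result != "pass":
        return False
    from_domain = parseaddr(str(from_header))[1].rsplit("@", 1)[-1].lower()
    if aspf == "s":
        return spf_domain == from_domain
    return (spf_domain == from_domain or spf_domain.endswith("." + from_domain)
            or from_domain.endswith("." + spf_domain))

def analyse(raw, aspf="s"):
    """Read Return-Path, Received-SPF and From, and report which identity SPF
    checked and whether that result can satisfy DMARC SPF alignment."""
    msg = message_from_string(raw, policy=default)
    received_spf = str(msg["Received-SPF"])
    result = received_spf.split()[0]
    fields = dict(re.findall(r"(\w[\w-]*)=([^;\s]+)", received_spf))
    identity, domain = spf_checked_domain(str(msg["Return-Path"] or ""), fields.get("helo", ""))
    return {"spf_result": result, "spf_identity": identity, "spf_domain": domain,
            "dmarc_spf_aligned": dmarc_spf_aligned(msg["From"], result, domain, aspf)}
```

With the sample, SPF reports pass for identity helo on helo.example, but DMARC alignment against mycorporate.com fails, which is the combination that a DMARC-aware filter (the KAM_DMARC_REJECT score in the quoted header) catches while a plain SPF check does not.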