SPF filter should be higher up in the order

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
Posted: 09 April 2012 at 11:50am
Seeing a large increase of phishing using common vendors like airlines, stores like NewEgg, UPS, FedEx, etc. Things a lot of people have whitelisted. I checked on a Newegg order and an airline ticket email I got today that were both phishing attempts and the SPF filter caught them, but because the email from addresses were whitelisted they got through to my inbox. SPF is a tool most major vendors are using to fight spam. I think if you changed the SPF filter to just above the whitelist entries it would make more sense. I think spammers know what the filter order is for SFE and how to get around it. By moving the SPF test up the list it would help close one big hole.
http://www.webguyz.net

LogSat
Admin Group, Joined: 25 January 2005, Location: United States, Points: 4104
There are several large websites (for ex. cnn.com) that have grossly misconfigured "email this" links. When a user clicks to send the link to their friends, the websites often ask for the sender's and the recipient's email address. The administrators/web designers, who obviously have no idea of what SPF is or don't care about their emails not reaching their destination, then proceed to send the email to the recipients using the email address of the sender as the "from", instead of using their own domain (ex. robot@cnn.com). This will cause any SPF filter to reject the email if the sender's domain has SPF configured.
This is just an example, but it shows why whitelists should always have precedence over other filters. If an email is to be whitelisted for some reason, and it ends up being blocked anyway because there are other filters that take over even though the user is expecting it to be whitelisted, this could result in some very upset customers.

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
I agree whitelists should take precedence, but if spoofing is used to achieve the whitelisting then what's the point. I would rather have a false positive end up in quarantine than have a spoofed whitelisted entry come sailing into my inbox as well as my customers' inboxes. I have to explain to them that since they whitelisted apple.com they must receive all emails from apple.com even when the email itself did not really come from apple.com.
Anyone else out there getting a lot of phishing emails for popular websites like PayPal, Newegg, UPS, airline companies, etc., usually an email invoice for a large amount of money?

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
I think the rule of whitelisting having priority must remain. Saying you can whitelist, except the whitelist would not apply under specific conditions like SPF failure, would be very confusing.
I think SPF is great and if implemented correctly it would single-handedly eliminate the worldwide problem of spam. Problem is people simply do not understand it, how to implement it, how to use it correctly etc., so it will never solve the spam problems of the world :-( PayPal is another one, often spoofed and often whitelisted.
I am a user of SF, not an employee. Use any advice offered at your own risk.

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
Actually this is a wonderful way for spammers to sneak in spam. Just spoof the most popular domains like paypal.com, constantcontact.com, ups.com, irs.gov and everything is let through because these are often whitelisted domains, like a free pass; the spam filter won't touch it. Brilliant on the part of spammers.
Looking at alternatives since this is too big a hole to ignore. I have to explain to customers why I can't stop the fake invoices they are getting from paypal.com, iTunes, Newegg, and others, unless I remove the whitelisted entries, which will just be back again after they get a valid invoice from one of these domains and retrieve it from quarantine.

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
How about whitelisting the IP address ranges of those big guys. Like PayPal's legit address space. Then BLACKLIST any other paypal address, this way legit stuff comes in and all others are rejected.

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
If you know of a list of the IPs of all major companies please point me to it. Then we wouldn't need all those different filters, just a single one for known good IPs. :-) Thanks!

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
They could be calculated from the SPF records. Here is PayPal:
ip4:216.113.188.96/27 ip4:66.211.168.230/31 ip4:173.0.84.224/28 ip4:208.201.241.163 ip4:67.72.99.26 ip4:206.165.246.80/29 ip4:64.127.115.252 ip4:194.64.234.129 ip4:65.110.161.77 ip4:204.13.11.48/29 ip4:63.80.14.0/23 ip4:208.64.132.0/22 ip4:81.223.46.0/27 etc. etc.
In reality though, monitoring where real email comes from would give you a much smaller subset. The ability to whitelist things in a different manner, one that the end users can not see, would be good. For example, if we could whitelist an email address and put a condition that it MUST also validate with SPF, then allow it through. That would be way too confusing for end users, but if we had the power to add server-wide whitelisting with a more advanced rule-set, that would be powerful.

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
So, expanding on that line of thought a bit more.
1) Blacklist paypal.
2) Whitelist the paypal domain, if SPF also validates.
If someone is spoofing paypal it would be rejected. You would also need a way to prevent someone from whitelisting paypal email addresses at the user level... Gets complex quick.
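An added Python example (not code from this thread, and not SpamFilter's own code) of the two ideas discussed above: deriving a domain's sending networks from the ip4 terms of its SPF record, and letting a whitelisted domain bypass the filters only when the connecting IP also passes that domain's SPF. The paypal.com record is built from the first few ip4 terms quoted above; the example.net record and all IP addresses are constructed. A real deployment resolves the TXT record over DNS and must also follow include:, a and mx mechanisms, which this evaluator deliberately ignores.

```python
import ipaddress
import re

# Sample SPF records (constructed input). The paypal.com terms are copied from
# the post above; example.net is an invented domain with a softfail policy.
SAMPLE_SPF = {
    "paypal.com": (
        "v=spf1 ip4:216.113.188.96/27 ip4:66.211.168.230/31 "
        "ip4:173.0.84.224/28 ip4:208.201.241.163 ip4:67.72.99.26 -all"
    ),
    "example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}


def spf_networks(record):
    """Networks listed by ip4:/ip6: terms of an SPF record.
    A bare address without a prefix length becomes a /32 (or /128)."""
    nets = []
    for term in record.split():
        match = re.fullmatch(r"\+?ip[46]:(\S+)", term)
        if match:
            nets.append(ipaddress.ip_network(match.group(1), strict=False))
    return nets


def spf_check(record, sender_ip):
    """Evaluate only the ip4/ip6 terms against the connecting IP.
    Returns 'pass' when listed, otherwise the qualifier of the trailing
    'all' term ('fail' for -all, 'softfail' for ~all, 'neutral' for ?all)."""
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in spf_networks(record)):
        return "pass"
    last = record.split()[-1]
    return {"-all": "fail", "~all": "softfail", "?all": "neutral"}.get(last, "none")


def whitelist_decision(whitelist, mail_from, sender_ip, spf_records):
    """Conditional whitelist: a whitelisted domain bypasses the filter chain
    only when the connecting IP passes that domain's SPF. A hard fail on a
    whitelisted domain is the spoofing case and goes to quarantine instead."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in whitelist:
        return "filter"          # not whitelisted: normal filter chain applies
    record = spf_records.get(domain)
    if record is None:
        return "deliver"         # domain publishes no SPF: whitelist alone decides
    result = spf_check(record, sender_ip)
    if result == "pass":
        return "deliver"         # whitelisted and the sending host is authorised
    if result == "fail":
        return "quarantine"      # whitelisted domain, unauthorised host: spoof
    return "filter"              # softfail/neutral: lose the bypass, keep filtering


if __name__ == "__main__":
    wl = {"paypal.com", "example.net"}
    for addr, ip in [("service@paypal.com", "173.0.84.230"),
                     ("service@paypal.com", "203.0.113.5"),
                     ("news@example.net", "203.0.113.5")]:
        print(addr, ip, "->", whitelist_decision(wl, addr, ip, SAMPLE_SPF))
```

The same spf_check result can gate the "release and whitelist sender" option in a quarantine web interface: when the message hard-fails SPF, releasing it should not create a whitelist entry for the spoofed address.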

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
IP addresses change. Most major companies do NOT want to be spoofed and know what an SPF record is and how to add one. Not sure what you're talking about confusing end users; they have no clue how it works now. All they know is they are getting phishing spam and sending it to me, the admin, to stop it, and I have to tell them I can't without deleting their auto-whitelist entries, and then the next time they retrieve their paypal.com emails from quarantine they will be auto-whitelisted again and they will be allowing the same phishing email from faux paypal.com addresses.

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
You're overthinking this. The idea is to whitelist a REAL actual domain, not a faked domain.

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
I don't think I'm overthinking this, but I don't think SPF should overrule a whitelist.
You come across as a bit hostile, so I will shut up now. Hopefully you come up with a solution.

AndrewD
Groupie, Joined: 03 May 2008, Location: Australia, Points: 71
Webguyz, I think you are not thinking of the alternative.
A user receives an email from spoofed@legit.com; however, legit.com haven't implemented SPF correctly, so the message goes to quarantine. Everything good. Then the user receives a valid email from legit.com, but it goes to their quarantine. So they whitelist legit.com. That's how it works now, but the spoofed will come through as they are in the whitelist. If we enforce SPF prior to the whitelist, then regardless of whitelisting all the emails from legit.com will get quarantined and you will have users screaming "how come this always gets quarantined... I added it to my whitelist." This to me would be a bigger problem.
1. The users should only be whitelisting the email (user@legit.com), not the domain (*@legit.com). I know this doesn't always help as some companies (Constant Contact) utilize random users.
2. As has been said, add the IP to the whitelist, and run a script to remove all email whitelist entries for the domain. I know the email servers may change their IP address, but from the CIDR given above they have listed a large range of IPs, so you could add them all. (I have written an app to convert CIDR to a valid list of addresses if you want. I did this for greylisting companies like gmail.) Then if some time down the track they suddenly start getting caught again, you know that the IP has gone outside the original SPF CIDR range and you simply adjust your script to include all the new CIDRs. Then as long as legit.com keep their network secure and don't allow spammers to open relay through them, you should not have any problem.
Cheers.
Spamfilter web interface. www.tyrexpg.com.au
See http://www.logsat.com/SpamFilter/Forums/forum_posts.asp?TID=6883

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
How do I respond to customers like this who get Bank of America phishing attempts all the time because the scammers are using the same exact email address as what BofA uses? This was an official-looking email asking them to log into their account, and of course the links were somewhere overseas. Customer's email: "This is the third one of these I’ve gotten. I’ve confirmed they are not legit. While I forward them to the real BOA, now I’m sending them to my e-mail provider to black-list them."

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
You can keep after Roberto and see if he changes the system for you, but I have another suggestion.
It does not fix the issue 100%, but it certainly should help. Your situation may be different, but we allow users to view messages in quarantine via a web interface. They can click a message and view the message details, including two options:
* Release from quarantine
* Release from quarantine and whitelist sender
You could do your own SPF lookup when someone is looking at the message online. If the message fails the SPF check, the whitelist sender option would not be available. As mentioned, how well this works would depend on your setup. I think in our situation that would probably work quite well. Users could still manually whitelist the sender on our website, but it should reduce the instances of false whitelisting. Your mileage may vary...

WebGuyz
Senior Member, Joined: 09 May 2005, Location: United States, Points: 348
Found a solution. I have SpamAssassin check after the SFE and the ability to do a check on these headers:

X-SF-WhiteListedReason: AutoWhiteList Force Delivery
X-Rejection-Reason: 15 - 550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com - This email was rejected by our spamfilter. To notify the recipient go to http://spam.webguyz.net/freeme.asp
X-Return-Path: onlinebanking@ealerts.bankofamerica.com

Going to do a filter check: if whitelisted & rejection reason 'did not meet Sender Policy Framework Rules'. That should fix the problem quite elegantly.
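An added Python example (not from the post, and not SpamFilter's or SpamAssassin's code) of the post-filter check described above: read the headers the upstream filter stamped on the message and flag the combination "auto-whitelisted" plus "rejection reason mentions Sender Policy Framework". The SpamAssassin meta rule quoted in the docstring is the equivalent local.cf configuration; the exact header wording it matches on, the rule names and the score are assumptions, as are the sample messages (constructed, with placeholder sender domains).

```python
from email import message_from_string

# Constructed sample: headers modelled on the ones quoted in the post. The
# upstream filter whitelisted the sender but also recorded an SPF failure.
SPOOFED_WHITELISTED = """\
X-SF-WhiteListedReason: AutoWhiteList Force Delivery
X-Rejection-Reason: 15 - 550 The sender did not meet Sender Policy Framework
 rules. Please see http://spf.pobox.com - This email was rejected by our
 spamfilter.
X-Return-Path: onlinebanking@bank.example
From: Online Banking <onlinebanking@bank.example>
Subject: Please verify your account

Sign in to confirm your account details.
"""

# Constructed sample: same whitelist header, but no rejection reason at all.
# This is a legitimately whitelisted message and must not be penalised.
CLEAN_WHITELISTED = """\
X-SF-WhiteListedReason: AutoWhiteList Force Delivery
X-Return-Path: newsletter@bank.example
From: Newsletter <newsletter@bank.example>
Subject: Monthly statement available

Your statement is ready.
"""


def _flatten(header_value):
    """Collapse folded-header whitespace so substring matching is reliable."""
    return " ".join(str(header_value).split())


def header_flags(raw_message):
    """Mirror of a SpamAssassin meta rule (assumed local.cf, not from the post):
        header   LOCAL_SF_AUTOWL   X-SF-WhiteListedReason =~ /WhiteList/i
        header   LOCAL_SF_SPFFAIL  X-Rejection-Reason =~ /Sender Policy Framework/
        meta     LOCAL_WL_SPOOF    (LOCAL_SF_AUTOWL && LOCAL_SF_SPFFAIL)
        score    LOCAL_WL_SPOOF    10.0
    Only fires when both headers are present, so whitelisted mail that passed
    SPF and unlisted mail that failed SPF are both left to the normal rules."""
    msg = message_from_string(raw_message)
    wl_headers = msg.get_all("X-SF-WhiteListedReason", [])
    rej_headers = msg.get_all("X-Rejection-Reason", [])
    whitelisted = any("whitelist" in _flatten(h).lower() for h in wl_headers)
    spf_failed = any("sender policy framework" in _flatten(h).lower()
                     for h in rej_headers)
    return {
        "whitelisted": whitelisted,
        "spf_failed": spf_failed,
        "spoofed_whitelist": whitelisted and spf_failed,
    }


def score_adjustment(raw_message, penalty=10.0):
    """Score delta the meta rule would contribute (penalty or nothing)."""
    return penalty if header_flags(raw_message)["spoofed_whitelist"] else 0.0


if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_WHITELISTED),
                         ("clean", CLEAN_WHITELISTED)]:
        print(name, header_flags(sample), score_adjustment(sample))
```

This only works where the upstream filter stamps both headers before SpamAssassin runs, so the rule depends on the filter order the thread started with: SpamFilter first, then SpamAssassin.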

yapadu
Senior Member, Joined: 12 May 2005, Points: 297
That is a very sweet solution for those who pass email through spamassassin after spamfilter.