Spam Filter ISP Support Forum


SPF filter should be higher up in the order

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 09 April 2012 at 11:50am
Seeing a large increase of phishing using common vendors like airlines, stores like NewEgg, UPS, FedEx, etc. Things a lot of people have whitelisted. I checked on a Newegg order and an airline ticket email I got today that were both phishing attempts, and the SPF filter caught them, but because the email from addresses were whitelisted they got through to my inbox. SPF is a tool most major vendors are using to fight spam. I think if you changed the SPF filter to just above the whitelist entries it would make more sense. I think spammers know what the filter order is for SFE and how to get around it. By moving the SPF test up the list it would help close one big hole.
 
 
http://www.webguyz.net

LogSat (Admin Group, joined 25 January 2005, United States), posted 09 April 2012 at 7:02pm
There are several large websites (for ex. cnn.com) that have grossly misconfigured "email this" links. When a user clicks to send the link to their friends, the websites often ask for the sender's and the recipient's email address. The administrators/web designers, who obviously have no idea what SPF is or don't care about their emails not reaching their destination, then proceed to send the email to the recipients using the email address of the sender as the "from", instead of using their own domain (ex. robot@cnn.com). This will cause any SPF filter to reject the email if the sender's domain has SPF configured.

This is just an example, but it shows why whitelists should always have precedence over other filters. If an email is to be whitelisted for some reason, and it ends up being blocked anyway because there are other filters that take over even though the user is expecting it to be whitelisted, this could result in some very upset customers.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 09 April 2012 at 7:52pm
I agree whitelists should take precedence, but if spoofing is used to achieve the whitelisting then what's the point? I would rather have a false positive end up in quarantine than have a spoofed whitelisted entry come sailing into my inbox as well as my customers' inboxes. I have to explain to them that since they whitelisted apple.com they must receive all emails from apple.com even when the email itself did not really come from apple.com.
 
Anyone else out there getting a lot of phishing emails for popular websites like paypal, newegg, ups, airline companies, etc and usually an email invoice for a large amount of money?
http://www.webguyz.net

yapadu (Senior Member, joined 12 May 2005), posted 15 April 2012 at 10:28am
I think the rule of whitelisting having priority must remain.  Saying you can whitelist, except the whitelist would not apply under specific conditions like SPF failure would be very confusing.

I think SPF is great and if implemented correctly it would single-handedly eliminate the worldwide problem of spam.

Problem is people simply do not understand it, how to implement it, how to use it correctly, etc., so it will never solve the spam problems of the world :-(

Paypal is another one, often spoofed and often whitelisted.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 15 April 2012 at 10:49am
Actually this is a wonderful way for spammers to sneak in spam. Just spoof the most popular domains like paypal.com, constantcontact.com, ups.com, irs.gov and everything is let through because these are often whitelisted domains, like a free pass; the spam filter won't touch it. Brilliant on the part of spammers.

Looking at alternatives since this is too big a hole to ignore. I have to explain to customers why I can't stop the fake invoices they are getting from paypal.com, itunes, newegg, and others, unless I remove the whitelisted entries, which will just be back again after they get a valid invoice from one of these domains and retrieve it from quarantine.
 
 
http://www.webguyz.net

yapadu (Senior Member, joined 12 May 2005), posted 16 April 2012 at 4:22am
How about whitelisting the IP address ranges of those big guys.  Like PayPal's legit address space.  Then BLACKLIST any other paypal address, this way legit stuff comes in and all others are rejected.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 16 April 2012 at 9:54am
yapadu wrote:
> How about whitelisting the IP address ranges of those big guys.  Like PayPal's legit address space.  Then BLACKLIST any other paypal address, this way legit stuff comes in and all others are rejected.
 
If you know of a list of the IP's of all major companies please point me to it. Then we wouldn't need all those different filters and just a single one for known good IP's. :-)
 
Thanks!
http://www.webguyz.net

yapadu (Senior Member, joined 12 May 2005), posted 18 April 2012 at 12:40am
They could be calculated from the SPF records.  Here is PayPal's:

ip4:216.113.188.96/27 ip4:66.211.168.230/31 ip4:173.0.84.224/28
ip4:208.201.241.163 ip4:67.72.99.26 ip4:206.165.246.80/29
ip4:64.127.115.252 ip4:194.64.234.129 ip4:65.110.161.77
ip4:204.13.11.48/29 ip4:63.80.14.0/23 ip4:208.64.132.0/22 ip4:81.223.46.0/27

etc. etc.

In reality though monitoring where real email comes from would give you a much smaller subset.

The ability to whitelist things in a different manner, one that the end users cannot see, would be good.  For example, if we could whitelist an email address and put a condition that it MUST also validate with SPF, then allow it through.

That would be way too confusing for end users, but if we had the power to add server-wide whitelisting with a more advanced rule-set that would be powerful.

--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

yapadu (Senior Member, joined 12 May 2005), posted 18 April 2012 at 12:44am
So, expanding on that line of thought a bit more.

1) Blacklist paypal
2) Whitelist paypal domain, if SPF also validates.

If someone is spoofing paypal it would be rejected.  You would also need a way to prevent someone from whitelisting paypal email addresses at the user level...

Gets complex quick.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
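Added example (editor's code, not from any poster in this thread and not part of the SpamFilter product): it turns the ip4: mechanisms of an SPF record into networks the way the post above suggests, evaluates a connecting IP against them, and then runs three constructed messages through the two filter orders argued about in this thread, whitelist-first (the current behaviour described above) and "blacklist the domain, whitelist it only if SPF validates" (the two-step proposal in the preceding post). The PayPal record is assembled from the ip4: tokens quoted above; the example.com record, the sender addresses and the connecting IPs are made up, and include:, a, mx and redirect= mechanisms, which need live DNS, are not resolved.

```python
import ipaddress

# Constructed records. paypal.com is assembled from the ip4: tokens quoted in
# the thread; example.com is a made-up strict record standing in for a friend's
# mail provider (used for the "email this link" false-positive case).
SPF_RECORDS = {
    "paypal.com": (
        "v=spf1 ip4:216.113.188.96/27 ip4:66.211.168.230/31 ip4:173.0.84.224/28 "
        "ip4:208.201.241.163 ip4:67.72.99.26 ip4:206.165.246.80/29 "
        "ip4:64.127.115.252 ip4:194.64.234.129 ip4:65.110.161.77 "
        "ip4:204.13.11.48/29 ip4:63.80.14.0/23 ip4:208.64.132.0/22 "
        "ip4:81.223.46.0/27 -all"
    ),
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_networks(record):
    """Return ([networks], all_qualifier) from the ip4:/ip6: mechanisms."""
    nets, all_q = [], "?"          # a record with no 'all' term is neutral
    for term in record.split():
        if term.lower() == "v=spf1":
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and qual == "+":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif mech == "all":
            all_q = qual
        # include:, a, mx and redirect= need DNS; ignored in this offline example
    return nets, all_q


def spf_result(client_ip, record):
    """Minimal SPF evaluation: match the connecting IP against listed CIDRs."""
    if not record:
        return "none"
    nets, all_q = spf_networks(record)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in nets):
        return "pass"
    return ALL_RESULT[all_q]


def filter_message(sender, client_ip, whitelist, content_spam, mode):
    """Return 'deliver' or 'quarantine' under one of two filter orders.

    whitelist_first        a whitelist hit ends processing; SPF never runs
    whitelist_requires_spf a hard SPF fail is evaluated before the whitelist,
                           so a whitelist entry only helps a sender whose
                           SPF check passes
    """
    domain = sender.rpartition("@")[2].lower()
    spf = spf_result(client_ip, SPF_RECORDS.get(domain))
    whitelisted = sender.lower() in whitelist or domain in whitelist
    if mode == "whitelist_first":
        if whitelisted:
            return "deliver"
        return "quarantine" if (spf == "fail" or content_spam) else "deliver"
    if mode == "whitelist_requires_spf":
        if spf == "fail":
            return "quarantine"
        if whitelisted:
            return "deliver"
        return "quarantine" if content_spam else "deliver"
    raise ValueError(mode)


# Constructed messages. 203.0.113.7 and 198.51.100.9 are RFC 5737 documentation
# addresses standing in for a spammer's host and a news site's web server.
WHITELIST = {"paypal.com", "friend@example.com"}
CASES = {
    # name: (envelope sender, connecting IP, content filter thinks it is spam)
    "real_invoice":    ("service@paypal.com", "216.113.188.100", True),
    "spoofed_invoice": ("service@paypal.com", "203.0.113.7", True),
    "email_this_link": ("friend@example.com", "198.51.100.9", False),
}


def verdicts(mode):
    return {name: filter_message(sender, ip, WHITELIST, spam, mode)
            for name, (sender, ip, spam) in CASES.items()}


if __name__ == "__main__":
    for mode in ("whitelist_first", "whitelist_requires_spf"):
        print(mode, verdicts(mode))
```

The two orders show both sides of the argument: whitelist-first delivers the spoofed PayPal invoice, while SPF-before-whitelist quarantines it but also quarantines the legitimate "email this link" message relayed from a host outside the friend's SPF range, which is exactly the false positive LogSat describes. Whatever order is chosen, the CIDR list has to be regenerated whenever the published record changes, so a scheduled re-resolution with alerting on differences is the operational check to add.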

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 18 April 2012 at 12:50am
IP addresses change. Most major companies do NOT want to be spoofed and know what an SPF record is and how to add one.
Not sure what you're talking about confusing end users; they have no clue how it works now. All they know is they are getting phishing spam and sending it to me, the admin, to stop it, and I have to tell them I can't without deleting their autowhitelist entries, and then the next time they retrieve their paypal.com emails from quarantine they will be autowhitelisted again and they will be allowing the same phishing email from faux paypal.com addresses.
http://www.webguyz.net

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 18 April 2012 at 12:53am
yapadu wrote:
> If someone is spoofing paypal it would be rejected.  You would also need a way to prevent someone from whitelisting paypal email addresses at the user level...
>
> Gets complex quick.
But once they retrieve it from quarantine paypal.com is back in the whitelist and your blacklist entry is meaningless.
 
You're overthinking this. The idea is to whitelist a REAL actual domain, not a faked domain.
http://www.webguyz.net

yapadu (Senior Member, joined 12 May 2005), posted 18 April 2012 at 3:42am
I don't think I'm over thinking this, but I don't think SPF should overrule a white list.

You come across as a bit hostile, so I will shut up now.  Hopefully you come up with a solution.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

AndrewD (Groupie, joined 03 May 2008, Australia), posted 04 May 2012 at 9:51am
WebGuyz, I think you are not thinking of the alternative.
A user receives an email from spoofed@legit.com; however, legit.com haven't implemented SPF correctly, so the message goes to quarantine. Everything good.
Then the user receives a valid email from legit.com, but it goes to their quarantine. So they whitelist legit.com. That's how it works now, but the spoofed ones will come through as they are in the whitelist.

If we enforce SPF prior to the whitelist, then regardless of whitelisting all the emails from legit.com will get quarantined and you will have users screaming "how come this always gets quarantined... I added it to my whitelist." This to me would be a bigger problem.

1. The users should only be whitelisting the email (user@legit.com), not the domain (*@legit.com). I know this doesn't always help as some companies (Constant Contact) utilize random users.

2. As has been said, add the IP to the whitelist, and run a script to remove all email whitelist entries for the domain. I know the email servers may change their IP address, but from the CIDR given above they have listed a large range of IPs so you could add them all. (I have written an app to convert CIDR to a valid list of addresses if you want. I did this for greylisting companies like gmail.) Then if some time down the track they suddenly start getting caught again, you know that the IP has gone outside the original SPF CIDR range and you simply adjust your script to include all the new CIDRs.

Then as long as legit.com keep their network secure and don't allow spammers to open relay through them you should not have any problem.
 
Cheers.
Spamfilter web interface. www.tyrexpg.com.au

See http://www.logsat.com/SpamFilter/Forums/forum_posts.asp?TID=6883

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 01 June 2012 at 3:20pm
How do I respond to customers like this who get Bank of America phishing attempts all the time because the scammers are using the same exact email address as what BofA uses? This was an official-looking email asking them to log into their account and of course the links were somewhere overseas.
 
Customers Email:

"This is the third one of these I’ve gotten.  I’ve confirmed they are not legit.  While I forward them to the real BOA, now I’m sending them to my e-mail provider to black-list them."

How do I explain to customer that I can't do a thing about it.
 
Whitelisting by IP should be before SPF but whitelisting by name before SPF is a problem. Looked at my logfile and had over 300 emails from bankofamerica.com and all but 4 had failed the spf test, but they were forwarded to my customers because they use BofA and have it in their whitelist. heck I have BofA in my whitelist and I get the same crap and can't stop it. Doesn't do any good to remove all the entries from whitelists and hard code the IPs because the first authentic looking email from them that ends up in quarantine will be retrieved (and whitelisted) by customers who don't know any better.
 
Can't believe I'm the only one having this issue. I swear the spammers are targeting my customers because I use SFE.

http://www.webguyz.net

yapadu (Senior Member, joined 12 May 2005), posted 09 June 2012 at 3:16am
You can keep after Roberto and see if he changes the system for you, but I have another suggestion.

It does not fix the issue 100% but it certainly should help.

Your situation may be different, but we allow users to view messages in quarantine via a web interface.  They can click a message and view the message details, including two options:

* Release from quarantine
* Release from quarantine and whitelist sender

You could do your own SPF lookup when someone is looking at the message online.  If the message fails the SPF check the whitelist sender option would not be available.

As mentioned how well this works would depend on your setup.  I think in our situation that would probably work quite well.

Users could still manually whitelist the sender on our website, but it should reduce the instances of false whitelisting.

Your mileage may vary...
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

WebGuyz (Senior Member, joined 09 May 2005, United States), posted 09 June 2012 at 7:57am
Found a solution. I have SpamAssassin check after the SFE and the ability to do a content check of each email. Realized that in the header of each email that was whitelisted there is a rejection reason as well:

    X-SF-WhiteListedReason: AutoWhiteList Force Delivery
    X-Rejection-Reason: 15 - 550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com - This email was rejected by our spamfilter. To notify the recipient go to http://spam.webguyz.net/freeme.asp
    X-Return-Path: onlinebanking@ealerts.bankofamerica.com

Going to do a filter check: if whitelisted & rejection reason 'did not meet Sender Policy Framework Rules'.
That should fix the problem quite elegantly.
http://www.webguyz.net
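Added example (editor's code, not posted by anyone in this thread and not a SpamFilter or SpamAssassin component): it implements the post-filter check described in the post above as plain Python over the message headers, firing a meta rule when a message carries both the whitelist-reason header and an SPF rejection reason, and it also shows the quarantine-release variant suggested earlier in the thread, where a message that failed SPF can be released but not used to whitelist its sender. The three X-SF-WhiteListedReason / X-Rejection-Reason / X-Return-Path values are the ones quoted above; the From, To, Subject lines and bodies are constructed, and the rule names are made up.

```python
import email
import re

# Constructed messages. The X-SF-WhiteListedReason, X-Rejection-Reason and
# X-Return-Path values are the ones quoted in the post above; the From/To/
# Subject lines and bodies are made up for the example.
SPOOFED_BUT_WHITELISTED = """\
X-SF-WhiteListedReason: AutoWhiteList Force Delivery
X-Rejection-Reason: 15 - 550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com - This email was rejected by our spamfilter. To notify the recipient go to http://spam.webguyz.net/freeme.asp
X-Return-Path: onlinebanking@ealerts.bankofamerica.com
From: Bank of America <onlinebanking@ealerts.bankofamerica.com>
To: customer@example.org
Subject: Irregular activity on your account

Your online access has been limited. Sign in at the link below to restore it.
"""

WHITELISTED_AND_CLEAN = """\
X-SF-WhiteListedReason: AutoWhiteList Force Delivery
X-Return-Path: onlinebanking@ealerts.bankofamerica.com
From: Bank of America <onlinebanking@ealerts.bankofamerica.com>
To: customer@example.org
Subject: Your statement is available

Your monthly statement is ready to view.
"""

# Pinned to the exact wording the filter stamps; case-insensitive because the
# post above quotes the phrase with two different capitalisations.
SPF_REJECTION = re.compile(r"did not meet Sender Policy Framework rules", re.I)


def rule_hits(raw_message):
    """Return the names of the rules that fire, SpamAssassin style.

    SF_WHITELISTED            the filter stamped a whitelist reason header
    SF_SPF_REJECTED           the filter also recorded an SPF rejection reason
    SF_WHITELIST_BYPASSED_SPF meta rule: both of the above, i.e. a whitelist
                              entry forced delivery of a message that failed SPF
    """
    msg = email.message_from_string(raw_message)
    hits = []
    if msg.get("X-SF-WhiteListedReason"):
        hits.append("SF_WHITELISTED")
    reasons = msg.get_all("X-Rejection-Reason") or []
    if any(SPF_REJECTION.search(reason) for reason in reasons):
        hits.append("SF_SPF_REJECTED")
    if "SF_WHITELISTED" in hits and "SF_SPF_REJECTED" in hits:
        hits.append("SF_WHITELIST_BYPASSED_SPF")
    return hits


def whitelisted_spf_failure(raw_message):
    """True when the message should be quarantined despite the whitelist hit."""
    return "SF_WHITELIST_BYPASSED_SPF" in rule_hits(raw_message)


def release_options(raw_message):
    """Quarantine UI options: a message the filter rejected for SPF can be
    released, but must not create a whitelist entry for its forgeable sender."""
    if "SF_SPF_REJECTED" in rule_hits(raw_message):
        return ("release",)
    return ("release", "release_and_whitelist_sender")


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_BUT_WHITELISTED),
                      ("clean", WHITELISTED_AND_CLEAN)):
        print(name, rule_hits(raw), release_options(raw))
```

The same test in SpamAssassin's own configuration is a `header` rule on X-SF-WhiteListedReason, a second `header` rule matching the SPF phrase in X-Rejection-Reason, and a `meta` rule that requires both, with a `score` high enough to quarantine. Two caveats apply to either form: the regex is tied to the exact text the filter writes, so a product update that rewords the rejection reason silently disables the rule (watch for SF_SPF_REJECTED never firing), and the check only means anything if the inbound MTA path guarantees these headers were added by your own filter and not carried in from the sender.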

yapadu (Senior Member, joined 12 May 2005), posted 24 June 2012 at 4:57am
That is a very sweet solution for those who pass email through spamassassin after spamfilter.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.