Pantsu-san
Message 1 of 7

SPF fail = spam

Why are Virgin Media delivering emails that fail SPF to their customers' inboxes? It's failing for a reason: it's spam and the domain is being spoofed.

At least let me manually filter for this (spf=fail) from the source header and let me decide if I want to be constantly bombarded with digital excrement seeing as VM's response so far appears to be inept.

If you don't want to do your jobs competently then please give us the tools to do it ourselves.

Thanks for your time.

ravenstar68
Message 2 of 7

Re: SPF fail = spam

Except just because SPF fails doesn't mean that it's spam.

Consider a mail sent to a yahoo.co.uk address and automatically forwarded on to a different mail provider.

Let's look at the authentication headers:

Authentication-Results: box.timothydutton.co.uk; dmarc=pass (p=quarantine dis=none) header.from=ravenstar68.co.uk
Authentication-Results: box.timothydutton.co.uk; spf=fail smtp.mailfrom=me@ravenstar68.co.uk
Authentication-Results: box.timothydutton.co.uk;
	dkim=pass (2048-bit key; unprotected) header.d=yahoo.com header.i=@yahoo.com header.b="AEu6/fIp";
	dkim=pass (2048-bit key; secure) header.d=ravenstar68.co.uk header.i=@ravenstar68.co.uk header.b="EhUFqJVB";
	dkim-atps=neutral

Here we have:

DMARC pass
SPF fail
DKIM pass

What's going on:

Because Yahoo forwarded my mail to an alternate address, when it arrives at the mail exchanger it's not coming from an IP address that I've specified in my SPF record. But the mail is still a legitimate mail.

However, before the mail was sent, my server created a DKIM signature and added it to the mail. Provided the body and certain headers have not been modified in transit, the DKIM signature still passes, even though the mail arrived from an unexpected source.

DMARC works by checking the SPF and DKIM headers. If either of them passes, the mail passes.

If both fail then the mail fails and the p=quarantine action is triggered.

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Pantsu-san
Message 3 of 7

Re: SPF fail = spam

In that example, yes, I agree.

However, the request is still valid: let us personally filter on the source header for *something* that works and if legit mails are being caught then that's on us to remedy.

ravenstar68
Message 4 of 7

Re: SPF fail = spam

In theory that should work, but VM don't necessarily write the software that does the filtering.

I do get your point, but here's something else to consider.

Looking at random spam in my inbox and Spam folder respectively, all of the mail I looked at had SPF passes. One mail sent from a GMX account even had a DKIM pass as well.

So based on that I'd say, filtering by SPF fail is more likely to reject legitimate mail than it is spam.

Finally, I'd also note that when VM took the mail service in house, prior to putting in DMARC checks, VM did try filtering on SPF hard fail; a number of VM customers did find legitimate mails being bounced because of the issue discussed above.

@ModTeam - Could we take a look into why if I enter a Header of 

Authentication-results:

and a condition of

Contains spf=fail

the filter fails to pick up on the result?

I suspect that the software is parsing the lines and because there are multiple Authentication-results: headers, the search ends at the first header found.

Tim

用心棒
Message 5 of 7

Re: SPF fail = spam

Consider creating a filter rule with the following conditions to handle these:

[Screenshot: 2021-02-11.jpeg]

@ravenstar68, it would be interesting to see how such a rule handles multiple occurrences of the header

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

ravenstar68
Message 6 of 7

Re: SPF fail = spam

@用心棒 

That's where I went wrong.  I left the : at the end of Authentication-results.

That rule definitely caught spf=fail

Tim

ravenstar68
Message 7 of 7

Re: SPF fail = spam

Just to clarify, I created a Folder called caught and then set up the following rule:

[Screenshot: ravenstar68_0-1613165877923.png]

Ignore the icons in the input boxes, they're related to a couple of Chrome add ins I have installed.

Tim
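
Added example, not code from any poster or from Virgin Media's filter: a Python sketch of the rule discussed in this thread, run over the headers quoted in message 2. It shows that a match against only the first Authentication-Results header misses spf=fail, that matching every occurrence catches it, and that also requiring DMARC not to have passed spares the forwarded message. The function names are hypothetical, and the check that the header was stamped by the receiving server (its authserv-id) is an assumption added here because senders can insert their own Authentication-Results headers.

```python
import email
import re

# Headers as quoted in message 2 of the thread; From/Subject/body are constructed.
FORWARDED = """\
Authentication-Results: box.timothydutton.co.uk; dmarc=pass (p=quarantine dis=none) header.from=ravenstar68.co.uk
Authentication-Results: box.timothydutton.co.uk; spf=fail smtp.mailfrom=me@ravenstar68.co.uk
Authentication-Results: box.timothydutton.co.uk;
\tdkim=pass (2048-bit key; unprotected) header.d=yahoo.com header.i=@yahoo.com header.b="AEu6/fIp";
\tdkim=pass (2048-bit key; secure) header.d=ravenstar68.co.uk header.i=@ravenstar68.co.uk header.b="EhUFqJVB";
\tdkim-atps=neutral
From: me@ravenstar68.co.uk
Subject: constructed sample

constructed body
"""

# Matches "spf=fail", "dkim=pass", "dmarc=pass"; not "dkim-atps=" or "header.d=".
RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(raw, authserv_id, first_only=False):
    """Return {method: {results}} from headers stamped by our own receiver."""
    msg = email.message_from_string(raw)
    # Header name has no trailing colon; get_all() returns every occurrence.
    values = msg.get_all("Authentication-Results", [])
    if first_only:
        values = values[:1]  # what a first-match-only filter would see
    found = {}
    for value in values:
        # Ignore headers whose authserv-id is not our receiving server.
        if value.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue
        for method, result in RESULT.findall(value):
            found.setdefault(method.lower(), set()).add(result.lower())
    return found

def spf_fail_rule(raw, authserv_id, first_only=False):
    """The rule asked for in the thread: any spf=fail matches."""
    return "fail" in auth_results(raw, authserv_id, first_only).get("spf", set())

def spf_fail_unless_dmarc_pass(raw, authserv_id):
    """Narrower rule: spf=fail only counts when DMARC did not pass."""
    res = auth_results(raw, authserv_id)
    return "fail" in res.get("spf", set()) and "pass" not in res.get("dmarc", set())

if __name__ == "__main__":
    print(auth_results(FORWARDED, "box.timothydutton.co.uk"))
```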
