SPF False Negative and DMARC Bypass.
Problem reported by J Lee - 4/29/2024 at 12:01 PM
Hi,

re: SmarterMail Enterprise 100.0.8867.17559

I'm seeing an issue where a spammer sends you a message with your own email address. 

The subject is "Security status not satisfied." This email has been flowing around the internet for a while now.

Your email address is usually a Trusted Sender, as it is in your Contact List by default.

The problem is highlighted below. The SPF is a "fail," but SmarterMail is saying it is a "pass."

182.180.172.210 is not in the domain SPF record, and it is not in the server whitelist.

The spam score on this email is enormous.

Received: from [182.180.172.210] (UnknownHost [182.180.172.210]) by mail.xxxxxx.com with SMTP;
   Mon, 29 Apr 2024 04:35:48 -0500
X-CTCH-RefID: str=0001.0A702F1D.662F43FE.00A9,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
Authentication-Results: spool.mail.xxxxxxx.com; iprev=fail (182.180.172.210); spf=pass smtp.mailfrom="slee@xxxx.com"; dkim=none
Authentication-Results: smtp.mail.s2cxxxx.com; dmarc=passed (v=DMARC1 p=reject rua=mailto:dmarc@xxxxx.com ruf=mailto:dmarc@xxxx.com fo=0 adkim=r aspf=r pct=100 rf=afrf ri=604800 sp=reject); spf=pass smtp.mailfrom="slee@xxxxt.com"
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
X-SmarterMail-Spam: DMARC [passed]: 0, Reverse DNS Lookup [ReverseFailed]: 5, Null Sender: 0, HONEYPOT [passed]: 0, Cyren [Confirmed]: 60, CyrenIP [MEDIUM]: 5, SpamAssassin [raw:23]: 142, SPF [Pass]: -4, DKIM [None]: 0, _ARC: none, Senderscore: 0, Spamcop.net: 0, uceprotect: 20, MailSpike Whitelist: 0, Mailspike.net L5 L4: 0, Spamhaus - Domain Block: 0, HostKarma - Black List: 40, HostKarma - White List: 0, Spamhaus - Block List: 40, Sorbs.net: 0, Spamhaus - Exploits: 0, Surriel.com: 40, Truncate DNSBL: 30, HostKarma - Brownlist: 10, SEM-BL Spam Eat Monkey: 0, RATS-Spam: 0, Barracudacentral.org: 0, virus.rbl.jp: 0, BONDEDSENDER: 0, Msrbl.net: 0, CBL - Abuse Seat: 30, SURBL - Spam Assassin: 0
Message-Id: <621B736F180A07047D15097E6C61621B@T7I0D3S>
Subject: Security status not satisfied.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

5 Replies

Christian Schmit Replied
We are on build 8874 and are experiencing the same problem. The subject of the email even looks to be the same as in our case. We have an open ticket with ST for this issue.
Brian Bjerring-Jensen Replied
We get the same.

[2024.04.27] 22:03:22.311 [16439041] SpamCheck Processing Thread Started
[2024.04.27] 22:03:22.312 [16439041] Filetype Checks started.
[2024.04.27] 22:03:22.312 [16439041] Filetype Checks completed.
[2024.04.27] 22:03:22.312 [16439041] ClamD Checks started.
[2024.04.27] 22:03:23.350 [16439041] ClamD Checks completed.
[2024.04.27] 22:03:23.350 [16439041] Microsoft Defender Checks started.
[2024.04.27] 22:03:23.350 [16439041] Microsoft Defender Checks completed.
[2024.04.27] 22:03:23.350 [16439041] Spam checks to run: Reverse Dns Lookup, Null Sender, SpamAssassin, _SPF, _DKIM, _ARC, Custom Rules, SURBL, DNSBL, SEM-URI, SPAMHAUS ZEN, SPAMRATS ALL, SORBS SPAM, UCEProtect Level 1, BARRACUDA, SPAMHAUS PBL, SPAMHAUS SBL, SPAMHAUS XBL, Spamhaus DBL, URIBL Black, URIBL Grey, URIBL Red, DOMAIN SPAM
[2024.04.27] 22:03:23.350 [16439041] Found 21 spam checks to run: Reverse Dns Lookup, Null Sender, SpamAssassin, _SPF, _DKIM, _ARC, Custom Rules, SURBL, DNSBL, SEM-URI, SPAMHAUS ZEN, SPAMRATS ALL, SORBS SPAM, UCEProtect Level 1, BARRACUDA, SPAMHAUS PBL, SPAMHAUS SBL, SPAMHAUS XBL, Spamhaus DBL, URIBL Black, URIBL Grey, URIBL Red, DOMAIN SPAM
[2024.04.27] 22:03:23.350 [16439041] Spam check args: from: emailaddr; messageID: 16439041; messagePath: C:/SmarterMail/Spool/16439041.eml; sender: emailaddr; sendersDomain: domain; sendersIp: 167.249.188.36; returnPath: emailaddr; sendersEhlo: 167-249-188-036.henet.com.br
[2024.04.27] 22:03:23.709 [16439041] [167.249.188.36] Valid reverse DNS entry found: 167-249-188-036.henet.com.br
[2024.04.27] [16439041] [167.249.188.36] 167-249-188-036.henet.com.br does not contain any entries that match this ip. Error: Non-Existent Domain
[2024.04.27] 22:03:24.519 [16439041] Running SPF check
[2024.04.27] 22:03:24.519 [16439041] Finished SPF check; result = Pass
[2024.04.27] 22:03:24.519 [16439041] [DKIM] Performing DKIM check...
[2024.04.27] 22:03:24.520 [16439041] [DKIM] Result: NoSignature.
[2024.04.27] 22:03:24.520 [16439041] [ARC] Performing ARC verification...
[2024.04.27] 22:03:34.598 [16439041] Spam Checks took 11248 ms
[2024.04.27] 22:03:34.599 [16439041] Spam Checks completed.
[2024.04.27] 22:03:34.599 [16439041] SpamCheck Processing Thread Completed


This guy sends from the domain, and the SPF record exists but lets a Brazilian server send on behalf of the domain. MAJOR security flaw!

This is not good.
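Both the headers in the original post and the log in Brian Bjerring-Jensen's reply show the same shape of failure: SPF reported as Pass for a source IP the domain's record does not authorize, and DMARC then passing on the strength of that SPF result with no DKIM signature present. The following is an added example, not SmarterMail code and not code posted by anyone in this thread: a minimal, offline SPF evaluator (the RFC 7208 ip4, ip6, a, mx, include and all mechanisms) together with the DMARC alignment decision from RFC 7489, run against a constructed zone for the placeholder domain example.com. The record, host names and addresses in FAKE_DNS are assumptions, as is the use of example.com in place of the redacted domain; the two sending IPs are the ones quoted in the thread, and the DMARC policy string mirrors the one in the Authentication-Results header above. What it shows is the expected behaviour: an unauthorized IP evaluates to fail under -all, and with DKIM absent a correct DMARC evaluation then fails and yields the p=reject disposition rather than pass.

```python
import ipaddress
import re

# Constructed, offline stand-in for DNS. The thread does not show the victim's
# real SPF record, so this zone (example.com and its hosts) is an assumption.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None (RFC 7208 s4.5)."""
    records = [t for t in lookup(domain, "TXT") if re.match(r"v=spf1(\s|$)", t, re.I)]
    return records[0] if len(records) == 1 else None


def ip_in(ip, cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return ip.version == net.version and ip in net


def check_spf(ip_str, domain, depth=0):
    """Evaluate ip_str against domain's SPF record: pass, fail, softfail, neutral,
    none or permerror. ptr/exists and the redirect= modifier are out of scope here."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10 per evaluation
        return "permerror"
    ip = ipaddress.ip_address(ip_str)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            mx_hosts = lookup(arg or domain, "MX")
            matched = any(ip_in(ip, a) for h in mx_hosts for a in lookup(h, "A"))
        elif mech == "include":
            # include matches only on a recursive pass; fail/softfail/neutral do not match
            matched = check_spf(ip_str, arg, depth + 1) == "pass"
        else:
            continue  # modifiers such as exp= and unknown terms are skipped in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit all


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; aspf=r ...' into a dict (';' or space separated tags)."""
    return dict(tok.split("=", 1) for tok in re.split(r"[;\s]+", txt.strip()) if "=" in tok)


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' is an exact match; 'r' accepts a shared
    organizational domain, approximated by a label-suffix match (production code
    would consult the Public Suffix List)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_result(header_from_domain, spf, spf_domain, dkim, dkim_domain, policy):
    """DMARC passes only on an aligned SPF pass or an aligned DKIM pass; otherwise
    the disposition is the domain owner's p= policy."""
    spf_ok = spf == "pass" and aligned(spf_domain, header_from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim == "pass" and bool(dkim_domain) and aligned(dkim_domain, header_from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


def evaluate(ip_str, mail_from, header_from, dkim, dkim_domain, dmarc_txt):
    """Receiver-side decision for one message: SPF on the envelope sender, then
    DMARC over the SPF and DKIM results against the RFC5322.From domain."""
    spf_domain = mail_from.rpartition("@")[2]
    spf = check_spf(ip_str, spf_domain)
    dmarc, disposition = dmarc_result(header_from.rpartition("@")[2], spf, spf_domain,
                                      dkim, dkim_domain, parse_dmarc(dmarc_txt))
    return {"spf": spf, "dmarc": dmarc, "disposition": disposition}


# Mirrors the policy in the thread's Authentication-Results header, with the
# redacted domain replaced by example.com.
POLICY = "v=DMARC1 p=reject rua=mailto:dmarc@example.com fo=0 adkim=r aspf=r pct=100 sp=reject"

if __name__ == "__main__":
    # The two source IPs quoted in the thread, plus one host the constructed record authorizes.
    for ip in ("182.180.172.210", "167.249.188.36", "203.0.113.25"):
        print(ip, evaluate(ip, "slee@example.com", "slee@example.com", "none", None, POLICY))
```

Run as-is, the two thread IPs come back spf=fail, dmarc=fail, disposition=reject, which is what the Authentication-Results line should have said; only 203.0.113.25 (covered by the constructed mx and ip4 terms) passes. When reviewing a suspicious "spf=pass" in a real header, compare the connecting IP in the topmost Received line with the domain's actual SPF record the same way, and remember that a contact-based trusted-sender rule applied before authentication runs is exactly what turns a forged From into a zero-weight message.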


Brian Bjerring-Jensen Replied
Lodged a ticket

05C-2DC2C1C2-0B26
J Lee Replied
Seems like this should be a priority add to the next upgrade fix list.
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
Jorel Haggard Replied
Employee Post
In our most recent release, Build 8888, we have an SPF-related fix. Give it a try and hopefully we see those issues resolved! 
Jorel Haggard System/Network Administrator SmarterTools Inc. www.smartertools.com
