We recently started using EOP to filter our mail for an Exchange 2007 environment. We set up the X-Forefront-Antispam-Report rule to set the SCL for messages tagged as spam to at least 6 (we recently changed it to 9 as some messages were still appearing in users' inboxes rather than the junk folder).
One issue we recently came across was a message sent with a spoofed From address. The message originates from a server not on our domain, or in our IP range, and not specified in our SPF records, and the From address is using our domain name. In the headers EOP tagged the SPF as a pass since the IP address of the originating server matched the SPF records of the originating server's FQDN. Neither the From nor the Reply-To address matches that FQDN.
Are we wrong in thinking that if a From address is included, it should check the SPF records for the domain specified in that address rather than just the originating server information? That is ultimately one reason we configured SPF in the first place: to help with rejecting messages that spoof our domain.
Here are the headers in question:
Received: from na01-bl2-obe.outbound.protection.outlook.com (207.46.163.205) by ex-cas2.nsula.edu (10.10.20.223) with Microsoft SMTP Server (TLS) id 8.3.298.1; Mon, 10 Jun 2013 10:34:43 -0500
Received: from BLUPR05CA002.namprd05.prod.outlook.com (10.255.219.160) by BLUPR05MB037.namprd05.prod.outlook.com (10.255.210.145) with Microsoft SMTP Server (TLS) id 15.0.702.21; Mon, 10 Jun 2013 15:34:41 +0000
Received: from BY2FFO11FD025.protection.gbl (2a01:111:f400:7c0c::23) by BLUPR05CA002.outlook.office365.com (2a01:111:e400:83f::32) with Microsoft SMTP Server (TLS) id 15.0.702.21 via Frontend Transport; Mon, 10 Jun 2013 15:34:41 +0000
Received: from bosmailout15.eigbox.net (66.96.185.15) by BY2FFO11FD025.mail.protection.outlook.com (10.1.15.214) with Microsoft SMTP Server id 15.0.707.0 via Frontend Transport; Mon, 10 Jun 2013 15:34:40 +0000
Received: from bosmailscan18.eigbox.net ([10.20.15.18]) by bosmailout15.eigbox.net with esmtp (Exim) id 1Um47D-0004Lg-M5; Mon, 10 Jun 2013 11:34:39 -0400
Received: from bosimpout03.eigbox.net ([10.20.55.3]) by bosmailscan18.eigbox.net with esmtp (Exim) id 1Um47B-0001t6-KW; Mon, 10 Jun 2013 11:34:38 -0400
Received: from boswebmail09.eigbox.net ([10.20.16.9]) by bosimpout03.eigbox.net with NO UCE id mfPz1l00E0BjvkA01fPzxb; Mon, 10 Jun 2013 11:23:59 -0400
X-Authority-Analysis: v=2.0 cv=bNyU0YCZ c=1 sm=1 a=VPlmSNoSjRwk22eSPKD6cQ==:17 a=Q7zus9ReCAYA:10 a=kuCZ8jO7f7sA:10 a=8nJEP1OIZ-IA:10 a=oGIcDX3jAAAA:8 a=hFlREuPYAAAA:8 a=-mM_um03YY5SmUl26csA:9 a=wPNLvfGTeEIA:10 a=73YDsbcTHZsA:10 a=hdsnRn87qCUYT2jdlcOltA==:117
X-EN-OrigOutIP: 10.20.16.9
X-EN-IMPSID: mfPz1l00E0BjvkA01fPzxb
Received: from [127.0.0.1] (helo=emailmg.startlogic.com) by boswebmail09.eigbox.net with esmtp (Exim) id 1Um46G-0000uF-Df; Mon, 10 Jun 2013 11:33:40 -0400
Received: from 41.203.67.54 (SquirrelMail authenticated user <potential real address removed>) by emailmg.startlogic.com with HTTP; Mon, 10 Jun 2013 11:33:40 -0400
Message-ID: <b3abdd9cfb4eaa9c30882bbdc2ee2daa.squirrel@emailmg.startlogic.com>
Date: Mon, 10 Jun 2013 11:33:40 -0400
Subject: Notice
From: Northwestern State University <noreply@nsula.edu>
Reply-To: <suport20@mail2webmaster.com>
User-Agent: SquirrelMail/1.4.19
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
Sender: Northwestern State University <noreply@nsula.edu>
To: Undisclosed recipients:;
Return-Path: SRS0=uNdlXP=P2=nsula.edu=noreply@eigbox.net
X-Forefront-Antispam-Report: CIP:66.96.185.15;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(189002)(199002)(44976003)(74502001)(69226001)(50466002)(1671002)(46102001)(47736001)(54316002)(558084002)(47976001)(65816001)(221733001)(54356001)(56776001)(56816003)(76786001)(77096001)(63266003)(16406001)(74662001)(10356001)(23756003)(77982001)(76176001)(76796001)(47446002)(51856001)(43066001)(10646002)(63696002)(47776003)(881003)(59766001)(80022001)(74366001)(551544002)(74706001)(49866001)(76482001)(50986001)(20776003)(4396001)(79102001)(81342001)(74876001)(33646001)(81542001)(63076002);DIR:INB;SFP:;SCL:1;SRVR:BLUPR05MB037;H:bosmailout15.eigbox.net;RD:bosmailout15.eigbox.net;MX:1;A:1;LANG:en;
Received-SPF: Pass (: domain of eigbox.net designates 66.96.185.15 as permitted sender) receiver=; client-ip=66.96.185.15; helo=bosmailout15.eigbox.net;
X-OriginatorOrg: nsula.edu
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
I removed the original account used to authenticate to the originating server (nirvanacreations.com.au domain). You can see it has From set to our domain (nsula.edu) and a Reply-To at mail2webmaster.com. You can also see that it passes SPF due to domain eigbox.net designating the originating server IP as a valid sender for that domain.
Our expectation is that EOP should see the From being @nsula.edu and do an SPF lookup at our domain and see that the IP address used isn't in our SPF record. It should then fail the SPF lookup.
Any ideas on why this is not working as we expect? Is this a bug?
Thanks for any help.
- Edited by Shawn parr Monday, June 17, 2013 4:01 PM Format headers to distinguish from message body
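The behaviour described in the post is how SPF is specified: the check is run against the SMTP envelope sender (MAIL FROM, which the receiver records as Return-Path) and the HELO name, not against the RFC 5322 From header. Here the envelope sender is an SRS-rewritten address at eigbox.net, so eigbox.net's record is consulted and passes. Checking that the envelope domain and the header From domain agree is a separate "alignment" step, which is what DMARC adds on top of SPF. The following script, an added example that is not part of the original post or of EOP, walks through both steps on a constructed header excerpt modelled on the post's headers: it evaluates a deliberately simplified SPF (only ip4/ip6 mechanisms and the all qualifier, against a hard-coded stand-in for DNS whose nsula.edu record is a placeholder), unwraps the SRS envelope address, and reports whether the two domains are aligned.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt modelled on the headers quoted in the post; only the
# fields this example needs are kept.
SAMPLE_HEADERS = """\
Return-Path: SRS0=uNdlXP=P2=nsula.edu=noreply@eigbox.net
From: Northwestern State University <noreply@nsula.edu>
Reply-To: <suport20@mail2webmaster.com>
Received-SPF: Pass (: domain of eigbox.net designates 66.96.185.15 as permitted sender) receiver=; client-ip=66.96.185.15; helo=bosmailout15.eigbox.net;
Subject: Notice

"""

# Connecting SMTP client, as shown in the X-Forefront-Antispam-Report CIP field.
CLIENT_IP = "66.96.185.15"

# Constructed stand-in for DNS TXT lookups. The nsula.edu record is a
# placeholder for illustration, not the university's real SPF record.
FAKE_SPF_RECORDS = {
    "eigbox.net": "v=spf1 ip4:66.96.185.0/24 -all",
    "nsula.edu": "v=spf1 ip4:10.10.20.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address):
    """Lower-cased domain part of a header or envelope address."""
    _, addr = parseaddr(address)
    addr = addr or address
    return addr.rpartition("@")[2].strip("<> ").lower()


def envelope_sender(msg):
    """MAIL FROM as the receiver recorded it in Return-Path: the SPF identity."""
    return msg.get("Return-Path", "").strip().strip("<>")


def unwrap_srs(envelope):
    """Recover the pre-forwarding sender from an SRS0 envelope address.
    Layout: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>."""
    local = envelope.rpartition("@")[0]
    if not local.upper().startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _tag, _hash, _timestamp, orig_domain, orig_local = parts
    return f"{orig_local}@{orig_domain}"


def check_spf(domain, client_ip, records=FAKE_SPF_RECORDS):
    """Simplified SPF: first matching ip4/ip6 or 'all' term decides the result.
    Real SPF also has a, mx, include, exists, redirect; they are skipped here."""
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def aligned(envelope_domain, from_domain):
    """DMARC-style relaxed alignment: identical, or one is a subdomain of the other."""
    return (
        envelope_domain == from_domain
        or from_domain.endswith("." + envelope_domain)
        or envelope_domain.endswith("." + from_domain)
    )


def evaluate(raw_headers, client_ip, records=FAKE_SPF_RECORDS):
    """Report what SPF actually checked versus what the header From claims."""
    msg = message_from_string(raw_headers)
    env = envelope_sender(msg)
    env_domain = domain_of(env)
    from_domain = domain_of(msg.get("From", ""))
    return {
        "spf_domain": env_domain,                       # domain SPF was run on
        "spf_result": check_spf(env_domain, client_ip, records),
        "header_from_domain": from_domain,
        "spf_on_from_domain": check_spf(from_domain, client_ip, records),
        "srs_original_sender": unwrap_srs(env),
        "aligned": aligned(env_domain, from_domain),    # False => spoof candidate
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_HEADERS, CLIENT_IP).items():
        print(f"{key:>20}: {value}")
```

Run as-is, the report shows SPF passing for eigbox.net (the envelope domain), the same IP failing against the placeholder nsula.edu record, and alignment false: exactly the gap the post describes. A filter that wants to reject this kind of message needs the alignment check (or a DMARC policy for the domain) rather than a different SPF result.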