Incoming mail sender verification

boddie

This might be a stupid question (or set of questions), but here goes...

Why do I occasionally receive messages from people spoofing my own mail address or one bearing my domain? Given that there are measures in place to prevent others receiving messages from people spoofing my address or addresses from my domain, using things like DKIM and SPF (the latter I just enabled after forgetting to do so when migrating from Webfaction), why do the Opalstack mail servers seem to deliver such spoofed messages to me? Would it not be natural to not allow outsiders to send messages "into" my domain when those messages can only genuinely originate from my domain? Does the incoming mail processing rely on general DKIM or SPF usage instead?

The headers include stuff like this:

Received: from ip-5-172-235-187.multi.internet.cyfrowypolsat.pl (ip-5-172-235-187.multi.internet.cyfrowypolsat.pl [5.172.235.187]) by mx2.us.opalstack.com (Postfix) with ESMTP id 31E2624E11E for <ME@MY_DOMAIN>; Mon, 6 Sep 2021 07:46:15 +0000 (UTC)

Here, ME@MY_DOMAIN replaces my actual address, of course. Usually, the From header contains my address or a one (potentially fictional) in my domain, and the Return-Path header may or may not feature an address in my domain.

I remember asking the same set of questions at my employer, having received yet another fake "e-mail administrator needs your password" mail, wondering why any mail server would take receipt of a mail from outside the domain bearing various details purporting to be from the domain, and I got a rather angry "do not pretend you know our job better than we do", but I would hope that this question might have an answer, especially since it all rather violates common sense.

sean

boddie we don't block mail that fails SPF checks but the failure does factor in to the spam score that the message receives.

I checked the mail logs for the message ID you included in your example and that message was assigned a very high spam score even without SPF. If you'd like to filter spam out of your inbox then instructions are here: Filtering Email

boddie

Thanks for the reply, Sean! I have been using spam filtering in my mail client for many years, and this works pretty well. I guess I could also incorporate spam scoring from the SMTP infrastructure into my filtering, although from back in my days with Webfaction, I wasn't entirely convinced that this was as reliable as just using SpamBayes locally.

However, I was just intrigued by the fact that someone can send a mail bearing details of my domain from some random mail server and yet the only mail server that should be eligible to originate such mails will happily receive that mail and deliver it, unlike other mail servers who will presumably test the SPF and DKIM indicators.

As I noted, this is effectively how all those "e-mail admin needs your password" scams are enabled, and yet nobody puts in a rule that tests the eligibility of the sender when delivering to the domain of the people whose identities the sender is spoofing. Why is this? Would it break everything? What am I missing?

sean

boddie As far as I know most email providers are doing this the same way that we are. I can't speak for the entire industry but our reasoning is that there are enough people out there who might set up their SPF incorrectly that blocking mail based on that would cause legit mail to be lost.

Another concern would be that actually bouncing messages that fail SPF would cause backscatter which will cause our mail servers to be blocked.

If you want to block or filter mail specifically due to SPF then try a procmail rule like:

:0:
* ^received-spf:.*fail
/dev/null

boddie

I definitely wouldn't want messages to be bounced. At Webfaction, I ended up configuring SPF precisely to stop other mail servers from sending backscatter at me. Setting it up meant that those other servers understood that the spam sent in my name was all spoofed and that they shouldn't pester me about it.

But I guess I have my answer of sorts. My idea was that since only Opalstack's mail server (or servers) is going to be the one sending mails from my domain and receiving mails for my domain, I just wondered why there wasn't an incoming rule of the form...

if message_is_external and from_address_domain == delivery_domain: . from_address has been spoofed

No SPF or DKIM or anything. Just relying on the basic knowledge about the role of the mail server and a particular domain. I guess the answer is just that nobody does this.