Pet peeve.. the way SPF records are being set.. And please everyone, stop using macros if you don't absolutely need it..
Stop including all of Microsoft, Google, Amazon, Twilio ranges.. You should know where valid mail is coming from more accurately than that.
If they can forge your domain from all of the above, then your SPF is almost as bad as not having any..
Too many people use SPF records simply because Gmail says you have to, rather than using it for what it was meant for.
SPF is not a be all end all, but if you are a target for phishing, if you are a big name enterprise, a bank, or responsible for large groups of the public population, please do your part with a little more diligence..
On 1/22/25 06:34, Tapio Peltonen via mailop wrote:
Is it just me or has the volume of SPF passing spam where the sending IP is not known by Spamhaus gone up in recent weeks? I used to get these very infrequently, but during last few weeks I've gotten new ones almost daily.

Many of the sender addresses look legitimate, with tlds such as .com or .net or .de, and they very much look like cases where a spammer has got their hands on a formerly legitimate domain or hacked the dns provider. The sending IPs' reverse records point to very suspicious looking Chinese or Russian domains, some IDN and some regular.

An example of such domain is vovlink.de, where the A record and the mail subdomain both point to 62.173.147.115, the reverse of which is the IDN орс.051.рус (xn--n1aed.051.xn--p1acf). Because the SPF config is "v=spf1 a mx -all" the spam passes the SPF check. I reached out to the abuse contact through the domain-contact.org website and actually got a reply, but the dns config is still unchanged and the host is still sending spam.

Of course I block these manually when I come across them, but these used to be very infrequent. So I wonder if this is a larger phenomenon or is it just that some spammer has recently added my domains to the recipient list. The vovlink.de one did also send spam to my Gmail address, so I guess that IP has pretty hefty output volume.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
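
An added example, not part of either message above: an offline lint for SPF TXT records that flags the patterns raised in this thread (macros, includes of whole shared sending platforms, wide ranges, and `a`/`mx` mechanisms whose pass follows whatever the zone's DNS currently says, as in the quoted `v=spf1 a mx -all` case). The include hostnames, the prefix thresholds and the finding names are assumptions chosen for this example, and it performs no DNS lookups.

```python
import ipaddress
import re

# Assumed include targets for the platforms the reply names (chosen for this example).
SHARED = ("_spf.google.com", "spf.protection.outlook.com", "amazonses.com", "sendgrid.net")
MIN_PREFIX = {4: 24, 6: 64}  # assumed thresholds: any wider network is flagged
TERM = re.compile(r"^([+\-~?])?([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)

def audit_spf(record):
    """Return a list of (finding, term) tuples for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("not-spf", record)]
    findings, terminated = [], False
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            findings.append(("unparsed", term))
            continue
        qual, name = m.group(1) or "+", m.group(2).lower()
        sep, value = m.group(3), m.group(4) or ""
        if "%{" in term:
            findings.append(("macro", term))
        if name == "include" and sep == ":":
            target = value.lower().rstrip(".")
            if any(target == d or target.endswith("." + d) for d in SHARED):
                findings.append(("shared-platform-include", term))
        elif name in ("ip4", "ip6") and sep == ":":
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(("bad-network", term))
                continue
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append(("wide-range", term))
        elif name in ("a", "mx") and qual == "+":
            # The pass follows the zone's current A/MX records, whoever controls them.
            findings.append(("follows-dns", term))
        elif name == "all" and sep is None:
            terminated = True
            if qual in "+?":
                findings.append(("permissive-all", term))
        elif name == "redirect" and sep == "=":
            terminated = True
    if not terminated:
        findings.append(("no-all", record))
    return findings

if __name__ == "__main__":
    print(audit_spf("v=spf1 a mx -all"))  # the record quoted in the thread
```

A `follows-dns` finding is informational: it marks records where SPF authorization is only as trustworthy as control of the domain's DNS zone.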