Hi, I have an email that matched KAM_SENDGRID because it also matched SPF_HELO_NONE, despite it apparently being a legitimate sendgrid email. This is from SA trunk.
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
1.5 KAM_SENDGRID Sendgrid being exploited by scammers

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=167.89.39.250; helo=o1678939x250.outbound-mail.sendgrid.net; envelope-from=bounces+3940809-b10a-43194=hotel.example....@em8909.cookspest.com; receiver=<UNKNOWN>
X-Envelope-From: <bounces+3940809-b10a-43194=hotel.example....@em8909.cookspest.com>

I'm noticing what I think are a lot of false positives for this rule. Is there something more we should be doing to reduce the false positives here, or is it really warranted?

The mail server does appear to have an SPF record:

# dig +short txt em8909.cookspest.com
u3940809.wl060.sendgrid.net.
"v=spf1 ip4:167.89.39.18 ip4:167.89.39.188 ip4:167.89.39.217 ip4:167.89.39.227 ip4:167.89.39.248 ip4:167.89.39.250 ip4:167.89.39.45 ip4:167.89.39.75 ip4:167.89.39.79 ip4:208.117.61.64 -all"

Or perhaps it's because it's announcing itself as o1678939x250.outbound-mail.sendgrid.net, which does not have an SPF record? Is it even possible for a sendgrid client to control their SPF record, let alone SPF HELO?

Perhaps it's because Return-Path is null?

Return-Path: <>
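Added example (not from the post, nor SpamAssassin's own SPF plugin): a small evaluator that checks the two SPF identities separately, the MAIL FROM domain and the HELO name, against a constructed DNS table. The cookspest.com record is the one from the dig output above; the entry for the sendgrid HELO host having no record is an assumption that matches the reported SPF_HELO_NONE hit.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> CNAME target and/or TXT strings.
# The cookspest entry mirrors the dig output in the post (CNAME, then TXT);
# the HELO host entry is an assumption: no SPF record at all.
FAKE_DNS = {
    "em8909.cookspest.com": {"CNAME": "u3940809.wl060.sendgrid.net"},
    "u3940809.wl060.sendgrid.net": {"TXT": [
        "v=spf1 ip4:167.89.39.18 ip4:167.89.39.188 ip4:167.89.39.217 "
        "ip4:167.89.39.227 ip4:167.89.39.248 ip4:167.89.39.250 ip4:167.89.39.45 "
        "ip4:167.89.39.75 ip4:167.89.39.79 ip4:208.117.61.64 -all"]},
    "o1678939x250.outbound-mail.sendgrid.net": {"TXT": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, dns=FAKE_DNS, depth=0):
    """Return the single v=spf1 TXT record for domain (following CNAMEs) or None."""
    if depth > 10:  # guard against CNAME loops in the table
        return None
    entry = dns.get(domain, {})
    if "CNAME" in entry:
        return lookup_spf(entry["CNAME"], dns, depth + 1)
    records = [t for t in entry.get("TXT", []) if t.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None  # 0 records -> "none"

def check_spf(client_ip, domain, dns=FAKE_DNS):
    """Evaluate the ip4/ip6/all mechanisms of domain's record for client_ip."""
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"          # what SpamAssassin reports as SPF_NONE / SPF_HELO_NONE
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        # include:, a, mx and redirect= need further DNS; treated as non-matching here
    return "neutral"           # RFC 7208 default when nothing matches

def check_identities(client_ip, mail_from_domain, helo):
    """The two identities SpamAssassin scores separately (SPF_* vs SPF_HELO_*)."""
    return {"mailfrom": check_spf(client_ip, mail_from_domain),
            "helo": check_spf(client_ip, helo)}
```

With the post's values this returns pass for the MAIL FROM identity and none for the HELO identity, which is the combination the rule hits describe.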