On 06.10.2015 at 19:45, Joe Quinn wrote:
On 10/6/2015 1:38 PM, Alex wrote:

Hi,

I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and they even appear to have been routed through facebook's outgoing mail. All of that could be faked, but it would mean the payload is in the actual facebook profiles themselves.

Has anyone else found this to be the case?

http://pastebin.com/jE8G5LXJ

Thanks,
Alex

I would say that because it passes DKIM with a signature from facebookmail.com, it's likely legitimate and they just suck at SPF (wouldn't be the first time a multi-billion dollar company can't get anti-forgery right). The rDNS of cox.net seems odd for a CDN, but there's not really any standard and I don't know offhand if that's the hostname format they use or not.
facebook is using a strict SPF policy!

[root@mail-gw:~/training]$ cat spam/*.eml | grep "cox\.net" | wc -l
106
[root@mail-gw:~/training]$ cat ham/*.eml | grep "cox\.net" | wc -l
3

0 47370 SPAM
0 20071 HAM
0 2207022 TOKEN

Oct 6 19:55:53 mail-gw postfix/qmgr[10786]: 3nVmgF15WNz29: from=<notification+kr4mnx2kb...@facebookmail.com>, size=10644, nrcpt=1 (queue active)
Oct 6 19:55:53 mail-gw spamd[10351]: spamd: processing message <ca8cf0d4d95839d30e31071c4b55a...@www.facebook.com> for sa-milt:189
Oct 6 19:55:53 mail-gw spamd[10351]: spamd: result: . -198 - CUST_DNSBL_15,CUST_DNSBL_27,CUST_DNSWL_2,CUST_DNSWL_3,CUST_DNSWL_6,SHORTCIRCUIT,SHORTCIRCUIT_NET_HAM,USER_IN_DKIM_WHITELIST,USER_IN_SPF_WHITELIST
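The reasoning in the thread (SPF fails, but the DKIM signature is from facebookmail.com, the same domain as the From: header, so the message is most likely genuine) is exactly the DMARC identifier-alignment check. The following is an added example, not code from the thread, from Facebook or from SpamAssassin: it reads the Authentication-Results header of a message and reports whether a passing SPF or DKIM result is aligned with the From: domain. Both sample messages, the mail-gw.example authserv-id, the phish.example domain and the selector name are constructed for the example; the organizational-domain helper uses the last two labels instead of a public suffix list, which is an assumption that is wrong for domains like example.co.uk.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not the thread's pastebin contents).
# MSG_REAL mirrors the reported case: envelope SPF fails, but a valid DKIM
# signature from facebookmail.com matches the From: header domain.
MSG_REAL = """\
Return-Path: <notification+abc123@facebookmail.com>
Authentication-Results: mail-gw.example; spf=fail smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com header.s=sel1
From: Facebook <notification+abc123@facebookmail.com>
Subject: New notification

body
"""

# MSG_FORGED: From: claims facebookmail.com, SPF and DKIM both "pass", but
# both identifiers belong to an unrelated domain, so nothing is aligned.
MSG_FORGED = """\
Return-Path: <bounce@phish.example>
Authentication-Results: mail-gw.example; spf=pass smtp.mailfrom=phish.example; dkim=pass header.d=phish.example header.s=sel1
From: Facebook <notification+abc123@facebookmail.com>
Subject: New notification

body
"""


def org_domain(domain):
    """Approximate the organizational domain with the last two labels.
    Assumption: no public suffix list, so 'a.b.co.uk' would wrongly give 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate, from_domain):
    """Relaxed DMARC alignment: same organizational domain, both non-empty."""
    return bool(candidate) and bool(from_domain) and \
        org_domain(candidate) == org_domain(from_domain)


def parse_auth_results(msg):
    """Yield (method, result, props) for every clause of every
    Authentication-Results header, dropping the leading authserv-id."""
    found = []
    for hdr in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(hdr).split(";")][1:]
        for clause in clauses:
            m = re.match(r"(\w+)=(\w+)\s*(.*)", clause, re.S)
            if not m:
                continue
            method, result, rest = m.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
            found.append((method.lower(), result.lower(), props))
    return found


def evaluate(raw):
    """Return the From: domain, which passing identifiers align with it,
    and a DMARC-style verdict: 'pass' if SPF or DKIM is both passing
    and aligned, otherwise 'fail'."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_aligned = dkim_aligned = False
    for method, result, props in parse_auth_results(msg):
        if result != "pass":
            continue
        if method == "spf":
            # smtp.mailfrom may be a bare domain or a full address
            mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            spf_aligned = spf_aligned or aligned(mailfrom, from_domain)
        elif method == "dkim":
            dkim_aligned = dkim_aligned or aligned(props.get("header.d", ""), from_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for name, raw in (("real", MSG_REAL), ("forged", MSG_FORGED)):
        print(name, evaluate(raw))
```

The first message comes out as "pass" on DKIM alignment alone, which is the thread's conclusion; the second comes out as "fail" even though SPF and DKIM both technically passed, because neither identifier belongs to the From: domain. SpamAssassin's whitelist_from_dkim does this same author-domain check natively, which is what the USER_IN_DKIM_WHITELIST hit in the spamd log above reflects.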