On Tue, 6 Oct 2015, Alex wrote:

Hi,

I've received a handful of messages that appear to be facebook
notifications, but fail SPF. They otherwise look completely legit -
links to profiles, only URLs to facebook.com and CDN caching sites,
and even appear to have been routed through facebook's outgoing mail.

All of that could be faked, but it would mean the payload is in the
actual facebook profiles themselves. Has anyone else found this to be
the case?

http://pastebin.com/jE8G5LXJ

Thanks,
Alex

That's because it's a forwarded message. That message was originally sent from
FB to "<tom.wil...@cox.net>" and it looks like he's got his '@cox.net' account
forwarded to "<tom.wil...@example.com>" (for whatever '@example.com' should really be).

So that explicit forward breaks the SPF chain, thus triggering that SPF fail.
The valid DKIM signature indicates that the message is legit.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
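
The forwarding effect described in the reply above, as an added example that is not part of the original thread: SPF is evaluated against the connecting IP at each hop, so a forwarder's IP fails the original sender's policy, while a DKIM signature aligned with the From: domain still vouches for the message. The domain names, addresses, SPF record and header values are constructed for illustration, and the alignment check is a simplification.

```python
import ipaddress
import re

# Constructed SPF policy and documentation-range addresses (RFC 5737);
# these are not any real provider's records.
SPF_RECORDS = {"social.example": "v=spf1 ip4:192.0.2.0/24 -all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(envelope_domain, client_ip):
    """Evaluate only the ip4 and all mechanisms of the domain's SPF record."""
    record = SPF_RECORDS.get(envelope_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"  # a, mx, include etc. are not handled here
        if matched:
            return RESULT[qualifier]
    return "neutral"

def triage(auth_results, from_domain):
    """Classify a message from an Authentication-Results header value."""
    spf = re.search(r"\bspf=(\w+)", auth_results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth_results)
    # A passing signature only vouches for the From: domain when d= matches it
    # (simplified alignment: same domain, or From: is a subdomain of d=).
    aligned = any(
        res == "pass" and (from_domain == d or from_domain.endswith("." + d))
        for res, d in dkim
    )
    if not aligned:
        return "suspect"
    return "direct" if spf and spf.group(1) == "pass" else "forwarded"

if __name__ == "__main__":
    # Hop 1: the sender's own server delivers to the first mailbox.
    print(spf_check("social.example", "192.0.2.25"))     # pass
    # Hop 2: that mailbox forwards; the envelope sender is unchanged but the
    # connecting IP now belongs to the forwarder.
    print(spf_check("social.example", "198.51.100.7"))   # fail
    hdr = ("mx.final.example; spf=fail smtp.mailfrom=social.example; "
           "dkim=pass header.d=social.example")
    print(triage(hdr, "social.example"))                 # forwarded
```

A passing DKIM result whose `header.d=` is unrelated to the From: domain is classified as "suspect", since such a signature says nothing about the claimed sender.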
