On 10/6/2015 5:01 PM, Jered Floyd wrote:
Ah; good eyes!
That KAM_FACEBOOK rule is dangerous.
The behavior of forwarding content which effectively is the same as a
forgery is where the danger lies... If this is behavior that users are
performing, of course then there needs to be appropriate reaction but
overall, forwarding emails is going to cause issues with a ton of
domains and should be discouraged entirely.
Regards,
KAM
--Jered
----- On Oct 6, 2015, at 4:33 PM, David B Funk dbf...@engineering.uiowa.edu
wrote:
On Tue, 6 Oct 2015, Alex wrote:
Hi,
I've received a handful of messages that appear to be facebook
notifications, but fail SPF. They otherwise look completely legit -
links to profiles, only URLs to facebook.com and CDN caching sites,
and even appears to have been routed through facebook's outgoing mail.
All of that could be faked, but it would mean the payload is in the
actual facebook profiles themselves. Has anyone else found this to be
the case?
http://pastebin.com/jE8G5LXJ
Thanks,
Alex
That's because it's a forwarded message. That message was originally sent from
FB to "<tom.wil...@cox.net>" and it looks like he's got his '@cox.net' account
forwarded to "<tom.wil...@example.com>" (for what ever '@example.com' should
really be).
So that explicit forward breaks the SPF chain, thus triggering that SPF fail.
The valid DKIM signature indicates that the message is legit.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
--
*Kevin A. McGrail*
CEO
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com <mailto:kmcgr...@pccc.com>
