spamassassin-users mailing list archives

From Alex <mysqlstud...@gmail.com>
Subject Re: Investigating facebook spam
Date Tue, 06 Oct 2015 21:04:24 GMT
Hi,

>> I've received a handful of messages that appear to be facebook
>> notifications, but fail SPF. They otherwise look completely legit -
>> links to profiles, only URLs to facebook.com and CDN caching sites,
>> and even appear to have been routed through facebook's outgoing mail.
>>
>> All of that could be faked, but it would mean the payload is in the
>> actual facebook profiles themselves. Has anyone else found this to be
>> the case?
>>
>> http://pastebin.com/jE8G5LXJ
>>
>> Thanks,
>> Alex
>
>
> That's because it's a forwarded message. That message was originally sent
> from FB to "<tom.wilson@cox.net>" and it looks like he's got his '@cox.net'
> account forwarded to "<tom.wilson@example.com>" (for whatever '@example.com'
> should really be).
>
> So that explicit forward breaks the SPF chain, thus triggering that SPF
> fail. The valid DKIM signature indicates that the message is legit.

That's it, thanks so much. I was thinking SPF was broken because of
some kind of routing problem, but didn't realize it was forwarded.

Is it just the routing from mx-out.facebook.com to the cox.net server
then to the example.com server that explains this forwarding, instead
of directly from facebook to example.com that shows this?

I'll work with KAM to have the rule addressed.

Thanks everyone for your ideas.
Alex
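
The diagnosis reached in this thread (SPF fails because a forwarder relayed the message, while an aligned DKIM signature still passes) can be checked from the headers alone. The sketch below is an added example, not part of the original thread or of SpamAssassin; the hostnames, the sample message and the helper names are constructed, and the alignment test is a simplification that does not consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sender.example -> forwarder.example -> final.example.
FORWARDED = """\
Authentication-Results: mx.final.example;
 spf=fail smtp.mailfrom=bounce@sender.example;
 dkim=pass header.d=sender.example
Received: from mail.forwarder.example (mail.forwarder.example [192.0.2.10])
 by mx.final.example; Tue, 06 Oct 2015 20:00:02 +0000
Received: from mx-out.sender.example (mx-out.sender.example [198.51.100.7])
 by mail.forwarder.example; Tue, 06 Oct 2015 20:00:01 +0000
From: Notifications <notify@sender.example>
To: user@forwarder.example
Subject: constructed sample

body
"""
SPOOFED = FORWARDED.replace("dkim=pass", "dkim=fail")  # nothing vouches for From

def unfold(value):
    """Collapse header folding (CRLF + whitespace) into single spaces."""
    return " ".join((value or "").split())

def classify(raw, trusted_authserv="mx.final.example"):
    """Return (verdict, relay path oldest-first) for one raw message."""
    msg = message_from_string(raw)
    # Only the topmost Authentication-Results, and only from our own MTA, counts.
    ar = unfold(msg.get("Authentication-Results"))
    path = [m.group(1) for r in reversed(msg.get_all("Received", []))
            if (m := re.search(r"\bby\s+([\w.-]+)", unfold(r)))]
    if ar.split(";")[0].strip().lower() != trusted_authserv:
        return "untrusted-results", path
    spf = re.search(r"\bspf=(\w+)", ar)
    if spf and spf.group(1).lower() == "pass":
        return "spf-pass", path
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Simplified relaxed alignment: From domain equals d= or is a subdomain of it.
    for d in re.findall(r"\bdkim=pass\b[^;]*?header\.d=([\w.-]+)", ar):
        d = d.lower()
        if from_dom == d or from_dom.endswith("." + d):
            return "likely-forwarded", path
    return "unauthenticated", path
```

The relay path returned for the forwarded sample shows the extra hop between the sender and the final MX, which is the hop that SPF evaluates and the original sender never authorized.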
