Hi!
A worker received a fake mail from his boss about sending money. The mail should have been spam because of the SPF record, but spamassassin did not make any mention of SPF_FAIL or any kind of SPF scores for some reason (not even SPF_PASS), but it works with other mail.
"ourdomain.tld" has a strict SPF record BTW with "-all".
ourdomain.tld's SPF record:
"v=spf1 +a +mx +ip4:1.1.1.1 +ip4:2.2.2.2 +a:mail.ourdomain.tld +a:cpanel.ourdomain.tld -all"
I have attached some headers to the bottom of the post (ourdomain.tld is ours).
What is the problem here? Why does spamassassin give no scores for this mail but give scores for others? Please give me some info!
BTW, does this mean that the boss's mail was hacked perhaps?
Thanks,
Dan
Return-Path: <[email protected]>
Received: from cpanel.ourdomain.tld
by cpanel.ourdomain.tld with LMTP
id OCtBOFs4gmGANwAAsFPSkA
(envelope-from <[email protected]>); Wed, 03 Nov 2021 08:20:59 +0100
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 03 Nov 2021 08:20:59 +0100
Received: from p3plsmtp13-04-2.prod.phx3.secureserver.net ([173.201.192.168]:36249 helo=p3plwbeout13-04.prod.phx3.secureserver.net)
by cpanel.ourdomain.tld with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <[email protected]>)
id 1miAZv-0003kU-0n
for [email protected]; Wed, 03 Nov 2021 08:20:59 +0100
Received: from p3plgemwbe13-01.prod.phx3.secureserver.net ([173.201.192.135])
by :WBEOUT: with SMTP
id iAVtmz6YJK2DCiAVtm8WbX; Wed, 03 Nov 2021 00:16:49 -0700
X-CMAE-Analysis: v=2.4 cv=SvlVVNC0 c=1 sm=1 tr=0 ts=61823761
a=658DuDfP+2yA7XDDahlR4A==:117 a=6HK6bwJaZ5QA:10 a=VKZVednWNgAA:10
a=IkcTkHD0fZMA:10 a=vIxV3rELxO4A:10 a=5KLPUuaC_9wA:10 a=M51BFTxLslgA:10
a=0kLeGl1B6BcbWwggTvAA:9 a=v0KE49cWkvcw2heF:21 a=_W_S_7VecoQA:10
a=QEXdDO2ut3YA:10
X-SECURESERVER-ACCT: [email protected]
X-SID: iAVtmz6YJK2DC
Received: (qmail 31548 invoked by uid 99); 3 Nov 2021 07:16:49 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 156.146.41.18
User-Agent: Workspace Webmail 6.12.9
Message-Id: <20211103001648.752[email protected]>
From: "IDA" <[email protected]>
X-Sender: [email protected]
Reply-To: "IDA" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Salary
Date: Wed, 03 Nov 2021 00:16:48 -0700
X-Spam-Status: No, score=2.2
X-Spam-Score: 22
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "cpanel.ourdomain.tld",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content analysis details: (2.2 points, 4.7 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4930]
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 LOTS_OF_MONEY Huge... sums of money
X-Spam-Flag: NO
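Added example (not part of Dan's post, and not SpamAssassin's own code): what an SPF check actually evaluates for a message like the one above. SPF (RFC 7208) is checked against the envelope sender, i.e. the Return-Path / MAIL FROM domain, together with the IP of the first relay outside SpamAssassin's trusted_networks; the From: header the recipient sees is never consulted by SPF, only by DMARC alignment. The headers in the post show that the envelope-from and From: domains differ (that is what HEADER_FROM_DIFFERENT_DOMAINS fired on), so the "-all" record of ourdomain.tld is never the record being evaluated. The script below walks through that reasoning over a constructed copy of the headers: the redacted addresses are replaced by assumed placeholders (boss@ourdomain.tld in From:, sender@otherdomain.example as envelope sender), DNS is a small inline table built from the SPF record quoted in the post, and INTERNAL_HOSTS stands in for trusted_networks. All of those are assumptions, not facts from the thread.

```python
import re
import ipaddress

# Constructed sample, not the post's redacted headers: the addresses are
# assumptions (From: = the boss's ourdomain.tld address, envelope sender = an
# address at an unrelated third-party domain); relays/IPs are the post's.
SAMPLE_HEADERS = """\
Return-Path: <sender@otherdomain.example>
Received: from cpanel.ourdomain.tld
 by cpanel.ourdomain.tld with LMTP
 (envelope-from <sender@otherdomain.example>); Wed, 03 Nov 2021 08:20:59 +0100
Received: from p3plsmtp13-04-2.prod.phx3.secureserver.net ([173.201.192.168]:36249 helo=p3plwbeout13-04.prod.phx3.secureserver.net)
 by cpanel.ourdomain.tld with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 (envelope-from <sender@otherdomain.example>)
 for worker@ourdomain.tld; Wed, 03 Nov 2021 08:20:59 +0100
Received: from p3plgemwbe13-01.prod.phx3.secureserver.net ([173.201.192.135])
 by :WBEOUT: with SMTP; Wed, 03 Nov 2021 00:16:49 -0700
X-Originating-IP: 156.146.41.18
From: "IDA" <boss@ourdomain.tld>
To: "worker@ourdomain.tld" <worker@ourdomain.tld>
"""

# Constructed DNS stand-in: the SPF record is the one quoted in the post
# (1.1.1.1 / 2.2.2.2 are its placeholders); the other addresses are invented.
DNS = {
    "ourdomain.tld": {"A": ["1.1.1.1"], "MX": ["mail.ourdomain.tld"], "TXT": [
        "v=spf1 +a +mx +ip4:1.1.1.1 +ip4:2.2.2.2 "
        "+a:mail.ourdomain.tld +a:cpanel.ourdomain.tld -all"]},
    "mail.ourdomain.tld": {"A": ["1.1.1.1"]},
    "cpanel.ourdomain.tld": {"A": ["2.2.2.2"]},
    "otherdomain.example": {"A": ["203.0.113.10"]},  # publishes no SPF record
}
# Our own relays: what SpamAssassin's trusted_networks should cover (assumption).
INTERNAL_HOSTS = {"cpanel.ourdomain.tld", "mail.ourdomain.tld"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_headers(raw):
    """Unfold the header block into an ordered list of (name, value)."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def domain_of(headers, name):
    """Domain part of the first address in header `name`, or None."""
    m = re.search(r"@([\w.-]+)", next((v for n, v in headers if n == name), ""))
    return m.group(1).lower() if m else None

def first_external_relay(headers):
    """Top-down through Received:, skip our own hosts and return the first
    outside relay's IP: that client IP is what SPF is evaluated against."""
    for name, value in headers:
        if name != "received":
            continue
        m = re.match(r"from\s+(\S+)(?:.*?\[(\d+\.\d+\.\d+\.\d+)\])?", value)
        if m and m.group(1) not in INTERNAL_HOSTS and m.group(2):
            return m.group(2)
    return None

def check_spf(domain, ip):
    """Minimal RFC 7208 evaluation: ip4, a, mx, all with qualifiers.
    include, redirect, exists and ptr are deliberately left out."""
    txt = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if not txt:
        return "none"  # domain publishes no SPF policy at all
    client = ipaddress.ip_address(ip)
    for term in txt[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = str(client) in DNS.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            hit = any(str(client) in DNS.get(mx, {}).get("A", [])
                      for mx in DNS.get(arg or domain, {}).get("MX", []))
        else:
            continue  # unsupported mechanism; a real evaluator would permerror
        if hit:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term

def analyze(raw):
    """Which identity SPF really checks, versus the From: the recipient sees."""
    headers = parse_headers(raw)
    relay_ip = first_external_relay(headers)
    env_dom, from_dom = domain_of(headers, "return-path"), domain_of(headers, "from")
    return {
        "relay_ip": relay_ip,
        "envelope_domain": env_dom,
        "from_domain": from_dom,
        "spf_envelope": check_spf(env_dom, relay_ip),      # what SPF_* rules see
        "spf_header_from": check_spf(from_dom, relay_ip),  # only DMARC asks this
        "from_aligned_with_envelope": env_dom == from_dom,
    }
```

Compare spf_envelope, the identity SpamAssassin's SPF_* rules are based on, with spf_header_from, which is what the record would say if the visible From: domain were the one checked: the relay 173.201.192.168 would fail ourdomain.tld's policy, but that policy is never asked because the envelope sender belongs to a domain without one. Two checks follow for a practitioner: make sure trusted_networks/internal_networks cover your own relays, since SpamAssassin evaluates SPF against the first hop outside them and may pick the wrong hop otherwise; and publish a DMARC record for ourdomain.tld, because DMARC alignment is the mechanism that ties the From: domain a user sees to the SPF and DKIM results.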