SOLVED Spamassassin did no SPF check for this mail, but should have done it

dandadude

Well-Known Member
Hi!

A worker received a fake mail from his boss about sending money. The mail should have been spam because of the SPF record, but spamassassin did not make any mention of SPF_FAIL or any kind of SPF score for some reason (not even SPF_PASS), but it works with other mail.
"ourdomain.tld" has a strict SPF record, BTW, with "-all".

ourdomain.tld's SPF record:
"v=spf1 +a +mx +ip4:1.1.1.1 +ip4:2.2.2.2 +a:mail.ourdomain.tld +a:cpanel.ourdomain.tld -all"

I have attached some headers to the bottom of the post (ourdomain.tld is ours).
What is the problem here? Why does spamassassin give no scores for this mail but give scores for others? Please give me some info!

BTW, does this mean that the boss's mail was hacked perhaps?

Thanks,
Dan

Return-Path: <[email protected]>
Received: from cpanel.ourdomain.tld
by cpanel.ourdomain.tld with LMTP
id OCtBOFs4gmGANwAAsFPSkA
(envelope-from <[email protected]>); Wed, 03 Nov 2021 08:20:59 +0100
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 03 Nov 2021 08:20:59 +0100
Received: from p3plsmtp13-04-2.prod.phx3.secureserver.net ([173.201.192.168]:36249 helo=p3plwbeout13-04.prod.phx3.secureserver.net)
by cpanel.ourdomain.tld with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <[email protected]>)
id 1miAZv-0003kU-0n
for [email protected]; Wed, 03 Nov 2021 08:20:59 +0100
Received: from p3plgemwbe13-01.prod.phx3.secureserver.net ([173.201.192.135])
by :WBEOUT: with SMTP
id iAVtmz6YJK2DCiAVtm8WbX; Wed, 03 Nov 2021 00:16:49 -0700
X-CMAE-Analysis: v=2.4 cv=SvlVVNC0 c=1 sm=1 tr=0 ts=61823761
a=658DuDfP+2yA7XDDahlR4A==:117 a=6HK6bwJaZ5QA:10 a=VKZVednWNgAA:10
a=IkcTkHD0fZMA:10 a=vIxV3rELxO4A:10 a=5KLPUuaC_9wA:10 a=M51BFTxLslgA:10
a=0kLeGl1B6BcbWwggTvAA:9 a=v0KE49cWkvcw2heF:21 a=_W_S_7VecoQA:10
a=QEXdDO2ut3YA:10
X-SECURESERVER-ACCT: [email protected]
X-SID: iAVtmz6YJK2DC
Received: (qmail 31548 invoked by uid 99); 3 Nov 2021 07:16:49 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 156.146.41.18
User-Agent: Workspace Webmail 6.12.9
Message-Id: <20211103001648.752[email protected]>
From: "IDA" <[email protected]>
X-Sender: [email protected]
Reply-To: "IDA" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Salary
Date: Wed, 03 Nov 2021 00:16:48 -0700
X-Spam-Status: No, score=2.2
X-Spam-Score: 22
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "cpanel.ourdomain.tld",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content analysis details: (2.2 points, 4.7 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4930]
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 LOTS_OF_MONEY Huge... sums of money
X-Spam-Flag: NO
 

dandadude

Well-Known Member
It seems that spamassassin only cared about the "schachters.com" domain (and not the one in the FROM address) when checking SPF, because that domain has no SPF record.

exim_mainlog doesn't include the "FROM" address either, please check:

2021-11-03 08:20:59 1miAZv-0003kU-0n H=p3plsmtp13-04-2.prod.phx3.secureserver.net (p3plwbeout13-04.prod.phx3.secureserver.net) [173.201.192.168]:36249 Warning: "SpamAssassin as ourdomaintld detected message as NOT spam (2.2)"
2021-11-03 08:20:59 1miAZv-0003kU-0n H=p3plsmtp13-04-2.prod.phx3.secureserver.net (p3plwbeout13-04.prod.phx3.secureserver.net) [173.201.192.168]:36249 Warning: Message has been scanned: no virus or other harmful content was found
2021-11-03 08:20:59 1miAZv-0003kU-0n <= [email protected] H=p3plsmtp13-04-2.prod.phx3.secureserver.net (p3plwbeout13-04.prod.phx3.secureserver.net) [173.201.192.168]:36249 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3875 id=20211103001648.752[email protected] T="Fizet\351s" for [email protected]
2021-11-03 08:21:00 1miAZv-0003kU-0n => jl ([email protected]) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> OCtBOFs4gmGANwAAsFPSkA Saved"
2021-11-03 08:21:00 1miAZv-0003kU-0n Completed

So my problem is that it doesn't care about the FROM header, but it should!!! That causes it not to be marked as spam.
Is this normal behavior?

Thx
 

dandadude

Well-Known Member
"Hello! Using "-all" makes it strict, so this email should have failed the spam check and gotten marked. Could you please open a support ticket using the link in my signature so we can investigate? Or, if you don't have access, you can ask your hosting provider to open a ticket with cPanel."

Thanks very much, I have made the ticket and also received answers.

The conclusion is this:
"In the SpamAssassin documentation at https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_SPF.html it says that Envelope-From, Return-Path, and X-Envelope-From are used for SPF checks. It leaves open the possibility of other headers being used"

The problem is that in this case a simple "From" header can be forged easily, causing big damage like money-sending instructions from the boss etc. (as happened to us).

If Spamassassin is not capable of solving this, what other options do we have? There should clearly be a solution for this, because this is insane :)
 

dandadude

Well-Known Member
@cPanelAnthony:

Actually this is not a good resolution at all (I accepted it because I needed to), because no SPF scores were created by spamassassin in spite of the fact that the "From" header contained an address that had a strict (-all) SPF record and the mail was not sent from any of the allowed IP addresses.
My understanding is that, according to the URL referred to, spamassassin does not care about the "From" header, thus this can be forged if needed; it only takes into account the "Envelope-From, Return-Path, and X-Envelope-From" headers.
Do I understand right? If yes, is it a normal thing that "From" can be forged? :) I am counting on you, because you said earlier that this shouldn't be happening, "From" should not be forgeable :)

Thanks,
Daniel
 

cPanelAnthony

Administrator
Staff member
I believe I understand! "From" headers are the most commonly forged; it's definitely not rare to see this. I thought the ~all would affect the "from" headers, but it seems Mary was correct in the ticket. As the "From" headers are easily forged, it takes into account the other headers.

I apologize for any inconvenience.
 

NetVicious

Member
I solved this kind of forged email by modifying the score assigned to the HEADER_FROM_DIFFERENT_DOMAINS spamassassin rule.

You can do it on cPanel. Spam Filters / Show additional configurations / Configure calculated spam scores settings

There you can add rules with a specific score.

I set HEADER_FROM_DIFFERENT_DOMAINS to 9.9, and my system directly deletes messages scoring above 9.
FROMNAME_SPOOFED_EMAIL is another good rule to give a higher score to, to stop spammers spoofing emails.
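As an added example (not code from the thread, from cPanel or from SpamAssassin), this Python script shows the two points the thread settles: the SPF identity is the envelope sender (Return-Path), not the From: header the employee saw, and how raising the HEADER_FROM_DIFFERENT_DOMAINS score as described above pushes a message like the posted one over the 4.7 threshold. The header sample and its addresses are constructed, modelled on the redacted headers in the first post.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the ones posted in the thread. The
# addresses are placeholders (the forum redacted the originals); "schachters.com"
# is the Return-Path domain the poster says SPF was actually evaluated for.
SAMPLE_HEADERS = """\
Return-Path: <webmail-user@schachters.com>
Received: from p3plsmtp13-04-2.prod.phx3.secureserver.net ([173.201.192.168])
    by cpanel.ourdomain.tld with esmtps (Exim 4.94.2)
    (envelope-from <webmail-user@schachters.com>)
From: "IDA" <boss@ourdomain.tld>
To: "employee@ourdomain.tld" <employee@ourdomain.tld>
Subject: Salary

"""

def org_domain(addr):
    """Second-level ('organizational') domain of an address, which is the
    unit HEADER_FROM_DIFFERENT_DOMAINS compares."""
    domain = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def sender_identities(raw):
    """Return the domain SPF is evaluated against (the envelope sender, read
    here from Return-Path as the SPF plugin documentation describes) next to
    the From: header domain the recipient actually sees."""
    msg = message_from_string(raw)
    spf_domain = org_domain(msg["Return-Path"] or "")
    from_domain = org_domain(msg["From"] or "")
    return {"spf_domain": spf_domain, "from_domain": from_domain,
            "aligned": spf_domain == from_domain}

def score_message(rule_hits, overrides=None, required=4.7):
    """Total score for the rules that hit after applying local
    'score RULE value' overrides; returns (total, flagged_as_spam)."""
    scores = dict(rule_hits)
    scores.update(overrides or {})
    total = round(sum(scores.values()), 1)
    return total, total >= required

# Rules and their displayed scores copied from the X-Ham-Report in the first
# post. The report rounds each score to one decimal, so these sum to 2.1
# rather than the 2.2 the report computed from the unrounded values.
REPORT_HITS = {"BAYES_50": 0.8, "HEADER_FROM_DIFFERENT_DOMAINS": 0.2,
               "MIME_HTML_ONLY": 0.1, "HTML_MESSAGE": 0.0,
               "KAM_LAZY_DOMAIN_SECURITY": 1.0, "LOTS_OF_MONEY": 0.0}

if __name__ == "__main__":
    print(sender_identities(SAMPLE_HEADERS))  # schachters.com vs ourdomain.tld, not aligned
    print(score_message(REPORT_HITS))  # (2.1, False): below the 4.7 threshold
    print(score_message(REPORT_HITS, {"HEADER_FROM_DIFFERENT_DOMAINS": 9.9}))  # (11.8, True)
```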