
I am studying a bit of SPF and other spam/phishing prevention techniques that have been developed over the years, and I have a few questions about SPF. I know the difference between the MAIL FROM verb and the FROM header, but I am having problems understanding if and how SPF makes it harder for a spammer/phisher to achieve its goal.

What I do understand is that while it is usually desirable, for a spammer/phisher, to abuse the FROM header so that the mail seems to be coming from a legit source (this is what the user sees, after all), the MAIL FROM field is not shown to the user. For example, the phisher could register a real, valid domain to send mail from, and this would be bypassed. Another thing that comes to my mind is that, for example, mybank.com has a very simple SPF entry: `mybank.com. IN TXT "v=spf1 a -all"`. In this case, a spammer could easily forge emails with the MAIL FROM set to secure.mybank.com, thus bypassing the SPF check, as for secure.mybank.com there is no SPF entry (and the default is a pass if no SPF entry exists). Also, he could abuse a completely non-existent domain, not a subdomain of something that exists.

In the latter cases, the only thing that the receiving server could do would be to cross-validate the MAIL FROM verb and the FROM header to ensure they are the same, but again, the FROM header could be spoofed to admin@secure.mybank.com (I know that for that there is DMARC, but I'm considering a case where only SPF is implemented).

Mainly, I don't understand if SPF was born with the goal of making life harder for spammers/phishers, or if it was born to make sysadmins' lives easier (since an appropriate SPF configuration could reduce the number of error messages received by a domain that is being abused). Even if it is the latter, I don't understand the main benefit for a spammer/phisher in using a legit MAIL FROM address.

Thanks in advance to anyone.

EDIT: I see that this question was marked as a duplicate, and I may have missed a point, but I think that the other questions don't answer my main point, that is: what is the point of having SPF alone? Along with DMARC and DKIM it can be used to detect phishing attempts, but SPF alone can easily be bypassed by using a subdomain of an existing domain or a new domain. In my understanding, SPF can help in reducing UBE for sysadmins, but it does not protect a single user from spam/phishing, and I was looking for a confirmation or refutation of this.

  • This question is (mostly?) answered by [Security of SPF vs SPF and DKIM in email](http://security.stackexchange.com/questions/151241/security-of-spf-vs-spf-and-dkim-in-email), also [How spf records prevents the server from attackers?](http://security.stackexchange.com/questions/91604/how-spf-records-prevents-the-server-from-attackers/91605#91605). Also read the [introduction of the SPF RFC](https://tools.ietf.org/html/rfc7208#page-5) for what problem SPF is trying to solve. – Steffen Ullrich Feb 22 '17 at 06:02
  • Hi @SteffenUllrich, thanks for the interest and sorry I didn't answer back sooner. I read the questions you posted; I actually found and read them before posting the question, but I still think that they don't answer my question (I may have missed something, by the way). I understand that SPF can help find spoofed email, but it looks to me like an attacker has no interest in spoofing the **MAIL FROM** header, as it is ignored by most clients. Am I missing something? – Alessandro Guagnelli Feb 28 '17 at 03:00
  • In short: SPF was never intended to make sure the visible From in the mail header is the right one. This was only later added with DMARC. It was only intended to detect spoofing of the SMTP envelope sender (i.e. MAIL FROM), because notifications about undeliverable mails get sent back to this address and thus clutter the mailbox of the claimed sender. – Steffen Ullrich Feb 28 '17 at 04:43
  • Thanks again @SteffenUllrich, I thought that SPF had some other "effect" other than preventing the cluttering of the _fake_ sender's mailbox. So, apart from that, do phishers/spammers have any benefit in sending emails with what appears to be a legit **MAIL FROM** sender? Again, the only thing that comes to my mind is that if you know that a sender is abused to send spam/phishing email, then its reputation decreases and you can mark email from that sender as spam easily. – Alessandro Guagnelli Feb 28 '17 at 07:29
  • SPF should be seen in addition to other checks, like checking if there is an MX for the sender's domain. Combined, this means that it is impossible for a spammer to abuse an existing domain (prevented by SPF) or to just make up a non-existing domain (prevented by the MX check). Ideally this means that the spammer has to use its own domain, which makes it easier to track the spammer. – Steffen Ullrich Feb 28 '17 at 07:49
  • Hi @SteffenUllrich. Now it is much clearer. Thank you again for taking the time to explain everything! – Alessandro Guagnelli Mar 02 '17 at 00:35
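To make the thread's points concrete, here is a toy SPF evaluator (an added example, not code from the question or its comments) run over a constructed in-memory DNS table: mybank.com publishing `v=spf1 a -all`, a `secure.mybank.com` subdomain with no SPF record, and a spammer-controlled `evil.example` with its own valid record (all three zones and IPs are made up). It shows that a record-less subdomain yields the RFC 7208 result "none" rather than "pass", that SPF alone therefore does not block it, and that the MX-existence check from the comments is what rejects a made-up domain.

```python
"""Toy SPF evaluator over a constructed in-memory DNS table (added example, not
code from the original post). It evaluates the MAIL FROM domain the way a
receiving MTA would and adds the MX-existence check from the comments."""
import ipaddress

# Constructed zone data modelled on the question: mybank.com publishes
# "v=spf1 a -all", secure.mybank.com exists but has no SPF record, and
# evil.example is a spammer-controlled domain with its own valid SPF record.
DNS = {
    "mybank.com": {"A": ["198.51.100.10"], "MX": ["mx.mybank.com"],
                   "TXT": ["v=spf1 a -all"]},
    "secure.mybank.com": {"A": ["198.51.100.20"], "MX": ["mx.mybank.com"]},
    "evil.example": {"A": ["203.0.113.5"], "MX": ["mx.evil.example"],
                     "TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def check_host(client_ip, domain):
    """Minimal RFC 7208 check_host(): 'a', 'ip4' and 'all' with qualifiers."""
    record = spf_record(domain)
    if record is None:
        return "none"  # no record: the result is 'none', not 'pass'; nothing is learned
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "a":  # 'a' (this domain) or 'a:other.domain'
            matched = str(ip) in DNS.get(arg or domain, {}).get("A", [])
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUAL[qual]
    return "neutral"  # reached the end of the record without a match

def receiver_verdict(client_ip, mail_from):
    """SMTP-time policy: require an MX for the sender domain, then reject on SPF fail."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if not DNS.get(domain, {}).get("MX"):
        return "reject: no MX for sender domain"
    result = check_host(client_ip, domain)
    return "reject: SPF fail" if result == "fail" else f"accept (SPF {result})"
```

Running `receiver_verdict` for a spammer host against `admin@secure.mybank.com` gives "accept (SPF none)", which is the gap the question describes; the same host against `admin@mybank.com` is rejected by SPF and against a non-existent domain by the MX check.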
