
I understand that for most users, the Envelope-from address is the most difficult part of an email to spoof because (I assume) it is checked by the receiving MTA, i.e. if you attempt to spoof the "MAIL FROM" address the first MTA in the chain (normally your outbound SMTP provider) will reject it. This means the SPF check on the MAIL FROM will work as required.

However, if you are a spammer, what is to stop you running your own MTA and putting whatever you like into the MAIL FROM header, therefore rendering SPF useless? You simply create an MTA that crafts the first envelope and passes it on to the next in the chain (the receiver's MTA)?

What have I missed here?

Anders
David Scholefield
  • You are probably missing how SPF works. SPF will check the sender's IP. So if SPF states that example.com can only send emails from IP 1.2.3.4, then you won't be able to send an email with "MAIL FROM anything@example.com" from another IP. – reed Feb 01 '21 at 11:58
  • I think I know how SPF works - my question is how does the SPF checker know what the sending IP was if it's not captured and forwarded by the first MTA in the chain, and if the spammer controls that then they could put any IP they wanted into the first receive/forward, couldn't they? – David Scholefield Feb 01 '21 at 14:39
  • By "sender" I meant the preceding MTA, not the very first machine in the chain. When the receiver sees a "MAIL FROM anything@example.com", that connection must come from an IP that is allowed in the SPF of example.com. That is usually possible only if you have an account on example.com. – reed Feb 01 '21 at 16:30
  • *".... if the spammer controls that then they could put in any IP they wanted into the first receive/forward ..."* - the receiving MTA looks at the actual source IP address of the sender at the TCP level. It does not extract the IP address from some `Received` header. – Steffen Ullrich Feb 01 '21 at 20:42
  • "the receiving MTA looks at the actual source IP address of the sender at the TCP level" when you say 'receiving' MTA, which one? An email may go through a series of them - do you mean the first one that receives the email from the sending client, or the final one that hands off to the receiving client? If it's the first one in the chain that receives from the sending client and it's 'owned' by the spammer/sending client then it can ignore the sender's IP and rewrite it with a spoofed one. For the final MTA/receiver it doesn't know if the IP address written by the first MTA is genuine or not. – David Scholefield Feb 01 '21 at 21:36
  • Whichever is configured to check for SPF, possibly many. Regarding SPF, every MTA is only interested in its own incoming connections and the MAIL FROM address it receives. – Esa Jokinen Feb 08 '21 at 13:44
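As an added illustration of the point the comments make (example code written for this page, not from any of the posters): a minimal SPF evaluator that takes the TCP peer address of the connection issuing MAIL FROM and tests it against the SPF record of the MAIL FROM domain. The records are constructed stand-ins for DNS TXT lookups, `nospf.example` and `mailer.example` are made-up domains, and the `received` field of the session (the header an earlier hop could have forged) never enters the decision.

```python
import ipaddress

# Constructed SPF records standing in for the DNS TXT lookups a real checker
# performs; example.com allowed only from 1.2.3.4 is the case from the comments.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:1.2.3.4 -all",
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for the DNS TXT query (assumption: no network access here)."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(peer_ip, mail_from):
    """Minimal SPF evaluation (ip4/ip6 mechanisms and 'all' only).

    peer_ip is the source address of the TCP connection on which MAIL FROM
    was issued; the policy comes from the domain part of that MAIL FROM."""
    record = lookup_spf(mail_from.rsplit("@", 1)[-1])
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(peer_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # no term matched and no 'all' present


def spf_result_for_session(session):
    """A receiving MTA uses only the peer IP and the MAIL FROM it was given.
    session['received'] (a header an earlier hop wrote, or forged) is never read."""
    return check_spf(session["peer_ip"], session["mail_from"])


if __name__ == "__main__":
    # Constructed session: a spammer-run MTA at 203.0.113.7 claims
    # anything@example.com and forges a Received header naming 1.2.3.4.
    spoofed = {"peer_ip": "203.0.113.7", "mail_from": "anything@example.com",
               "received": "from mx.example.com (1.2.3.4)"}
    print(spf_result_for_session(spoofed))  # fail: the forged header changes nothing
```

Every hop that performs the check evaluates its own inbound connection this way, which is why a spammer-controlled first MTA gains nothing by rewriting what it forwards.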
