Saturday, November 8, 2008

NüSpam

Spam doesn't often make it past Google's filtering to my Inbox, but when it does it usually is fairly novel. Take this excerpt for example:
From: awele2@live.com
To: kevin@pheared.net
Subject: ESRI article sent by a friend

awele2@live.com recommends this article from ESRI.
Included message:
Mr Awele Nwoboshi
Spring Bank Plc,

My Dear friend,

I got your contact through the internet and I decided to reach
you because presently...
And it goes on with your standard Nigerian 419 scam. The nice wrinkle here is that the spammer found a form at ESRI's web site and used it to send me a link to one of their articles. Then they included their spam in the body of the message which is normally reserved for the user to say to their friend: "Hey, I thought you would like to read this because you're a big GIS nerd."

Google didn't flag it as spam, probably because this article-sharing mechanism is widely used and enough recipients have trained the filter to treat it as ham. Even the SPF result isn't a slam dunk. It says it was a softfail:
Received-SPF: softfail (google.com: domain of transitioning awele2@live.com does not designate 198.102.62.104 as permitted sender) client-ip=198.102.62.104;

Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning awele2@live.com does not designate 198.102.62.104 as permitted sender) smtp.mail=awele2@live.com
Since I only recently started publishing an SPF record for pheared.net, I decided to look into this softfail and what exactly a transitioning domain is. Microsoft is publishing the following SPF record:
live.com. 2680 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com include:_spf-ssg-a.microsoft.com ~all"
This record lists which mail servers may send mail for live.com addresses (and there are quite a few more than appear here, because each include: has to be followed to its own record), but then at the end they specify "~all". This is the key: it tells anyone checking the record that Microsoft isn't confident it has listed every possible source of mail from live.com addresses, so if you get mail from somewhere else, don't fail it completely, just softfail it. That is also where Google's "transitioning" wording comes from: a domain that ends its record with ~all is treated as still moving toward a strict policy rather than enforcing one.

I'm also publishing ~all, but after this experience I'm wondering if I should change it to the harsher -all. One side-effect is that if you were a pheared.net user, you would get hard SPF failures if you ever used one of these services that sends e-mail with your address in the From: line, which is exactly what the ESRI form did here. I personally hate those and my users are subject to my whims, so this isn't a strong argument. It would hurt anyone who sends legitimate mail from pheared.net without using our outgoing SMTP server. There might be some of that going on, but even I was able to fix my exim so that it forwards everything through Google's outgoing servers.
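To make the ~all versus -all difference concrete, here is an added example (my own code, not anything from the original post or from Microsoft) that evaluates a minimal SPF record against a client IP. It uses a constructed, offline DNS table: the live.com entry is shortened from the record quoted above, and the netblocks and the pheared.example records are hypothetical stand-ins.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The live.com entry is shortened from the record quoted above; the netblocks
# and the pheared.example records are hypothetical, not the real ones.
FAKE_DNS = {
    "live.com": "v=spf1 include:spf-a.hotmail.com include:_spf-ssg-a.microsoft.com ~all",
    "spf-a.hotmail.com": "v=spf1 ip4:65.54.0.0/16 -all",
    "_spf-ssg-a.microsoft.com": "v=spf1 ip4:207.46.0.0/16 -all",
    "pheared.example": "v=spf1 ip4:192.0.2.25 ~all",        # the lenient policy
    "pheared-strict.example": "v=spf1 ip4:192.0.2.25 -all",  # the harsher alternative
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Handles the ip4:, include: and all mechanisms, which is all this page's
    record needs; other mechanisms (a, mx, ptr, ...) are treated as non-matching.
    """
    if depth > 10:              # RFC 4408 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]          # ~all -> softfail, -all -> fail
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        # include: matches only if the included record yields "pass";
        # its own fail/softfail just means "keep checking the outer record".
        if name == "include" and check_spf(arg, ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"            # no mechanism matched and no "all" present


if __name__ == "__main__":
    esri_ip = "198.102.62.104"  # the client-ip from the Received-SPF header above
    for dom in ("live.com", "pheared.example", "pheared-strict.example"):
        print(f"{dom}: {check_spf(dom, esri_ip)}")
```

Running it shows the ESRI server's IP getting softfail under the ~all records and fail under the -all one, which is the whole trade-off the paragraph above is weighing.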
