Spammers bypassing SPF

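A user on a mail host I run has been receiving a lot of spam "from himself". With SPF set up and verified on the domain (wickenburg.us), this should not be happening. It is not happening on any of my other domains (though that may be more a matter of spammer opportunity than a technical issue).

The SPF record is simple and strict: v=spf1 a mx ip4:96.125.170.48 -all

Bottom line, all mail "from" wickenburg.us must come from 96.125.170.48, and that's that.

Examining the full headers of the offending incoming messages, I find that each one contains the following line: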

Received-SPF: pass (domain of gmail.com designates <spammer's IP> as permitted sender)

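The "envelope-from" is always specified as <>

I am puzzled by this. I have never granted Google any authority to decide what is valid email for my domain, and my domain arrangements have nothing to do with Google. Anyone asking for or trusting Google's opinion on the matter seems to violate the entire design of SPF.

What do I need to do to fix this?

Edit: here is an example of a complete set of headers, as requested.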

Return-Path: <>
Delivered-To: [email protected]
Received: from server.wickenburg.us
    by server.wickenburg.us with LMTP
    id NQs7NHvUvmRPaQAAeQzYKg
    (envelope-from <>)
    for <[email protected]>; Mon, 24 Jul 2023 12:43:55 -0700
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Mon, 24 Jul 2023 12:43:55 -0700
Received: from [195.133.32.101] (port=53352 helo=r97.email.lefebvreelderecho.com)
    by server.wickenburg.us with esmtp (Exim 4.96)
    id 1qO1TI-00070c-0F
    for [email protected];
    Mon, 24 Jul 2023 12:43:55 -0700
Received: by 2002:a54:200c:0:b0:228:543a:1f5a with SMTP id t12csp1618203ecn;
        Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGFskBq6vD+JptCL7CTitvNTO7/IPxEzuHDPKvHvDjtELTC/rAvYUkkInNXwcGoYqFWzD6p
X-Received: by 2002:a05:6a00:18aa:b0:686:290b:91f7 with SMTP id x42-20020a056a0018aa00b00686290b91f7mr7885971pfh.22.1690223366335;
        Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690223366; cv=none;
        d=google.com; s=arc-20160816;
        b=oFTBlj60DutemJU6/VIqaY5SlSLFHaF2lAoDo6mni61DWkkjOgpQ3QUvcTTMtzBOES
         5VwcBZATGpcm1wlErizZ4O/gdyvOFoyB6Tev6tXx2fgISqATbtxeswCrvmQRR7kBw0KY
         oUSpsot28s39ike2WDzqjroLgKH8Z+Z8V7/ETMqJZkX8met8OJ0D6dZ2NC4UVw0GGae0
         U4vlblGbVfQJV+PYHsZPzkkGjNYVQW1jpJT4ytrvMl+UMCaFLFEkxnb1yWr5mviGflzk
         dev+HCwBUmImeYopm6wPWpoT1+Roo9x0y2KiyJJHln6RkKl8nqELyCQbqsmUgsjmJL5H
         tcGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=references:mime-version:subject:message-id:to:from:date
         :dkim-signature;
        bh=wO2NmQIfIA1TETnGAB3LAbdcIcFxJYvNim6ZNUQ7fAQ=;
        fh=jiXLAKdjm0XSnS+zteR+sipnHmR6ae2WQlH3Cpp0Kls=;
        b=nUOq8UzXt9MqhWFF/gfA3ZgRzEC3zOcfx86XAyi+JrsLSSclJpOPsRmWqUNb+3FU5j
         naiZPQabYnOu+Xr1XUrZLWuxZvZQjN6uyQAQ8rkbAGhCgR9WtYUM87GaAu09NwFG9WNV
         cT9JuUzhD76PMvatK24eXP8dsE10XJFgOVjL9bKjxIcq3sFtZ7IFmh9+soZAtDyoFjRq
         MiDvrDS1kaTzlnrJcGXAuIfOGR0aQj1ko7hapKvjwmxYS+P3zmUdaECGGUGTtArfdFyP
         TL/OhFZpWXwwKnIqnbNA4qO3c++YOMPNvCqTO4N5BihZ+7/cfB/UJ61AIt/uj1m2tSLx
         EsSg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=a2048 header.b=gHShi1Su;
       spf=pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
Received: from sonic313-20.consmr.mail.gq1.yahoo.com (sonic313-20.consmr.mail.gq1.yahoo.com. [98.137.65.83])
        by mx.google.com with ESMTPS id j17-20020a056a00235100b0067ea76a7c59si10056277pfj.50.2023.07.24.11.29.26
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) client-ip=98.137.65.83;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=a2048 header.b=gHShi1Su;
       spf=pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1690223365; bh=wO2NmQIfIA1TETnGAB3LAbdcIcFxJYvNim6ZNUQ7fAQ=; h=Date:From:To:Subject:References:From:Subject:Reply-To; b=gHShi1SuWLTUbadusZH0I3/pF9Zov75eYIkvrEzC07efzFmOsjNZFLzppRKVCoQxnbBr1tK+aXBcBlf8xaYme6dhmr0UqvW3WWW6aKMHeVzvqGkjvbEwlStG+NClJr8UEonNTDT1FipCG96FLDHcnBoLn3a6t7o71ExU3KNK329DgZsJIDtwP+wTCjp9KnG0E7YlE7HrUIQz1f+Z6Hw01Hkxc1RC5Wc6DjdAsbFn9b26XRYRdLgcQ9/dpqhO3/sFD5Y5g7xovpVCQ0EqxYv08JAzIXW/K76f88HRVii6uXCw0PfRR5kzuIUGLGutZGc8MYX+/eCAvAyiSEBDYaLUMA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1690223365; bh=w4zS8DeoeACKhNY4awKRnv6pKMGcrBajz8nL7G9ZiKU=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=rF2pfIyVoSWtHaVXNnmlmDfUUwAGkUeSxtzbwcvyRsJyERPaLz4eg6sXxttV6gTc88cdhbh8HKGkkQpsyv59hh16znm14b7gK0ruYUXvL7eqQl7bSexTfEMQpJ7AYl13N5RixcgxC3gPpp6WXdPgZeoXMEsAmT28WOTub9JvPwPJfAsIEq1KW0bON9FfluQI8BoLW7I91t2VB/FQH7FozPJp30kSDDGCkOQHZo5E62G53NVeOjH59B9XBjcrL+yExFV12wL2/LiSud7WYfCn2sce9C0QTN7qT8DAGMGBz9rbeIsh4zz0o+SGKgmD/WEknHWJriOHJF2/awkEHJDR7A==
X-Sonic-MF: <[email protected]>
X-Sonic-ID: 456c4d8d-0730-4054-accf-2cbd298fff0b
Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.gq1.yahoo.com with HTTP; Mon, 24 Jul 2023 18:29:25 +0000
Date: [email_date]
From: DEWALT GENERATOR Rewards <[email protected]>
To: DEWALT GENERATOR Rewards <[email protected]>
Message-ID: <[email protected]>
Subject: You have won an Portable Power Station
MIME-Version: 1.0
Content-Type: text/html;
X-Mailer: WebService/1.1.21647 AolMailNorrin
Content-Length: 518
X-Spam-Status: No, score=-83.3
X-Spam-Score: -832
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "server.wickenburg.us",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Portable Power Station View in a web browser ANSWER & WIN 
 Content analysis details:   (-83.3 points, 8.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
                             bl.spamcop.net
              [Blocked - see <https://www.spamcop.net/bl.shtml?195.133.32.101>]
 -0.0 USER_IN_WELCOMELIST    User is listed in 'welcomelist_from'
 -100 USER_IN_WHITELIST      DEPRECATED: See USER_IN_WELCOMELIST
  1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  1.1 INVALID_DATE           Invalid Date: header (not RFC 2822)
  2.2 KAM_STORAGE_GOOGLE     URI: Google Storage API being abused by
                             spammers
  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
  0.8 KAM_INFOUSMEBIZ        Prevalent use of
                             .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                              domains in spam/malware
  3.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the
                             message and the domain has a DMARC reject
                             policy
  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                             Alignment
  0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
X-Spam-Flag: NO

Edit 23-07-29: After enabling "Allow DKIM verification for incoming messages" and "Reject DKIM failures" in EXIM, this spam still gets through. Another example from today:

Return-Path: <>
Delivered-To: [email protected]
Received: from server.wickenburg.us
    by server.wickenburg.us with LMTP
    id aP37DDdixWQvYwAAeQzYKg
    (envelope-from <>)
    for <[email protected]>; Sat, 29 Jul 2023 12:02:15 -0700
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Sat, 29 Jul 2023 12:02:15 -0700
Received: from [194.169.163.37] (port=48087 helo=judithwilliams.com)
    by server.wickenburg.us with esmtp (Exim 4.96)
    id 1qPpCi-0006ap-2c
    for [email protected];
    Sat, 29 Jul 2023 12:02:15 -0700
Received: from njmta-20.sailthru.com (173.228.155.20) by theskimm-d.sailthru.com id h568ie30nt87 for <[email protected]>; Sun, 2 Apr 2023 10:23:40 -0400 (envelope-from <[email protected]>)
Received: from nj1-farmelon.flt (172.18.20.31) by njmta-20.sailthru.com id h567uo1qqbs5 for <[email protected]>; Sun, 2 Apr 2023 10:21:46 -0400 (envelope-from <[email protected]>)
Date: Sat, 29 Jul 2023 20:55:21 +0200
From: Ninja Foodi Dual Air Fryer Shipment <[email protected]>
To:jones<[email protected]>
Message-ID: <[email protected]>
Subject: Celebrating KOHL'S anniversary with an Ninja Foodi Dual Air Fryer
Content-Type: text/html;
X-Feedback-ID: 7595:31029321:campaign:sailthru
X-TM-ID: 20230402102146.31029321.5494280
X-Info: Message sent by sailthru.com customer theSkimm, Inc
X-Info: We do not permit unsolicited commercial email
X-Info: Please report abuse by forwarding complete headers to
X-Info: [email protected]
X-Mailer: sailthru.com
X-JMailer: nj1-farmelon.flt
X-Unsubscribe-Web: https://link.theskimm.com/oc/6425b794e3ea9af00b0a1cabih2dl.39rew/65c2f250
List-Unsubscribe: <https://link.theskimm.com/oc/6425b794e3ea9af00b0a1cabih2dl.39rew/65c2f250>, <mailto:[email protected]>
X-rpcampaign: stlgd31029321
X-IncomingHeaderCount: 23
X-MS-Exchange-Organization-ExpirationStartTime: 02 Apr 2023 14:28:55.6663
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 288d6423-ae50-4862-9ac8-08db33869718
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
 CO1PEPF00001A5F:EE_|DM4PR15MB5994:EE_|PH0PR15MB4479:EE_
X-MS-Exchange-Organization-AuthSource:
 CO1PEPF00001A5F.namprd05.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 4/1/2023 10:53:49 PM
X-MS-Office365-Filtering-Correlation-Id: 288d6423-ae50-4862-9ac8-08db33869718
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 192.64.237.81
X-SID-PRA: [email protected]
X-SID-Result: PASS
X-MS-Exchange-Organization-SCL: 2
X-Microsoft-Antispam: BCL:1;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2023 14:28:55.4163
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 288d6423-ae50-4862-9ac8-08db33869718
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
 CO1PEPF00001A5F.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR15MB5994
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.1967716
X-MS-Exchange-Processed-By-BccFoldering: 15.20.6254.030
X-Microsoft-Antispam-Mailbox-Delivery:
    abwl:0;wl:0;pcwl:0;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000305)(90000117)(90010023)(91010020)(91040095)(9050020)(9100338)(4810010)(4910033)(8820095)(9910022)(9545005)(10170022)(9320005);
X-Message-Info:
    qZelhIiYnPkx84CNH6AeQs2r1mfbx475RiI5K0+Xb2fvrntBfTJ10N2zNIvcvtf7VgXmo/rIiDQIXO6S3rtSdn/H4xrzDv+I2RFpBW+pxB4yhwf8VqBxAb2oTJ+jKAPjknpLKx0rGhWF/Oowozp6RA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0tMQ==
MIME-Version: 1.0
X-Spam-Status: No, score=-77.6
X-Spam-Score: -775
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "server.wickenburg.us",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Celebrating KOHL'S anniversary with an Ninja Foodi Dual Air
    Fryer If you no longer wish to receive these emails, you may unsubscribe
   by clicking here click here to remove yourself from our emails list 
 Content analysis details:   (-77.6 points, 8.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: baxarfnar.bond]
  0.6 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist
                             [URIs: baxarfnar.bond]
  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
                             bl.spamcop.net
              [Blocked - see <https://www.spamcop.net/bl.shtml?194.169.163.37>]
 -0.0 USER_IN_WELCOMELIST    User is listed in 'welcomelist_from'
 -100 USER_IN_WHITELIST      DEPRECATED: See USER_IN_WELCOMELIST
  1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  1.5 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
  2.2 KAM_STORAGE_GOOGLE     URI: Google Storage API being abused by
                             spammers
  0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image
                             area
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  1.8 PYZOR_CHECK            Listed in Pyzor
                             (https://pyzor.readthedocs.io/en/latest/)
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
  0.8 KAM_INFOUSMEBIZ        Prevalent use of
                             .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                              domains in spam/malware
  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML
                             tag
  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                             Alignment
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
  3.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the
                             message and the domain has a DMARC reject
                             policy
  2.7 GOOG_STO_NOIMG_HTML    Apparently using google content hosting to
                             avoid URIBL
X-Spam-Flag: NO

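Answer 1

In general

SPF only protects the envelope sender. You need a DMARC policy to protect the domain used in the From header.

Ideally, you should use p=reject together with both DMARC+SPF and DMARC+DKIM alignment to ensure that all legitimate mail gets delivered.

As mentioned in the comments, your DNS is correctly set up for SPF, DKIM and DMARC. This protects your domain on systems that perform the checks.


With the full headers added, to answer the question...

Your server is not performing SPF/DKIM/DMARC checks

Received and Authentication-Results headers are always added at the beginning of the headers, which means they appear in reverse order of addition; the first one is the most recent. This looks like the first Received header added by your server: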

Received: from [195.133.32.101] (port=53352 helo=r97.email.lefebvreelderecho.com)
    by server.wickenburg.us with esmtp (Exim 4.96)
    id 1qO1TI-00070c-0F
    for [email protected];
    Mon, 24 Jul 2023 12:43:55 -0700

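Your server does not seem to add any Authentication-Results, which suggests it may not be performing these checks properly. The message actually came from 195.133.32.101, and the SPF check would only work if wickenburg.us were the envelope sender. Therefore, it should only pass DMARC if it passed with an aligned DKIM signature. However, your server does not check DKIM or DMARC. The results would be right below or above this header.

I am not an Exim expert. Chapter 58 of the documentation, "DKIM, SPF, SRS and DMARC", contains all the relevant instructions on how to set up these protocols for incoming mail.

The Authentication-Results that are present are fake

Everything below your own Received header comes from the previous hop and is kept as is. You should not trust any of these headers. They may all be fake, which is what caused this confusion in the first place.

Trusting headers would allow bypassing OpenDMARC checks by forging authentication results

What can be trusted?

If you have configured trusted Authenticated Received Chain (ARC) intermediaries (RFC 8617), you can trust some of the earlier authentication headers. For example, if you expect email to be forwarded via Gmail, you can trust the cryptographically signed ARC. Forged headers like these would not pass this check.

ARC-Seal and ARC-Message-Signature work similarly to DKIM signatures; once you trust the intermediary's signature, you can use these signatures to validate the ARC-Authentication-Results and then trust them without performing a new validation, which in the DMARC+SPF case would fail because of forwarding. Since DKIM signatures can usually survive forwarding, DMARC+DKIM can work even without the help of ARC.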
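
The trust boundary described in Answer 1, as an added example that is not part of the original answer: it walks a message's headers top-down and accepts an Authentication-Results header only if it sits above the first Received header written by another host and carries the local authserv-id. The function names and the abbreviated sample headers (including the smtp.mailfrom and dmarc=fail values) are constructed for illustration.

```python
import email
import re

# Constructed sample: abbreviated trace modeled on the first message in the question.
SAMPLE = """\
Received: from server.wickenburg.us
    by server.wickenburg.us with LMTP; Mon, 24 Jul 2023 12:43:55 -0700
Received: from [195.133.32.101] (helo=r97.email.lefebvreelderecho.com)
    by server.wickenburg.us with esmtp (Exim 4.96);
    Mon, 24 Jul 2023 12:43:55 -0700
Received: from sonic313-20.consmr.mail.gq1.yahoo.com ([98.137.65.83])
    by mx.google.com with ESMTPS; Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
Authentication-Results: mx.google.com;
    spf=pass smtp.mailfrom=aol.com;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
From: Rewards <user@wickenburg.us>

body
"""

# Constructed variant: the same message if the receiving server had stamped
# its own verdict on top (the dmarc=fail value is an assumption).
SAMPLE_CHECKED = (
    "Authentication-Results: server.wickenburg.us;\n"
    "    dmarc=fail header.from=wickenburg.us\n" + SAMPLE
)


def received_by(value):
    """Host named in the 'by' clause of a Received header, or None."""
    match = re.search(r"(?:^|\s)by\s+([^\s;]+)", value)
    return match.group(1).lower() if match else None


def classify_auth_results(raw_message, my_host):
    """Split Authentication-Results headers into (trusted, untrusted)."""
    # Headers are prepended, so reading top-down we stay inside our own
    # server's trace until the first Received header written by another host.
    # This assumes the border MTA removes inbound headers that already carry
    # its own authserv-id (RFC 8601, section 5).
    my_host = my_host.lower()
    trusted, untrusted = [], []
    crossed_boundary = False
    for name, value in email.message_from_string(raw_message).items():
        header = name.lower()
        if header == "received" and received_by(value) != my_host:
            crossed_boundary = True
        elif header == "authentication-results":
            tokens = value.split(";", 1)[0].split()
            authserv_id = tokens[0].lower() if tokens else ""
            entry = (authserv_id, " ".join(value.split()))
            if not crossed_boundary and authserv_id == my_host:
                trusted.append(entry)
            else:
                untrusted.append(entry)
    return trusted, untrusted


if __name__ == "__main__":
    for label, raw in (("as received", SAMPLE), ("with local check", SAMPLE_CHECKED)):
        trusted, untrusted = classify_auth_results(raw, "server.wickenburg.us")
        print(label, "trusted:", trusted, "untrusted:", [a for a, _ in untrusted])
```

For the message as received, the trusted list is empty: the only result present was written below the boundary by mx.google.com, which matches the answer's diagnosis.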

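Answer 2

Check the email headers, and you will probably see two different sender addresses.

The From: entry will match your user's email, but that header entry is only used by email clients to display the email address, and is not used by the servers delivering the email to you.

The other address will use a completely different domain, and on that domain the sender's IP address will match the SPF record for their domain. I suspect that if you examine the path the email took to reach the user, you will find that the sender's email was sent through Gmail, which is why you see the SPF result from them, before it reached its final destination.

So the SPF record you set up for the domain is never looked at, because as far as the server checking it is concerned, the email is not from wickenburg.us but from somewhere else.

For context, you will often see the same thing in legitimate emails, for example emails from Amazon. I received one from them yesterday, and the email in my client showed it as coming from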

From: "Amazon.co.uk" <[email protected]>

But digging into the headers, I found that the actual sender address (e.g. the one servers look at to decide how to handle the email) is

20230724082216068fc30d3fcf4ede9fbe164dda0p0eu-C182GINBTAROME@bounces.amazon.co.uk

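This is a really annoying side effect of the way email works and the way email clients handle it. Personally, I would like to see email clients do something to make it easier for users to see and check whether the two addresses match, especially when the domains used are different. There are legitimate reasons for doing this, but it should be more transparent... especially since there is no practical way to change how servers handle them.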
