我有 postfix + spamassassin。
Spamassassin 应该检查发件人的 SPF,但我收到了以下垃圾邮件:
[电子邮件保护]= 这是我的 postfix 上的电子邮件
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
astra4450.dedicatedpanel.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=BAYES_00,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_SBL,SPF_HELO_PASS,SPF_PASS,
TO_IN_SUBJ,TVD_PH_BODY_ACCOUNTS_PRE,T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED,
URIBL_DBL_MALWARE,URIBL_PH_SURBL,URIBL_SBL,URIBL_SBL_A autolearn=no
autolearn_force=no version=3.4.0
Delivered-To: [email protected]
Received: from mail.hostify.vn (mail.hostify.vn [150.95.110.152])
by mx6.example.com (Postfix) with ESMTPS id A0C74100F20F14
for <[email protected]>; Wed, 13 Dec 2023 03:26:58 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
by mail.hostify.vn (Postfix) with ESMTP id 0FFB9166DF7
for <[email protected]>; Wed, 13 Dec 2023 08:26:57 +0700 (+07)
Received: from mail.hostify.vn ([127.0.0.1])
by localhost (mail.hostify.vn [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id EaHftMvBvz9k for <[email protected]>;
Wed, 13 Dec 2023 08:26:56 +0700 (+07)
Received: from localhost (localhost [127.0.0.1])
by mail.hostify.vn (Postfix) with ESMTP id 9CEAE167AA0
for <[email protected]>; Wed, 13 Dec 2023 08:26:56 +0700 (+07)
X-Virus-Scanned: amavisd-new at hostify.vn
Received: from mail.hostify.vn ([127.0.0.1])
by localhost (mail.hostify.vn [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id Y2hw8khgynlj for <[email protected]>;
Wed, 13 Dec 2023 08:26:56 +0700 (+07)
Received: from [88.209.206.208] (unknown [88.209.206.208])
by mail.hostify.vn (Postfix) with ESMTPSA id 9CF741675DA
for <[email protected]>; Wed, 13 Dec 2023 08:26:55 +0700 (+07)
From: Admin Helpdesk <[email protected]>
To: [email protected]
Subject: Password Verification For [email protected]
Date: 12 Dec 2023 17:26:54 -0800
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0012_CFC45DD6.E88DD181"
据我所知,SPF[电子邮件保护]是正确的,并且发件人在标题中被“欺骗”为[电子邮件保护]
然而,没有办法[电子邮件保护]是正确的。
今天我安装了一些叫做的工具pypolicyd-spf,但只要我能够检查,它也只检查mail from:SMTP 命令而不是电子邮件头。
我是否遗漏了什么或者使用了错误的工具?
答案1
这就是 SPF 的工作原理。来自发件人策略框架 (SPF) 简介 (RFC 7208,1):
本文档定义了一种协议,域所有者可以通过该协议授权主机在“MAIL FROM”或“HELO”身份中使用其域名。合规的域持有者发布发件人策略框架 (SPF) 记录,指定允许哪些主机使用其名称,合规的邮件接收者使用已发布的 SPF 记录在邮件交易期间测试使用给定“HELO”或“MAIL FROM”身份发送邮件传输代理 (MTA) 的授权。
DMARC(RFC 7489)另一方面允许发送者发布策略,规定接收者如何处理From未包含报头的消息对齐使用信封发件人(MAIL FROM)通过 SPF 或有效的 DKIM 签名。
答案2
假设如下:
helo spammer.com << [1]
mail from: [email protected] << [2]
rcpt to: [email protected]
data
from: [email protected] << [3]
to: [email protected]
subject: spam
spam
.
事实证明,SPF 应该仅检查 SMTP 连接的发件人:字段,例如 [2]。
通常这与 Return-Path 相同。
有时 SPF 会检查 helo 域[1]。
但是电子邮件 [3] 中的发件人:标题是绝不检查。
这意味着每个人都可以像这样欺骗发件人。
为了缓解您自己的域名,您可以执行 DMARC 并指定两个地址必须相同。
为了缓解您不拥有的域名的这种情况,您可以在 /etc/mail/spamassassin/local.cf 中增加以下分数
score SPF_FAIL 0 0 0 4.50
score SPF_SOFTFAIL 0 0 0 3.50
score SPF_HELO_FAIL 0 0 0 4.50
score SPF_HELO_SOFTFAIL 0 0 0 3.50
score HEADER_FROM_DIFFERENT_DOMAINS 0 0 0 4.50
请注意,这有点危险,因为有时某些域名的配置不是 100% 正确。