Detecting phishing with spf macros

I run a test domain, andritz.me, with dual stack and mail enabled.

SMTP server

ns.andritz.me 185.77.254.8 and 2a05:6740:40c0:4000:0:0:0:53

SPF record:

v=spf1 exists:i.%{ir}.h.%{h}.o.%{o}.spf.andritz.me -all
%{ir} is replaced by the IP address of the sender in reverse notation
%{o} is replaced by the domain of the sender address
%{h} is replaced by the HELO/EHLO domain ns.andritz.me

So I need DNS entries for the exists queries according to https://tools.ietf.org/html/rfc7208, see 7.2. Macro Definitions:

   The following macro letters are expanded in term arguments:

      s = <sender>
      l = local-part of <sender>
      o = domain of <sender>
      d = <domain>
      i = <ip>
      p = the validated domain name of <ip> (do not use)
      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
      h = HELO/EHLO domain

But be careful with IP addresses in reverse notation.

https://tools.ietf.org/html/rfc7208#page-32 (examples of macro expansion; I do not use %{v})

i.8.254.77.185.h.andritz.me.o.ns.andritz.me.spf.andritz.me

i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.andritz.me.o.ns.andritz.me.spf.andritz.me.

Both entries need to exist for each mail server and respond to an A query (also for IPv6) with any, but valid, value.

DNS A records are limited to <250 characters.
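
Added example (not part of the original post): a small Python expander for the macros this record uses, producing the names that must exist for each mail server. It assumes %{ir} for the address, HELO ns.andritz.me and sender domain andritz.me as seen in the query log on this page; the function names and the 127.0.0.2 answer are placeholders chosen here.

```python
import ipaddress
import re

MACRO = re.compile(r"%\{([iho])(r?)\}")  # only the macro letters this record uses

def expand(template, ip, helo, sender_domain):
    """Expand %{i}, %{h}, %{o} (optionally with the r transformer) per RFC 7208 section 7."""
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, 32 dot-separated hex nibbles for IPv6
    if addr.version == 4:
        ip_labels = str(addr).split(".")
    else:
        ip_labels = list(addr.exploded.replace(":", ""))
    values = {"i": ip_labels, "h": helo.split("."), "o": sender_domain.split(".")}

    def repl(match):
        labels = values[match.group(1)]
        return ".".join(reversed(labels) if match.group(2) else labels)

    name = MACRO.sub(repl, template).rstrip(".")
    # RFC 7208 section 7.3: a name over 253 characters loses labels from the left
    while len(name) > 253 and "." in name:
        name = name.split(".", 1)[1]
    return name

def zone_entries(template, mail_servers, helo, sender_domain, answer="127.0.0.2"):
    """One A record per mail-server address; exists: only needs some A answer,
    also when the sending address is IPv6. The answer value is a placeholder."""
    return [f"{expand(template, ip, helo, sender_domain)}. IN A {answer}"
            for ip in mail_servers]

TEMPLATE = "i.%{ir}.h.%{h}.o.%{o}.spf.andritz.me"  # assumption: reversed address
SERVERS = ["185.77.254.8", "2a05:6740:40c0:4000:0:0:0:53"]

if __name__ == "__main__":
    for rr in zone_entries(TEMPLATE, SERVERS, "ns.andritz.me", "andritz.me"):
        print(rr)
```

Because HELO and sender domain are chosen by the sending side, an expanded name can exceed the length limit; the truncation loop shows what a receiver then actually queries.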

For testing, use https://www.kitterman.com/spf/validate.html; you can use IPv4 or IPv6.

02-Jan-2020 10:44:51.453 queries: info: client @0x7f3f30101180 66.39.4.57#8213 (0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.565 queries: info: client @0x7f3f30101180 66.39.4.57#2706 (5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.676 queries: info: client @0x7f3f30101180 66.39.4.57#1561 (6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.788 queries: info: client @0x7f3f30101180 66.39.4.57#40533 (7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.899 queries: info: client @0x7f3f3011e0a0 66.39.4.57#30752 (4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.011 queries: info: client @0x7f3f3011e0a0 66.39.4.57#3741 (0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.122 queries: info: client @0x7f3f3011e0a0 66.39.4.57#32473 (4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.234 queries: info: client @0x7f3f3011e0a0 66.39.4.57#20129 (0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.347 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59149 (c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.459 queries: info: client @0x7f3f3011e0a0 66.39.4.57#57085 (0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.571 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23099 (4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.683 queries: info: client @0x7f3f3011e0a0 66.39.4.57#26783 (0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.795 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59831 (0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.907 queries: info: client @0x7f3f3011e0a0 66.39.4.57#11262 (0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.019 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49170 (0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.131 queries: info: client @0x7f3f3011e0a0 66.39.4.57#27116 (0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.243 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55092 (0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.355 queries: info: client @0x7f3f3011e0a0 66.39.4.57#33274 (0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.467 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23164 (0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.581 queries: info: client @0x7f3f3011e0a0 66.39.4.57#13752 (0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.807 queries: info: client @0x7f3f3011e0a0 66.39.4.57#53153 (0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.034 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49398 (0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.372 queries: info: client @0x7f3f3011e0a0 66.39.4.57#2880 (0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.714 queries: info: client @0x7f3f3011e0a0 66.39.4.57#24045 (3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.941 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55280 (i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN A -E(0)D (185.77.254.8)
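
Added example (not from the original post): reading such a query log for detection. It decodes the sender address, HELO name and sender domain from each A-query name and reports addresses that are not the page's two mail servers; the sample log lines and function names are constructed for illustration, and the name layout assumes the i.…h.…o.… pattern with a reversed address.

```python
import ipaddress
import re

# Mail servers named on the page; any other address sending as the domain is reported.
AUTHORIZED = {ipaddress.ip_address(a) for a in ("185.77.254.8", "2a05:6740:40c0:4000::53")}
QUERY = re.compile(r"query: (\S+) IN (\S+)")
NAME = re.compile(
    r"^i\.(?P<ip>[0-9a-f.]+)\.h\.(?P<helo>.+?)\.o\.(?P<dom>.+)\.spf\.andritz\.me\.?$", re.I)

def decode_ip(labels):
    """Undo the reversal: 4 reversed octets (IPv4) or 32 reversed nibbles (IPv6)."""
    parts = labels.lower().split(".")[::-1]
    if len(parts) == 4:
        return ipaddress.ip_address(".".join(parts))
    if len(parts) == 32:
        return ipaddress.ip_address(
            ":".join("".join(parts[i:i + 4]) for i in range(0, 32, 4)))
    raise ValueError(f"unexpected label count: {len(parts)}")

def unauthorized_senders(lines):
    """Return (sender_ip, helo, sender_domain) for lookups from unlisted addresses."""
    findings = []
    for line in lines:
        q = QUERY.search(line)
        if not q or q.group(2) != "A":   # skip DS and other lookups for partial names
            continue
        m = NAME.match(q.group(1))
        if not m:
            continue
        try:
            ip = decode_ip(m["ip"])
        except ValueError:               # malformed address labels
            continue
        if ip not in AUTHORIZED:
            findings.append((str(ip), m["helo"].lower(), m["dom"].lower()))
    return findings

# Constructed sample lines in the format of the query log above (documentation addresses).
PFX = "02-Jan-2020 11:00:00.000 queries: info: client @0x7f0000000000 192.0.2.53#4242 "
def _line(name, rtype):
    return f"{PFX}({name}): query: {name} IN {rtype} -E(0)D (185.77.254.8)"
SAMPLE_LOG = [
    _line("i.8.254.77.185.h.ns.andritz.me.o.andritz.me.spf.andritz.me", "A"),
    _line("i.23.100.51.198.h.mail.example.net.o.andritz.me.spf.andritz.me", "A"),
    _line("100.51.198.h.mail.example.net.o.andritz.me.spf.andritz.me", "DS"),
]

if __name__ == "__main__":
    for finding in unauthorized_senders(SAMPLE_LOG):
        print("unlisted sender:", finding)
```

The client address in each log line is the receiving side's resolver; the sending host's address appears only inside the query name. Resolver caching means repeated mail from one address may show up as a single query.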

Other information found

https://spf-all.com/stats.html Currently only very few domains utilize that phishing protection.

https://duo.com/labs/tech-notes/detecting-phishing-with-spf-macros

https://www.dmarcanalyzer.com/spf/checker/

Ripe79 in Rotterdam, Netherlands

Looking forward to seeing you: https://ripe79.ripe.net

 

Mobile phones in Austria with IPv6

T-Mobile/Magenta finally started with IPv6 on mobile phones in Austria in June 2019. You can test it on your (Austrian) phone with https://test-ipv6.com

https://stats.labs.apnic.net/ipv6/AS8412?c=AT&p=1&v=1&w=30&x=1

When will A1.net and Drei.at join?

Ripe78 in Reykjavík, Iceland

This time I cannot attend in person, but I am looking forward to participating remotely.

 

Ripe77 in Amsterdam

https://ripe77.ripe.net/

I attended Ripe77 in Amsterdam. Feels good to meet people from all around.

Special thanks to ISC for pointing me to firewall issues with Check Point. After patching we passed the EDNS01 tests fine.

https://dnsflagday.net/

https://ednscomp.isc.org/ednscomp/33d9a80ea8