Categories
dualstack IPV6 smtp

Detecting phishing with spf macros

I run a test domain andritz.me with dual stack and mail enabled

SMTP server

ns.andritz.me 185.77.254.8 and 2a05:6740:40c0:4000:0:0:0:53

SPF record:

v=spf1 exists:i.%{i}.h.%{h}.o.%{o}.spf.andritz.me -all
%{ir} is replaced by the IP address of the sender
%{o} is replaced by the domain of the sending client
%{h} is replaced by the HELO/EHLO domain ns.andritz.me

So I need DNS entries for the exists queries according to https://tools.ietf.org/html/rfc7208

See section 7.2, Macro Definitions:

   The following macro letters are expanded in term arguments:

      s = <sender>
      l = local-part of <sender>
      o = domain of <sender>
      d = <domain>
      i = <ip>
      p = the validated domain name of <ip> (do not use)
      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
      h = HELO/EHLO domain

But be careful with the IP addresses in reverse notation.

https://tools.ietf.org/html/rfc7208#page-32 (examples of macro expansion; I do not use %v)

i.8.254.77.185.h.andritz.me.o.ns.andritz.me.spf.andritz.me

i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.andritz.me.o.ns.andritz.me.spf.andritz.me.

Both entries need to exist for each mail server and must respond to an A query (also for IPv6) with any valid value.

DNS A records are limited to <250 characters.
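The following Python sketch is an added example, not part of the original post. It expands the RFC 7208 macros for both mail server addresses and shows how %{i} and %{ir} produce different owner names; the %{ir} form is the one that matches the final A query in the BIND log on this page. The function names, the local part "user" and the 253/63-character DNS limits used in the check are assumptions of the example.

```python
import ipaddress
import re

# %{letter digits r delimiters} plus the literals %%, %_ and %- (RFC 7208, section 7).
# The "p" macro and the uppercase (URL-escaping) letters are left out on purpose.
MACRO = re.compile(r"%(?:\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}|([%_\-]))")
LITERALS = {"%": "%", "_": " ", "-": "%20"}


def expand(spec, ip, sender, helo, domain=None):
    """Expand the SPF macros in a domain-spec for one connecting client."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    # IPv4 stays dotted-quad; IPv6 becomes 32 dot-separated lowercase nibbles.
    dotted = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {
        "s": sender, "l": local or "postmaster", "o": sender_domain,
        "d": domain or sender_domain, "i": dotted, "h": helo,
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def substitute(match):
        letter, digits, reverse, delimiters, literal = match.groups()
        if literal:
            return LITERALS[literal]
        parts = re.split("[" + re.escape(delimiters or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:  # keep only the right-hand N labels, after any reversal
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO.sub(substitute, spec)


def required_names(spec, ips, sender, helo):
    """Return {ip: owner name that must resolve} and reject oversized names."""
    names = {}
    for ip in ips:
        name = expand(spec, ip, sender, helo)
        if len(name) > 253 or any(len(label) > 63 for label in name.split(".")):
            raise ValueError("expanded name exceeds DNS limits: " + name)
        names[ip] = name
    return names


# Values from this page; the local part "user" is a constructed sample.
MAIL_IPS = ["185.77.254.8", "2a05:6740:40c0:4000:0:0:0:53"]
if __name__ == "__main__":
    for template in ("i.%{i}.h.%{h}.o.%{o}.spf.andritz.me", "i.%{ir}.h.%{h}.o.%{o}.spf.andritz.me"):
        for ip, name in required_names(template, MAIL_IPS, "user@andritz.me", "ns.andritz.me").items():
            print(template, ip, name, sep="\n  ")
```

Running it prints one owner name per mail server address and template; each printed name needs a matching A record in the spf.andritz.me zone for the exists mechanism to pass.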

https://www.kitterman.com/spf/validate.html (you can use IPv4 or IPv6)

02-Jan-2020 10:44:51.453 queries: info: client @0x7f3f30101180 66.39.4.57#8213 (0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.565 queries: info: client @0x7f3f30101180 66.39.4.57#2706 (5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.676 queries: info: client @0x7f3f30101180 66.39.4.57#1561 (6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.788 queries: info: client @0x7f3f30101180 66.39.4.57#40533 (7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.899 queries: info: client @0x7f3f3011e0a0 66.39.4.57#30752 (4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.011 queries: info: client @0x7f3f3011e0a0 66.39.4.57#3741 (0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.122 queries: info: client @0x7f3f3011e0a0 66.39.4.57#32473 (4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.234 queries: info: client @0x7f3f3011e0a0 66.39.4.57#20129 (0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.347 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59149 (c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.459 queries: info: client @0x7f3f3011e0a0 66.39.4.57#57085 (0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.571 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23099 (4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.683 queries: info: client @0x7f3f3011e0a0 66.39.4.57#26783 (0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.795 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59831 (0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.907 queries: info: client @0x7f3f3011e0a0 66.39.4.57#11262 (0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.019 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49170 (0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.131 queries: info: client @0x7f3f3011e0a0 66.39.4.57#27116 (0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.243 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55092 (0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.355 queries: info: client @0x7f3f3011e0a0 66.39.4.57#33274 (0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.467 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23164 (0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.581 queries: info: client @0x7f3f3011e0a0 66.39.4.57#13752 (0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.807 queries: info: client @0x7f3f3011e0a0 66.39.4.57#53153 (0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.034 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49398 (0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.372 queries: info: client @0x7f3f3011e0a0 66.39.4.57#2880 (0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.714 queries: info: client @0x7f3f3011e0a0 66.39.4.57#24045 (3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.941 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55280 (i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN A -E(0)D (185.77.254.8)

Other information found

https://spf-all.com/stats.html Currently only very few domains utilize that phishing protection.

https://duo.com/labs/tech-notes/detecting-phishing-with-spf-macros

https://www.dmarcanalyzer.com/spf/checker/

Categories
dualstack IPV6

Moving to IPv6

 

http://www.trainsignal.com/blog/ipv6-implementation

Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts

http://www.cyberciti.biz/faq/ipv6-apache-configuration-tutorial
