Detecting phishing with spf macros

I run a test domain, andritz.me, with dual stack and mail enabled.

SMTP server

ns.andritz.me 185.77.254.8 and 2a05:6740:40c0:4000:0:0:0:53

SPF record:

v=spf1 exists:i.%{ir}.h.%{h}.o.%{o}.spf.andritz.me -all

%{ir} is replaced by the IP address of the sending client, in reverse notation
%{o} is replaced by the domain of the <sender> (MAIL FROM), here andritz.me
%{h} is replaced by the HELO/EHLO domain, here ns.andritz.me

So I need DNS entries for the exists: queries, as defined in https://tools.ietf.org/html/rfc7208

see 7.2. Macro Definitions

   The following macro letters are expanded in term arguments:

      s = <sender>
      l = local-part of <sender>
      o = domain of <sender>
      d = <domain>
      i = <ip>
      p = the validated domain name of <ip> (do not use)
      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
      h = HELO/EHLO domain

But be careful: with the r modifier the IP addresses are written in reverse notation.

https://tools.ietf.org/html/rfc7208#page-32 (examples of macro expansion; I do not use %{v})

i.8.254.77.185.h.ns.andritz.me.o.andritz.me.spf.andritz.me

i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me

Both entries need to exist for each mail server and must answer an A query (also for the IPv6 name, since exists: always does an A lookup) with any valid value.

DNS names for these A records are limited in length (< 250 characters).
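As an added example (my own code, not the author's), the expansion the SPF verifier performs for this record, in Python: it builds the exists: name from the connecting IP (%{ir}, dotted octets or dotted IPv6 nibbles, reversed), the HELO name (%{h}) and the sender domain (%{o}), checks the DNS length limits, and emits the zone-file lines that must exist. The A target 127.0.0.2 is an arbitrary assumption, since any valid value will do.

```python
import ipaddress

SUFFIX = "spf.andritz.me"  # the zone holding the exists: names (from the SPF record)


def macro_ir(ip: str) -> str:
    """Expand %{ir}: IPv4 as reversed dotted octets, IPv6 as reversed dotted nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = str(addr).split(".")
    else:
        # exploded form has all 32 hex digits; each nibble becomes one label
        parts = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(parts))


def exists_name(ip: str, helo: str, sender_domain: str, suffix: str = SUFFIX) -> str:
    """Name the verifier looks up for exists:i.%{ir}.h.%{h}.o.%{o}.<suffix>."""
    return f"i.{macro_ir(ip)}.h.{helo}.o.{sender_domain}.{suffix}"


def name_is_valid(name: str) -> bool:
    """RFC 1035 limits: each label <= 63 octets, whole name <= 253 chars in text form."""
    return len(name) <= 253 and all(0 < len(label) <= 63 for label in name.split("."))


def zone_records(ips, helo, sender_domain, target="127.0.0.2"):
    """One A record per mail-server address; raises if a name would be too long."""
    lines = []
    for ip in ips:
        name = exists_name(ip, helo, sender_domain)
        if not name_is_valid(name):
            raise ValueError(f"exists: name exceeds DNS limits: {name}")
        lines.append(f"{name}.\tIN\tA\t{target}")
    return lines


if __name__ == "__main__":
    # the two addresses of ns.andritz.me from the post
    for line in zone_records(["185.77.254.8", "2a05:6740:40c0:4000::53"],
                             "ns.andritz.me", "andritz.me"):
        print(line)
```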

At https://www.kitterman.com/spf/validate.html you can test with either an IPv4 or an IPv6 address. The query log on ns.andritz.me then shows the validator's resolver (66.39.4.57) probing DS records label by label before the final A query for the full exists: name:

02-Jan-2020 10:44:51.453 queries: info: client @0x7f3f30101180 66.39.4.57#8213 (0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.565 queries: info: client @0x7f3f30101180 66.39.4.57#2706 (5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.676 queries: info: client @0x7f3f30101180 66.39.4.57#1561 (6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.788 queries: info: client @0x7f3f30101180 66.39.4.57#40533 (7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.899 queries: info: client @0x7f3f3011e0a0 66.39.4.57#30752 (4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.011 queries: info: client @0x7f3f3011e0a0 66.39.4.57#3741 (0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.122 queries: info: client @0x7f3f3011e0a0 66.39.4.57#32473 (4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.234 queries: info: client @0x7f3f3011e0a0 66.39.4.57#20129 (0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.347 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59149 (c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.459 queries: info: client @0x7f3f3011e0a0 66.39.4.57#57085 (0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.571 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23099 (4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.683 queries: info: client @0x7f3f3011e0a0 66.39.4.57#26783 (0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.795 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59831 (0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.907 queries: info: client @0x7f3f3011e0a0 66.39.4.57#11262 (0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.019 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49170 (0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.131 queries: info: client @0x7f3f3011e0a0 66.39.4.57#27116 (0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.243 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55092 (0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.355 queries: info: client @0x7f3f3011e0a0 66.39.4.57#33274 (0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.467 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23164 (0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.581 queries: info: client @0x7f3f3011e0a0 66.39.4.57#13752 (0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.807 queries: info: client @0x7f3f3011e0a0 66.39.4.57#53153 (0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.034 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49398 (0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.372 queries: info: client @0x7f3f3011e0a0 66.39.4.57#2880 (0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.714 queries: info: client @0x7f3f3011e0a0 66.39.4.57#24045 (3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.941 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55280 (i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN A -E(0)D (185.77.254.8)

Other information found

https://spf-all.com/stats.html Currently only very few domains use this phishing protection.

https://duo.com/labs/tech-notes/detecting-phishing-with-spf-macros

https://www.dmarcanalyzer.com/spf/checker/