SPF temp error
Attackers can spoof domains that have no MX/SPF records, resulting in a DNS timeout. In O365 this fails closed (goes to spam), but in Gmail this fails open (lands in the inbox) and shows a red padlock.

Reproduce on Ubuntu 18.04:

    echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>"

Example headers:

    Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
    Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
Sublime rule
name: "SPF temp error"
description: |
  Attackers can spoof domains that have no MX/SPF records, resulting
  in a DNS timeout. In O365 this fails closed (goes to spam), but in
  Gmail this fails open (lands in the inbox) and shows a red padlock.
  Reproduce on Ubuntu 18.04:
  echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>"
  Example headers:
  Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
  Authentication-Results: mx.google.com; spf=temperror
  (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
type: "rule"
severity: "medium"
# The SPF result appears in two header forms (both shown in the example headers):
# Received-SPF leads with the bare result keyword, Authentication-Results carries
# it as "spf=<result>". Match either so a message recorded in only one form is caught.
source: |
  type.inbound
  and any(headers.hops,
          any(.fields,
              (strings.ilike(.name, "Received-SPF") and strings.ilike(.value, "temperror*"))
              or (strings.ilike(.name, "Authentication-Results") and strings.ilike(.value, "*spf=temperror*"))
          )
  )
tactics_and_techniques:
  - "Spoofing"
detection_methods:
  - "Header analysis"
id: "2df7e839-8ffb-5d84-ac87-a45239d0d24b"
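The same header check written in Python, as an added example that is not part of the Sublime rule or its repository. It reads both header forms that appear in the example headers above (Received-SPF, where the result is the first token, and Authentication-Results, where it appears as spf=<result>) and runs against two constructed sample messages: one modelled on the temperror example, one with a passing SPF result. The sample messages, sender addresses and IP are constructed for this example.

```python
"""Check the SPF results recorded in a message's trace headers.

Added example, not the Sublime rule's own code. It mirrors the rule's intent:
flag a message when any hop recorded an SPF result of "temperror". Two header
forms carry that result and both are read:
  - Received-SPF (RFC 7208): the result keyword is the first token of the value
  - Authentication-Results (RFC 8601): the result appears as "spf=<result>"
"""
import re
from email import message_from_string

# First token of a Received-SPF value is the result keyword (pass, fail, temperror, ...).
RECEIVED_SPF_RESULT = re.compile(r"^\s*([a-z]+)", re.IGNORECASE)
# Authentication-Results lists method=result pairs; pick out the spf one.
AUTHRES_SPF_RESULT = re.compile(r"\bspf=([a-z]+)", re.IGNORECASE)


def spf_results(raw_message: str) -> list[str]:
    """Return every SPF result keyword found in the headers, lowercased, in header order."""
    msg = message_from_string(raw_message)
    results = []
    for value in msg.get_all("Received-SPF", []):
        match = RECEIVED_SPF_RESULT.match(value)
        if match:
            results.append(match.group(1).lower())
    for value in msg.get_all("Authentication-Results", []):
        # A folded header keeps its line break in the value; finditer scans across it.
        for match in AUTHRES_SPF_RESULT.finditer(value):
            results.append(match.group(1).lower())
    return results


def has_spf_temperror(raw_message: str) -> bool:
    """True when any hop reported SPF temperror: the condition the rule alerts on."""
    return "temperror" in spf_results(raw_message)


# Constructed sample: headers modelled on the example in the rule description.
# The Authentication-Results header is folded onto a continuation line as in that example.
TEMPERROR_MESSAGE = """\
Received-SPF: temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) client-ip=<>;
Authentication-Results: mx.google.com; spf=temperror
 (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
From: Support <support@nomxdomain.com>
To: user@example.com
Subject: Test

test
"""

# Constructed sample: a message whose SPF check passed (address and IP are made up).
PASS_MESSAGE = """\
Received-SPF: pass (google.com: domain of billing@example.net designates 203.0.113.5 as permitted sender) client-ip=203.0.113.5;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of billing@example.net designates 203.0.113.5 as permitted sender) smtp.mailfrom=billing@example.net
From: Billing <billing@example.net>
To: user@example.com
Subject: Invoice

hello
"""

if __name__ == "__main__":
    for label, raw in (("temperror sample", TEMPERROR_MESSAGE), ("pass sample", PASS_MESSAGE)):
        print(f"{label}: results={spf_results(raw)} flagged={has_spf_temperror(raw)}")
```

The detector records every SPF result it sees rather than stopping at the first, so a message that carries a temperror from one hop and a pass from another is still flagged, which is what the rule's any(headers.hops, ...) quantifier expresses.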