SPF temp error

Attackers can spoof domains that have no MX/SPF records, so the receiver's SPF lookup ends in a DNS error or timeout, which RFC 7208 reports as a transient failure (temperror) rather than a fail. In O365 this fails closed (the message goes to spam), but in Gmail it fails open (the message lands in the inbox) and shows a red padlock (Gmail's indicator that the message was not TLS-encrypted in transit, not an authentication warning).

Reproduce on Ubuntu 18.04:

echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>"

Example headers:

Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com

Sublime rule (View on GitHub)

name: "SPF temp error"
description: |
  Attackers can spoof domains that have no MX/SPF records, resulting
  in a DNS timeout. In O365 this fails closed (goes to spam), but in
  Gmail this fails open (lands in the inbox) and shows a red padlock
  Reproduce on Ubuntu 18.04:
  echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>"
  Example headers:
  Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
  Authentication-Results: mx.google.com; spf=temperror
    (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
type: "rule"
severity: "medium"
# A Received-SPF value begins with the bare result keyword ("temperror (...)"),
# while "spf=temperror" is the Authentication-Results form shown in the example
# headers above, so the match covers both header names.
source: |
  type.inbound
  and any(headers.hops,
          any(.fields,
              (strings.ilike(.name, "Received-SPF") and strings.ilike(.value, "temperror*"))
              or (strings.ilike(.name, "Authentication-Results") and strings.ilike(.value, "*spf=temperror*"))
          )
  )
tactics_and_techniques:
  - "Spoofing"
detection_methods:
  - "Header analysis"
id: "2df7e839-8ffb-5d84-ac87-a45239d0d24b"
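The rule above runs inside Sublime. As an added example that is not part of the rule or the Sublime project, the following stand-alone Python script applies the same header check to raw RFC 5322 messages (for example .eml files pulled from a mailbox during triage). It reads the SPF verdict from both places a receiver records it: the Received-SPF header, whose value begins with the bare result keyword, and the Authentication-Results header, which carries spf=<result> plus the smtp.mailfrom envelope sender that SPF actually evaluated. The three sample messages are constructed for this example and are not real captures; the function names and the 203.0.113.x / 198.51.100.x addresses are assumptions for illustration.

```python
"""Flag SPF temperror verdicts in raw message headers (example code, not the Sublime rule)."""
import email
import re

# Constructed sample messages (not real captures). Header values mirror the
# Received-SPF / Authentication-Results forms quoted in the rule description.
MSG_TEMPERROR = """\
Received-SPF: temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) client-ip=203.0.113.5;
Authentication-Results: mx.google.com; spf=temperror
    (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
From: Support <support@nomxdomain.com>
To: user@example.com
Subject: Test

test
"""

# Same envelope domain, but this receiver recorded only Authentication-Results,
# so a check that looks at Received-SPF alone would miss it.
MSG_TEMPERROR_AR_ONLY = """\
Authentication-Results: mx.example.com; spf=temperror (DNS error) smtp.mailfrom=billing@nomxdomain.com
From: Billing <billing@nomxdomain.com>
To: user@example.com
Subject: Invoice

test
"""

MSG_PASS = """\
Received-SPF: pass (google.com: domain of news@example.net designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of news@example.net designates 198.51.100.7 as permitted sender) smtp.mailfrom=news@example.net
From: News <news@example.net>
To: user@example.com
Subject: Newsletter

hello
"""

# Result keywords defined by RFC 7208 section 2.6.
SPF_RESULTS = {"none", "neutral", "pass", "fail", "softfail", "temperror", "permerror"}
AR_SPF_RE = re.compile(r"\bspf=([a-z]+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", re.IGNORECASE)
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def spf_results(raw):
    """Return one dict per SPF verdict recorded in the message headers, in header order."""
    msg = email.message_from_string(raw)
    findings = []
    for name, value in msg.items():
        value = " ".join(value.split())  # unfold continuation lines
        lname = name.lower()
        if lname == "received-spf":
            # RFC 7208 section 9.1: the value starts with the bare result keyword,
            # so the literal "spf=temperror" never appears in this header.
            result = value.split(" ", 1)[0].rstrip(";").lower()
            if result in SPF_RESULTS:
                findings.append({"header": name, "result": result, "mailfrom_domain": None})
        elif lname == "authentication-results":
            m = AR_SPF_RE.search(value)
            if m:
                d = MAILFROM_RE.search(value)
                findings.append({
                    "header": name,
                    "result": m.group(1).lower(),
                    "mailfrom_domain": d.group(1).lower() if d else None,
                })
    return findings


def spf_temperror_verdict(raw):
    """Mirror the rule: flag the message if any header records an SPF temperror.

    Also report the envelope-from domain SPF looked up and the visible From:
    domain, so an analyst can see which domain lacks the MX/SPF records.
    """
    hits = [f for f in spf_results(raw) if f["result"] == "temperror"]
    from_match = ADDR_DOMAIN_RE.search(email.message_from_string(raw).get("From", ""))
    return {
        "flagged": bool(hits),
        "temperror_headers": [h["header"] for h in hits],
        "mailfrom_domain": next((h["mailfrom_domain"] for h in hits if h["mailfrom_domain"]), None),
        "from_domain": from_match.group(1).lower() if from_match else None,
    }


if __name__ == "__main__":
    for label, sample in [("temperror", MSG_TEMPERROR), ("temperror (AR only)", MSG_TEMPERROR_AR_ONLY), ("pass", MSG_PASS)]:
        print(label, spf_temperror_verdict(sample))
```

The verdict's mailfrom_domain is the domain to check with dig (MX and TXT lookups); for a genuine temperror the resolver returns SERVFAIL or times out rather than NXDOMAIN, which is why the receiver cannot classify the message as a fail. Matching only Received-SPF would miss receivers that record just Authentication-Results, which is the reason both header names are parsed.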