Why does Sberbank have an incorrect SPF record for a domain?

    Briefly: the main domain of Sberbank (sberbank.ru) has an incorrect SPF record. This leads to the fact that attackers have the opportunity to do fake email campaigns on behalf of Sberbank. The record itself is configured well, fit, but with an error that reduces all efforts to zero.

    > host -t txt sberbank.ru
    sberbank.ru descriptive text "v=spf1 mx mx:shark11.sberbank.ru mx:shark12.sberbank.ru mx:shark13.sberbank.ru mx:shark14.sberbank.ru mx:email1.sberbank.ru -all"
    

    Happy ending: during the day the record was fixed, now it complies with the RFC.

    > host -t txt sberbank.ru
    sberbank.ru descriptive text "v=spf1 mx -all"
    

    Well, for those who can read it, welcome to cat.

    Why do i need SPF?


    SPF helps combat counterfeit sender addresses. Do not confuse SPF with DMARC, SPF only allows you to establish whether a given IP address could send mail on behalf of that domain (with support for a number of exceptions and reverses).

    There is an opinion that SPF is unnecessary and harmful , but as practice shows, today SPF is the main mechanism in DMARC and so far there is nothing of the kind on the horizon.

    How it works?


    The mail server, accepting mail, looks at the sender’s address, and then goes and requests special records from the sender’s domain, where in a tricky language it is stated which IP can send mail to this domain and which not. As a result, a decision is made whether to accept this letter or not, and maybe be accepted and counted as spam.

    So what really works?


    Well, in general, not really. Initially, SPF provided a type of record that allows Softfail. It's like a jamb, but excusable. That is, I say that mail from my domain can come from these addresses, then it is definitely normal. And if from some others, then this is nothing, excusable.

    Today, this apologetic postscript generally makes the SPF sense null and void, since spammers often fall into this apologetic postscript.

    What is Sberbank doing well?


    And the fact that they have an entry containing -all is just the prevention of an excusable Softfail. That is, the guys from Sberbank are as if telling us that mail from them can only go from the given addresses and nothing else. Well done, that's great.

    But what was Sberbank wrong about?


    And the fact that their record is not worded correctly. This causes a Permerror error, and then on most mail systems the record is not even checked, and the message is simply skipped.

    Agree, it’s stupid to make -all a hard record and at the same time make a mistake, making the whole record incorrect.

    But where is the mistake?


    RFC 7208 introduces some restrictions on the number of DNS queries that the mail server must make in order to obtain the necessary data in the SPF. It is the same RFC that limits the number of queries with an empty result or error.

    Parse the entry:

    "v=spf1 mx mx:shark11.sberbank.ru mx:shark12.sberbank.ru mx:shark13.sberbank.ru mx:shark14.sberbank.ru mx:email1.sberbank.ru -all"

    0. v = spf1

    Version of the SPF record, i.e. syntax

    1. mx

    Only servers listed as MX can send mail from the sberbank.ru domain

    > host -t mx sberbank.ru
    sberbank.ru mail is handled by 50 shark11.sberbank.ru.
    sberbank.ru mail is handled by 50 shark14.sberbank.ru.
    sberbank.ru mail is handled by 50 email1.sberbank.ru.
    sberbank.ru mail is handled by 50 shark12.sberbank.ru.
    sberbank.ru mail is handled by 50 shark13.sberbank.ru.

    Well, we see these five servers.

    2. mx: shark11.sberbank.ru

    Mail from the sberbank.ru domain can be sent by those servers that are listed as MX for the shark11.sberbank.ru domain

    STOP! Again.

    Those servers that are listed as MX for the shark11.sberbank.ru domain can send mail from the sberbank.ru domain

    > host -t mx shark11.sberbank.ru
    shark11.sberbank.ru has no MX record

    And this result counts as empty. And according to RFC, after the first two such errors, you need to stop analyzing the SPF record and find it erroneous. Which is happening.

    In short, the guys overdid it a bit.

    How to do it?


    "v=spf1 mx -all"


    Or did your colleagues do better?


    In fact, Sberbank itself rarely sends letters, or rather, in our mail system, for example, there are not so many of them. Many more of them come from the Sberbank AST site, let's look there.

    > host -t txt sberbank-ast.ru
    sberbank-ast.ru descriptive text "v=spf1 mx a:mail2.sberbank-ast.ru a:mail3.sberbank-ast.ru a:mail4.sberbank-ast.ru a:gw.sberbank-ast.ru a:mail7.sberbank-ast.ru ~all"

    And here, alas, Softfail. Which nullifies the value of the SPF record.

    UPDATE
    Colleagues from Sberbank AST reacted quickly. Now like this:

    > host -t txt sberbank-ast.ru
    "v=spf1 mx a:mail2.sberbank-ast.ru a:mail3.sberbank-ast.ru a:mail4.sberbank-ast.ru a:gw.sberbank-ast.ru a:mail7.sberbank-ast.ru -all"

    In fact, of course, it is somewhat redundant, since there is an indication of mx and

    > host -t mx sberbank-ast.ru
    sberbank-ast.ru descriptive text sberbank-ast.ru mail is handled by 5 mail4.sberbank-ast.ru.

    But switching from ~ all to -all is commendable.

    Also popular now: