← Back to Explore
sublimemediumRule
SPF temp error
Attackers can spoof domains that have no MX/SPF records, resulting in a DNS timeout. In O365 this fails closed (goes to spam), but in Gmail this fails open (lands in the inbox) and shows a red padlock Reproduce on Ubuntu 18.04: echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>" Example headers: Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>; Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
Detection Query
type.inbound
and any(headers.hops,
any(.fields,
strings.ilike(.name, "Received-SPF")
and strings.ilike(.value, "*spf=temperror*")
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "SPF temp error"
description: |
Attackers can spoof domains that have no MX/SPF records, resulting
in a DNS timeout. In O365 this fails closed (goes to spam), but in
Gmail this fails open (lands in the inbox) and shows a red padlock
Reproduce on Ubuntu 18.04:
echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>"
Example headers:
Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
Authentication-Results: mx.google.com; spf=temperror
(google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
type: "rule"
severity: "medium"
source: |
type.inbound
and any(headers.hops,
any(.fields,
strings.ilike(.name, "Received-SPF")
and strings.ilike(.value, "*spf=temperror*")
)
)
tactics_and_techniques:
- "Spoofing"
detection_methods:
- "Header analysis"
id: "2df7e839-8ffb-5d84-ac87-a45239d0d24b"