How is this email subverting SPF checks?

Solution 1:

In this case they probably said to your server something like this:

EHLO www.tchile.com
MAIL FROM: [email protected] 
RCPT TO: [email protected]
DATA
Date: Thu, 13 Oct 2016 04:03:54 -0300
Message-Id: <[email protected]>
To: [email protected]
Subject: CANCELLATION_PROCESS.
From: KIWI BANK <[email protected]>
Reply-To: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=029F3E3270D5187AA69203962BF830E3
X-Virus-Scanned: ClamAV using ClamSMTP

The contents of mail...
.

The SMTP conversation (aka "the envelope") can have a different From/To than the email headers. SPF doesn't check the header; however, it's always the header which is actually displayed to the end user! Yes, SMTP is that broken. Yes, SPF is that broken.

You will be best served by checking DMARC instead of only checking SPF. DMARC by default checks SPF, but it also checks the alignment of the From header with the SMTP MAIL FROM (the domains need to match; it ignores the username part). As a bonus you could also get DKIM support, which is a very useful addendum to SPF.

DMARC would depend on a DNS TXT record set at _dmarc.kiwibank.co.nz., but currently there is none. Per the current state of Internet regulations that means the owner of kiwibank.co.nz. doesn't care at all about being protected against such spoofs. But in some implementations you could enforce DMARC for all incoming emails.

Solution 2:

So, after some reading - it appears that the Envelope-From is correct, but the "From" has been faked. Is there any way I can correct/mitigate this without breaking "general" email?

Verifying the From header will break mailing lists:

  1. foo@yourbank sends a mail to cat-picture-sharing-list@bar.

  2. The mailing list will take the mail,

    • replace the Envelope-From with something akin to cat-picture-sharing-list-bounce@bar,
    • possibly modify the Reply-To header and
    • re-send the mail to all recipients (e.g. you).

Now your mail server gets a mail with

Envelope-From: cat-picture-sharing-list-bounce@bar
From: foo@yourbank

sent from bar's mail servers.

I note that I use Postfix, Spamassassin and policyd (postfix-policyd-spf-perl) - and if it's really so easy to bypass, what's the point of SPF?

  1. Lots of spammers don't bother to send a "correct" Envelope-From.
  2. Your bank won't get (most of) the backscatter for this spam mail, since NDRs are (or: should be) sent to the Envelope-From address.
  3. Scoring based on Envelope-From gets more reliable. If you (or some scoring provider that you trust) assign all mails with Envelope-From=...@yourbank a highly negative spam score, spammers cannot abuse that.
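The following is an added example, not code from either answer above. It shows in Python what Solution 1 describes (the envelope MAIL FROM and the header From are two separate identifiers, and DMARC passes only when an authenticated one aligns with the header From) and what Solution 2 warns about (a mailing list re-sending with its own Envelope-From fails that alignment unless a DKIM signature from the original domain survives). SPF and DKIM themselves need DNS, so their results are passed in as inputs; only the alignment logic is implemented. All domains, addresses and messages are constructed samples, and the organizational-domain helper is a deliberate simplification of the Public Suffix List a real validator would consult.

```python
"""
Added example: DMARC-style identifier alignment between the SMTP envelope
(MAIL FROM) and the RFC 5322 From: header. Not code from the original answers;
domains, addresses and messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Relaxed alignment compares organizational domains. Real DMARC validators use
# the Public Suffix List; this toy keeps the last two labels, or three for a
# few listed two-level public suffixes. That is an assumption, not the PSL.
TWO_LEVEL_SUFFIXES = {"co.nz", "co.uk", "com.au"}


def org_domain(domain):
    """Toy organizational-domain reduction (see TWO_LEVEL_SUFFIXES caveat)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(header_domain, auth_domain, mode="r"):
    """DMARC identifier alignment (RFC 7489 section 3.1): strict ("s") needs an
    exact match, relaxed ("r") only the same organizational domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def parse_transaction(envelope_from, raw_message):
    """Split one SMTP transaction into (header From domain, envelope domain).
    The two come from different places, which is the whole point."""
    msg = message_from_string(raw_message)
    _, hdr_addr = parseaddr(msg.get("From", ""))
    hdr_domain = hdr_addr.rpartition("@")[2]
    env_domain = envelope_from.strip("<>").rpartition("@")[2]
    return hdr_domain, env_domain


def dmarc_verdict(envelope_from, raw_message, spf_result, dkim_domain=None, mode="r"):
    """Combine caller-supplied SPF/DKIM results the way DMARC does: pass when
    either authenticated identifier aligns with the header From domain.
    spf_result is the SPF result for MAIL FROM; dkim_domain is the d= of a
    verified DKIM signature, or None. Both require DNS, so they are inputs."""
    hdr_domain, env_domain = parse_transaction(envelope_from, raw_message)
    spf_aligned = spf_result == "pass" and aligned(hdr_domain, env_domain, mode)
    dkim_aligned = dkim_domain is not None and aligned(hdr_domain, dkim_domain, mode)
    return {
        "header_from": hdr_domain,
        "envelope_from": env_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed sample 1: the spoof from the question. The spammer's own domain
# is in the envelope (so SPF passes for it); the displayed From: is the bank.
SPOOF_ENVELOPE = "<bounce@spammer-host.example>"
SPOOF_MSG = (
    "From: KIWI BANK <alerts@bank.example>\n"
    "To: victim@yourserver.example\n"
    "Subject: CANCELLATION_PROCESS.\n"
    "\n"
    "The contents of mail...\n"
)

# Constructed sample 2: a mailing list re-sending a genuine bank mail with its
# own bounce address in the envelope (Solution 2's breakage case).
LIST_ENVELOPE = "<cat-picture-sharing-list-bounce@bar.example>"
LIST_MSG = (
    "From: foo@bank.example\n"
    "To: cat-picture-sharing-list@bar.example\n"
    "Subject: [cats] look at this one\n"
    "\n"
    "picture attached\n"
)

# Constructed sample 3: the bank's own outbound mail, bouncing to a subdomain.
LEGIT_ENVELOPE = "<alerts@mail.bank.example>"
LEGIT_MSG = "From: alerts@bank.example\nTo: you@yourserver.example\n\nhi\n"


if __name__ == "__main__":
    print("spoof:      ", dmarc_verdict(SPOOF_ENVELOPE, SPOOF_MSG, "pass"))
    print("list, no DKIM:", dmarc_verdict(LIST_ENVELOPE, LIST_MSG, "pass"))
    print("list, DKIM: ", dmarc_verdict(LIST_ENVELOPE, LIST_MSG, "pass",
                                        dkim_domain="bank.example"))
    print("legit relaxed:", dmarc_verdict(LEGIT_ENVELOPE, LEGIT_MSG, "pass"))
    print("legit strict: ", dmarc_verdict(LEGIT_ENVELOPE, LEGIT_MSG, "pass", mode="s"))
```

The spoof fails even though SPF passes, because the passing identifier (the spammer's envelope domain) does not align with the bank's header From. The mailing-list sample fails for exactly the same structural reason, which is why an unconditional header-From check breaks lists; it only recovers when a DKIM signature from bank.example survives the list's rewriting (or the list rewrites From:, as many now do). A receiver enforcing DMARC locally for a domain that publishes no _dmarc record, as Solution 1 suggests, is taking on that breakage deliberately.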

Tags:

Spf

Postfix