You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Sp...@nro.ca on 2017/06/02 14:33:39 UTC

frequent T_SPF_PERMERROR

Hi. I'm getting T_SPF_PERMERROR extremely often. Not exclusively, but
especially when spammers are faking my own domain names.

Here's an example from the good old xerox copier spam:

From copier@nro.ca  Fri May 26 08:26:18 2017
Return-Path: <co...@nro.ca>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on nro.ca
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.9 tests=T_SPF_PERMERROR
        autolearn=disabled version=3.4.1
Received: from static.vnpt.vn (static.vnpt.vn [113.163.197.219] (may be
forged))
        by nro.ca (8.15.2/8.15.2) with ESMTP id v4QCQGx7015855
        for <RE...@nro.ca>; Fri, 26 May 2017 08:26:16 -0400
Date: Fri, 26 May 2017 19:26:08 +0700
From: "copier@nro.ca" <co...@nro.ca>

When I test with sfpquery the result is fail like you would expect.
spfquery -s mfrom --id copier@nro.ca --ip 113.163.197.219

I've run external checks on my spf records and they seem fine (they haven't
changed in years), but this issue is not limited to my domains, other legit
mail from big domains has the same issue.

I built a clean new server back in March with SA 3.4.1 and Perl-5.24.1. All
my perl modules are up to date and the prerequisites seem to check out
except Mail-SPF-v2.9.0 It wouldn't install because it's failing tests. I had
to force it to install. spfquery worked so initially I thought maybe I was
okay.

The test failures are all returning temperror, along the lines of:

# Expected: 'none'
#      Got: 'temperror'

# Expected: 'fail'
#      Got: 'temperror'

That's a brief overview of the situation. If anyone has any hints about
where I should be looking or how I can test further it would be much
appreciated.

Re: frequent T_SPF_PERMERROR

Posted by Bill Cole <sa...@billmail.scconsult.com>.

On 5 Jun 2017, at 12:03, Benny Pedersen wrote:

> Mail::SPF uses SPF first, and failback to TXT if SPF does not exists

Changed in the latest version, almost 4 years ago.

Re: frequent T_SPF_PERMERROR

Posted by Benny Pedersen <me...@junc.eu>.

Bill Cole skrev den 2017-06-05 14:53:

> Remove your SPF (not TXT) record. The SPF record type is deprecated.
> The problem is that srs.bis.na.blackberry.com has no SPF record (only
> a TXT) making any SPF record including it invalid.

Mail::SPF::Query uses TXT only
Mail::SPF uses SPF first, and failback to TXT if SPF does not exists

imho spamassassin uses Mail::SPF now, and Mail::SPF::Query is depricated

where is it dokumented ?

Re: frequent T_SPF_PERMERROR

Posted by Bill Cole <sa...@billmail.scconsult.com>.

On 2 Jun 2017, at 19:05, SpamAssassin@nro.ca wrote:

> Thanks for the tip! I didn't know how to debug that stuff. Here's what
> happens with a spammer faking one of my own domains:
>
>> spamd[21654]: spf: query for 
>> isabelle.2323@nro.ca/41.203.191.125/!41.203.191.125!: result: 
>> permerror, comment: , text: Included domain 
>> 'srs.bis.na.blackberry.com' has no applicable sender policy
>
> Looks like Mail::SPF is broken on my system.

No, it probably is not. It may be outdated.

> srs.bis.na.blackberry.com has
> legit spf txt records. What's weird is that the spfquery command gives
> correct results.

Remove your SPF (not TXT) record. The SPF record type is deprecated. The 
problem is that srs.bis.na.blackberry.com has no SPF record (only a TXT) 
making any SPF record including it invalid.

Re: frequent T_SPF_PERMERROR

Posted by Sp...@nro.ca.

I never mentioned mailing lists. Here's the another version of my original
post so we're clear:

Latest Mail::SPF (2.9 circa 2013) builds but fails its test suite on my new
system. New linux, perl, perl modules, etc.

After forcing it to install, I later found that spamassassing is getting
T_SPF_PERMERROR returned a lot, not just for spoofs of my own domains, but
plenty of other domains.

Oddly enough, the spfquery tool it provides works fine.

I have since switched to the much older Mail::SPF::Query. Its build tests
fail as well. (looks like they test a domain that is no longer registered).

I am having good success using Mail::SPF::Query with spamassassin
The spfquery tool also appears to work.

This bug report from 2014 reflects my experience.
Bug #99890 for Mail-SPF: Mail-SPF-v2.9.0 fails Build test
https://rt.cpan.org/Public/Bug/Display.html?id=99890

My guess for the cause of the failure is other newer perl modules that have
been maintained beyond Mail::SPF, or maybe the dns resolver that SA passes
to the spf function is somehow different than the resolver that the spfquery
tool is using.

On Mon, 05 Jun 2017 23:31:58 +0200, you wrote:

>SpamAssassin@nro.ca skrev den 2017-06-05 16:33:
>
>> I would guess it is some kind of issue with newer dependencies or dns
>> resolution. If I wait long enough someone else will figure it out.
>
>if it just fails on forwarded emails eq on maillists, add forwarding ip 
>to trusted_networks solves spf fails
>
>but it also disable whitelist in dnswl for that forwarding ip
>
>not all maillists have spf, and spf does generic not being breaked on 
>maillists since envelope sender changes
>
>what part fails then ?

Re: frequent T_SPF_PERMERROR

Posted by Benny Pedersen <me...@junc.eu>.

SpamAssassin@nro.ca skrev den 2017-06-05 16:33:

> I would guess it is some kind of issue with newer dependencies or dns
> resolution. If I wait long enough someone else will figure it out.

if it just fails on forwarded emails eq on maillists, add forwarding ip 
to trusted_networks solves spf fails

but it also disable whitelist in dnswl for that forwarding ip

not all maillists have spf, and spf does generic not being breaked on 
maillists since envelope sender changes

what part fails then ?

Re: frequent T_SPF_PERMERROR

Posted by Sp...@nro.ca.

Mail::SPF version 2.009 is package "Mail-SPF-v2.9.0" which is what I
indicated I was using (and had to force install) in my first post. 

spfquery works, but whatever perl interface SA is using is not producing
correct results. Not just on my own domains, but on many others as well. My
dns spf records shouldn't matter for this issue.

Mail::SPF::Query may be ancient but from what I can tell it's working great
so far. I'll just keep using that until I find out why Mail::SPF isn't
producing proper results.

I would guess it is some kind of issue with newer dependencies or dns
resolution. If I wait long enough someone else will figure it out.

Re: frequent T_SPF_PERMERROR

Posted by Bill Cole <sa...@billmail.scconsult.com>.

And furthermore...

On 2 Jun 2017, at 19:05, SpamAssassin@nro.ca wrote:

> I started reading SPF.pm and saw that I could hack it to avoid using
> Mail::SPF and instead use (what seems to be) the less preferred
> Mail::SPF::Query

This is a wrong approach. SA will use whichever is installed but prefers 
Mail::SPF because it is not broken on modern Perl and is maintained, 
whereas Mail::SPF hasn't been right since Perl 5.10.1 and never will be, 
as it has not been touched since 2006.

> Installing Mail::SPF::Query had to be forced because most of its tests 
> fail
> but it looks like it is returning correct SPF evaluations.

Forcing installation of abandoned Perl modules that fail most of their 
tests is not a wise practice.

> It's recognizing mail sent via blackberry trusted relays, and giving 
> me fail
> results on spammers as it should.
>
> If I get the time I'll look into the guts of Mail::SPF and try to 
> figure out
> where it's going wrong.

Mail::SPF v2.009 is documented as having exactly one change:

--- 2.009 (2013-07-21 03:30)

   Mail::SPF:
   * Default to querying only TXT type RRs (query_rr_types = 
Mail::SPF::Server->
     query_rr_type_txt).  Experience has shown that querying SPF type 
RRs is
     impractical.

If you update to 2.009, your local issue may vanish even without 
removing your SPF record. However, anyone else still checking SPF 
records instead of or in preference to TXT records will still break on 
your record because it includes the Blackberry record which no longer 
exists (SOA implies that it may have been removed last week.)

Re: frequent T_SPF_PERMERROR

Posted by Sp...@nro.ca.

Thanks for the tip! I didn't know how to debug that stuff. Here's what
happens with a spammer faking one of my own domains:

>spamd[21654]: spf: query for isabelle.2323@nro.ca/41.203.191.125/!41.203.191.125!: result: permerror, comment: , text: Included domain 'srs.bis.na.blackberry.com' has no applicable sender policy

Looks like Mail::SPF is broken on my system. srs.bis.na.blackberry.com has
legit spf txt records. What's weird is that the spfquery command gives
correct results.

I started reading SPF.pm and saw that I could hack it to avoid using
Mail::SPF and instead use (what seems to be) the less preferred
Mail::SPF::Query

Installing Mail::SPF::Query had to be forced because most of its tests fail
but it looks like it is returning correct SPF evaluations. 

It's recognizing mail sent via blackberry trusted relays, and giving me fail
results on spammers as it should.

If I get the time I'll look into the guts of Mail::SPF and try to figure out
where it's going wrong.

Re: frequent T_SPF_PERMERROR

Posted by Seanster <Se...@Seanster.com>.

Thanks for the tip! I didn't know how to debug that stuff. Here's what
happens with a spammer faking one of my own domains:

>spamd[21654]: spf: query for isabelle.2323@nro.ca/41.203.191.125/!41.203.191.125!: result: permerror, comment: , text: Included domain 'srs.bis.na.blackberry.com' has no applicable sender policy

Looks like Mail::SPF is broken on my system. srs.bis.na.blackberry.com has
legit spf txt records. What's weird is that the spfquery command gives
correct results.

I started reading SPF.pm and saw that I could hack it to avoid using
Mail::SPF and instead use (what seems to be) the less preferred
Mail::SPF::Query

Installing Mail::SPF::Query had to be forced because most of its tests fail
but it looks like it is returning correct SPF evaluations. 

It's recognizing mail sent via blackberry trusted relays, and giving me fail
results on spammers as it should.

If I get the time I'll look into the guts of Mail::SPF and try to figure out
where it's going wrong.

Re: frequent T_SPF_PERMERROR

Posted by RW <rw...@googlemail.com>.

On Fri, 02 Jun 2017 10:33:39 -0400
SpamAssassin@nro.ca wrote:

> Hi. I'm getting T_SPF_PERMERROR extremely often. Not exclusively, but
> especially when spammers are faking my own domain names.
> 
> Here's an example from the good old xerox copier spam:
> 
> From copier@nro.ca  Fri May 26 08:26:18 2017
> Return-Path: <co...@nro.ca>
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on nro.ca
> X-Spam-Level: 
> X-Spam-Status: No, score=0.0 required=5.9 tests=T_SPF_PERMERROR
>         autolearn=disabled version=3.4.1
> Received: from static.vnpt.vn (static.vnpt.vn [113.163.197.219] (may
> be forged))
>         by nro.ca (8.15.2/8.15.2) with ESMTP id v4QCQGx7015855
>         for <RE...@nro.ca>; Fri, 26 May 2017 08:26:16 -0400
> Date: Fri, 26 May 2017 19:26:08 +0700
> From: "copier@nro.ca" <co...@nro.ca>
> 


It worked correctly for me when I ran the return-path and received
header through spamassassin i.e. I got SPF_FAIL

Try running one of them through spamassassin -D spf