Posted to users@spamassassin.apache.org by Ramprasad <ra...@netcore.co.in> on 2006/04/24 09:48:27 UTC

SPF for avoiding newsletter FPs

Hi,
  We get a considerable number of newsletter mails with "spammy" content.
How do people tackle FPs from newsletters? Typically the stock
newsletters, the bank promotional newsletters, etc.
I would like to know if this is possible (I am using SA3.1 + Mailscanner +
postfix):
1) Maintain a list of newsletters (this would grow with time).
2) For each of these newsletter mails, if their SPF records match, give a
high negative score.

At least those newsletters from domains who *have* SPF records will not
have problems.

Thanks
Ram




Re: whitelist_from_spf is not working

Posted by Roger Taranto <ro...@danybrooks.com>.
On Tue, 2006-05-02 at 21:29, Matt Kettler wrote:
> jdow wrote:
> > From: "Matt Kettler" <mk...@comcast.net>
> >
> >> Ramprasad wrote:
> >>> Hi,
> >>>   I am using SA 3.1.1 as a module in  MailScanner.
> >>> I am not able to get whitelist_from_spf  working.
> >>> In my local.cf I have
> >>> ifplugin Mail::SpamAssassin::Plugin::SPF
> >>>   whitelist_from_spf *@netcore.co.in
> >>> endif
> >>>
> >>> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> >>> checks are working ), but no USER_IN_SPF_WHITELIST
> >>> why, do I have to do anything else ??
> >>>   
> >>
> >> Follow-up:
> >>
> >> Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
> >> generated locally on darkstar.netcore.co.in will NOT pass SPF because
> >> the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
> >> HELO string is (darkstar.netcore.co.in). That presumably resolves to one
> >> of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
> >> resolve darkstar right now so I cannot verify this)
> >>
> >> Add 127.0.0.1, and any other local IPs, to your SPF record and you
> >> should be good to go.
> >>
> >> Personally, I do this at my work, but we use split-dns. The external
> >> view doesn't see 127.0.0.1, or any internal IP addresses, but the
> >> internal one (used by SA) does.
> >
> > Ahhmmmm, if he adds local host that would then allow ANY localhost
> > in the world to authenticate with his SPF, wouldn't it? Wouldn't
> > that be a bad thing? 
> 
> Only from localhost to localhost... ie: this could never happen over the
> internet, but you could send yourself mail on your own mailserver, forge
> his domain and have it pass SPF.

I have a related question: what about listing hosts in the 192.168
range?  Would this be a bad thing?

The reason I ask is that my dad's SPF record is listed as ~all for his
externally-visible static IP address, but when machines internal to his
network connect to send mail, they look forged since they have a 192.168
address.  Suggestions?

-Roger

Re: whitelist_from_spf is not working

Posted by Matt Kettler <mk...@comcast.net>.
jdow wrote:
> From: "Matt Kettler" <mk...@comcast.net>
>
>> Ramprasad wrote:
>>> Hi,
>>>   I am using SA 3.1.1 as a module in  MailScanner.
>>> I am not able to get whitelist_from_spf  working.
>>> In my local.cf I have
>>> ifplugin Mail::SpamAssassin::Plugin::SPF
>>>   whitelist_from_spf *@netcore.co.in
>>> endif
>>>
>>> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
>>> checks are working ), but no USER_IN_SPF_WHITELIST
>>> why, do I have to do anything else ??
>>>   
>>
>> Follow-up:
>>
>> Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
>> generated locally on darkstar.netcore.co.in will NOT pass SPF because
>> the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
>> HELO string is (darkstar.netcore.co.in). That presumably resolves to one
>> of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
>> resolve darkstar right now so I cannot verify this)
>>
>> Add 127.0.0.1, and any other local IPs, to your SPF record and you
>> should be good to go.
>>
>> Personally, I do this at my work, but we use split-dns. The external
>> view doesn't see 127.0.0.1, or any internal IP addresses, but the
>> internal one (used by SA) does.
>
> Ahhmmmm, if he adds local host that would then allow ANY localhost
> in the world to authenticate with his SPF, wouldn't it? Wouldn't
> that be a bad thing? 

Only from localhost to localhost... ie: this could never happen over the
internet, but you could send yourself mail on your own mailserver, forge
his domain and have it pass SPF.


Re: whitelist_from_spf is not working

Posted by jdow <jd...@earthlink.net>.
From: "Matt Kettler" <mk...@comcast.net>

> Ramprasad wrote:
>> Hi,
>>   I am using SA 3.1.1 as a module in  MailScanner.
>> I am not able to get whitelist_from_spf  working. 
>>
>> In my local.cf I have 
>>
>> ifplugin Mail::SpamAssassin::Plugin::SPF
>>   whitelist_from_spf *@netcore.co.in
>> endif
>>
>> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
>> checks are working ), but no USER_IN_SPF_WHITELIST 
>>
>> why, do I have to do anything else ??
>>   
> 
> Follow-up:
> 
> Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
> generated locally on darkstar.netcore.co.in will NOT pass SPF because
> the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
> HELO string is (darkstar.netcore.co.in). That presumably resolves to one
> of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
> resolve darkstar right now so I cannot verify this)
> 
> Add 127.0.0.1, and any other local IPs, to your SPF record and you
> should be good to go.
> 
> Personally, I do this at my work, but we use split-dns. The external
> view doesn't see 127.0.0.1, or any internal IP addresses, but the
> internal one (used by SA) does.

Ahhmmmm, if he adds local host that would then allow ANY localhost
in the world to authenticate with his SPF, wouldn't it? Wouldn't
that be a bad thing?

{O.O}   Just sort of wondering.

Re: whitelist_from_spf is not working

Posted by Ramprasad <ra...@netcore.co.in>.
Matt,
  Thanks for helping. Got whitelist_from_spf working ( with some help
from postfix guys ) 

I had to do the following IN postfix 
In file /etc/postfix/main.cf 
smtpd_data_restrictions = reject_unauth_pipelining,
                        check_sender_access regexp:/etc/postfix/add_x_envelope_from,
                        permit


that file contains 
 /^<>$/ PREPEND X-Envelope-From: <>
 /^(.*)$/  PREPEND X-Envelope-From: <$1>


Now it works great

Thanks
Ram





Re: whitelist_from_spf is not working

Posted by Ramprasad <ra...@netcore.co.in>.
> Yes, but what box performs the SA scan? is it darkstar? or some other box? Does
> the box performing the SA scan see the masquerade, or is it also behind your
> firewall and thus sees the private IPs?
> 
> You're not concerned with what outside machines see here. You are trying to
> diagnose why YOUR local SA box does not cause SPF_PASS for messages that you
> sent to your own domain.

   Sorry, I must have been clearer in the first step. The MX for
mydomain points to a machine on the internet, where I am running SA
+ Mailscanner + postfix. In my test environment, the mail originating
from my desktop goes to this internet box (using the gateway ip allowed
in SPF). So SPF_PASS *must* score for the mail.

   But I think I know the problem... I will have to test it out though.
 I will have to configure postfix to put an X-Envelope-From header before
it queues the mail. SA is looking for this header, that's why it is
failing.  Will write back if it works.

Thanks
Ram




Re: whitelist_from_spf is not working

Posted by Matt Kettler <mk...@evi-inc.com>.
Ramprasad wrote:
> On Tue, 2006-05-02 at 10:18 -0400, Matt Kettler wrote:
>> Ramprasad wrote:
>>> Hi,
>>>   I am using SA 3.1.1 as a module in  MailScanner.
>>> I am not able to get whitelist_from_spf  working. 
>>>
>>> In my local.cf I have 
>>>
>>> ifplugin Mail::SpamAssassin::Plugin::SPF
>>>   whitelist_from_spf *@netcore.co.in
>>> endif
>>>
>>> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
>>> checks are working ), but no USER_IN_SPF_WHITELIST 
>>>
>>> why, do I have to do anything else ??
>>>   
>> Follow-up:
>>
>> Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
>> generated locally on darkstar.netcore.co.in will NOT pass SPF because
>> the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
>> HELO string is (darkstar.netcore.co.in). That presumably resolves to one
>> of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
>> resolve darkstar right now so I cannot verify this)
>>
>> Add 127.0.0.1, and any other local IPs, to your SPF record and you
>> should be good to go.
>>
>> Personally, I do this at my work, but we use split-dns. The external
>> view doesn't see 127.0.0.1, or any internal IP addresses, but the
>> internal one (used by SA) does.
> 
> darkstar.netcore is just my desktop. 
> So any mailserver who sees this ip from outside just gets the mail from
> my gateway-ip ( ip masqueraded ) , and that one is  listed in SPF
> records. 

Yes, but what box performs the SA scan? is it darkstar? or some other box? Does
the box performing the SA scan see the masquerade, or is it also behind your
firewall and thus sees the private IPs?

You're not concerned with what outside machines see here. You are trying to
diagnose why YOUR local SA box does not cause SPF_PASS for messages that you
sent to your own domain.

Re: whitelist_from_spf is not working

Posted by Ramprasad <ra...@netcore.co.in>.
On Tue, 2006-05-02 at 10:18 -0400, Matt Kettler wrote:
> Ramprasad wrote:
> > Hi,
> >   I am using SA 3.1.1 as a module in  MailScanner.
> > I am not able to get whitelist_from_spf  working. 
> >
> > In my local.cf I have 
> >
> > ifplugin Mail::SpamAssassin::Plugin::SPF
> >   whitelist_from_spf *@netcore.co.in
> > endif
> >
> > A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> > checks are working ), but no USER_IN_SPF_WHITELIST 
> >
> > why, do I have to do anything else ??
> >   
> 
> Follow-up:
> 
> Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
> generated locally on darkstar.netcore.co.in will NOT pass SPF because
> the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
> HELO string is (darkstar.netcore.co.in). That presumably resolves to one
> of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
> resolve darkstar right now so I cannot verify this)
> 
> Add 127.0.0.1, and any other local IPs, to your SPF record and you
> should be good to go.
> 
> Personally, I do this at my work, but we use split-dns. The external
> view doesn't see 127.0.0.1, or any internal IP addresses, but the
> internal one (used by SA) does.

darkstar.netcore is just my desktop. 
So any mailserver who sees this ip from outside just gets the mail from
my gateway-ip ( ip masqueraded ) , and that one is  listed in SPF
records. 

This is a problem of setting the envelope-from header for postfix.
Because the server that runs SA uses postfix. How do I do that?

Thanks
Ram




Re: whitelist_from_spf is not working

Posted by Matt Kettler <mk...@comcast.net>.
Ramprasad wrote:
> Hi,
>   I am using SA 3.1.1 as a module in  MailScanner.
> I am not able to get whitelist_from_spf  working. 
>
> In my local.cf I have 
>
> ifplugin Mail::SpamAssassin::Plugin::SPF
>   whitelist_from_spf *@netcore.co.in
> endif
>
> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> checks are working ), but no USER_IN_SPF_WHITELIST 
>
> why, do I have to do anything else ??
>   

Follow-up:

Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
generated locally on darkstar.netcore.co.in will NOT pass SPF because
the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
HELO string is (darkstar.netcore.co.in). That presumably resolves to one
of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
resolve darkstar right now so I cannot verify this)

Add 127.0.0.1, and any other local IPs, to your SPF record and you
should be good to go.

Personally, I do this at my work, but we use split-dns. The external
view doesn't see 127.0.0.1, or any internal IP addresses, but the
internal one (used by SA) does.

Re: whitelist_from_spf is not working

Posted by Ramprasad <ra...@netcore.co.in>.
On Tue, 2006-05-02 at 10:12 -0400, Matt Kettler wrote:
> Ramprasad wrote:
> > Hi,
> >   I am using SA 3.1.1 as a module in  MailScanner.
> > I am not able to get whitelist_from_spf  working. 
> >
> > In my local.cf I have 
> >
> > ifplugin Mail::SpamAssassin::Plugin::SPF
> >   whitelist_from_spf *@netcore.co.in
> > endif
> >
> > A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> > checks are working ), but no USER_IN_SPF_WHITELIST 
> >
> > why, do I have to do anything else ??
> >   
> You need to have a SPF_PASS, not a SPF_HELO_PASS.
> 
> SPF_HELO_PASS means the claimed hostname in the HELO sent to the server
> would pass SPF.
> 
> SPF_PASS means the actual host (based on IP address) passed SPF.
> 
> Only the second one is any kind of real pass. The first one can be
> trivially forged, and unless it fires with SPF_PASS, you may as well
> consider the email forged.
> 
> Check your SPF records and your Received: headers more closely,
> apparently there's something preventing SPF from matching here.


Sorry,
  I am quite lost. How do I debug this?
Is there a way I can check if the SPF records are working?






Re: whitelist_from_spf is not working

Posted by Ramprasad <ra...@netcore.co.in>.
On Tue, 2006-05-02 at 10:12 -0400, Matt Kettler wrote:
> Ramprasad wrote:
> > Hi,
> >   I am using SA 3.1.1 as a module in  MailScanner.
> > I am not able to get whitelist_from_spf  working. 
> >
> > In my local.cf I have 
> >
> > ifplugin Mail::SpamAssassin::Plugin::SPF
> >   whitelist_from_spf *@netcore.co.in
> > endif
> >
> > A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> > checks are working ), but no USER_IN_SPF_WHITELIST 
> >
> > why, do I have to do anything else ??
> >   
> You need to have a SPF_PASS, not a SPF_HELO_PASS.
> 
> SPF_HELO_PASS means the claimed hostname in the HELO sent to the server
> would pass SPF.
> 
> SPF_PASS means the actual host (based on IP address) passed SPF.
> 
> Only the second one is any kind of real pass. The first one can be
> trivially forged, and unless it fires with SPF_PASS, you may as well
> consider the email forged.
> 
> Check your SPF records and your Received: headers more closely,
> apparently there's something preventing SPF from matching here.


Oh I can see this 
'[29194] dbg: spf: cannot get Envelope-From, cannot use SPF'  

What is the envelope-from header I must use with postfix ?

Thanks
Ram



Re: whitelist_from_spf is not working

Posted by Matt Kettler <mk...@comcast.net>.
Ramprasad wrote:
> Hi,
>   I am using SA 3.1.1 as a module in  MailScanner.
> I am not able to get whitelist_from_spf  working. 
>
> In my local.cf I have 
>
> ifplugin Mail::SpamAssassin::Plugin::SPF
>   whitelist_from_spf *@netcore.co.in
> endif
>
> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> checks are working ), but no USER_IN_SPF_WHITELIST 
>
> why, do I have to do anything else ??
>   
You need to have a SPF_PASS, not a SPF_HELO_PASS.

SPF_HELO_PASS means the claimed hostname in the HELO sent to the server
would pass SPF.

SPF_PASS means the actual host (based on IP address) passed SPF.

Only the second one is any kind of real pass. The first one can be
trivially forged, and unless it fires with SPF_PASS, you may as well
consider the email forged.

Check your SPF records and your Received: headers more closely,
apparently there's something preventing SPF from matching here.
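
Added example (not part of any post in this thread, and not SpamAssassin's own code): a simplified Python model of why a HELO-identity pass alone does not produce SPF_PASS or USER_IN_SPF_WHITELIST, including the case where no envelope sender reaches the scanner. The example.org records and addresses are constructed, only the ip4 and all mechanisms are evaluated, and fnmatch globbing is an assumed stand-in for whitelist_from_spf patterns.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed SPF records using documentation address ranges (not real DNS data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.org": "v=spf1 ip4:192.0.2.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the ip4: and all mechanisms of a record against the client IP."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def rules_hit(client_ip, helo, envelope_from, whitelist=("*@example.org",)):
    """Return the rule names from the thread that this model would fire."""
    hits = []
    if spf_check(helo, client_ip) == "pass":
        hits.append("SPF_HELO_PASS")
    if envelope_from is None:
        # The "cannot get Envelope-From, cannot use SPF" case: no MAIL FROM
        # identity reaches the scanner, so only the HELO check can run.
        return hits
    sender = envelope_from.lower()
    if spf_check(sender.rsplit("@", 1)[-1], client_ip) == "pass":
        hits.append("SPF_PASS")
        # The whitelist entry is honoured only on top of a MAIL FROM pass.
        if any(fnmatchcase(sender, pattern) for pattern in whitelist):
            hits.append("USER_IN_SPF_WHITELIST")
    return hits


if __name__ == "__main__":
    print(rules_hit("192.0.2.10", "mail.example.org", None))
    print(rules_hit("192.0.2.10", "mail.example.org", "ram@example.org"))
    print(rules_hit("198.51.100.7", "mail.example.org", "ram@example.org"))
```
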

whitelist_from_spf is not working

Posted by Ramprasad <ra...@netcore.co.in>.
Hi,
  I am using SA 3.1.1 as a module in  MailScanner.
I am not able to get whitelist_from_spf  working. 

In my local.cf I have 

ifplugin Mail::SpamAssassin::Plugin::SPF
  whitelist_from_spf *@netcore.co.in
endif

A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
checks are working ), but no USER_IN_SPF_WHITELIST 

why, do I have to do anything else ??

Thanks
Ram