Posted to users@spamassassin.apache.org by Paul Hurley <pa...@paulhurley.co.uk> on 2007/03/19 10:22:51 UTC
Problem with forwarding and SPF
Hello all, Happy Pi day for last week...
I'm running Spam Assassin V3.1.7.0 via SAProxy for Win32
(http://sourceforge.net/projects/sawin32/). I've recently implemented
SPF for my domain, which is working well. However I have a problem with
SPF on email I receive. I have a few old email accounts that use
forwarding into my current account. These generate false SPF failures
because of the forward (see below, this is a recruitment email that is
ham to me)
Now I could create a rule for mail received from 172.20.8.86 and a meta
rule that cancelled out mail that hit SPF fails and the received rule,
but that essentially means turning off SPF for that domain. Any better
ideas ?
Thanks
Paul.
<quote>
>This mail is probably spam. The original message
>has been attached intact in RFC 822 format.
>
>Content preview: Employers of Choice Employers of choice New Scientist
> Jobs Employers of Choice are organisations that are searching for the
> best science and technology jobseekers. Do you fit their brief? To find
> out more details and view any current vacancies from the organisations
> below, just click on their logo. To search for a specific job visit
> NewScientistJobs.com [...]
>
>Content analysis details: (6.5 points, 6.0 required)
>
> 0.1 cust_LOCAL_TO_RCVD Found Received: after the To:
> 0.0 RM_hc_HTML Email is text/html format
>-0.0 PH_TO_PAULH Has Paul.Hurley@ in To:
> 1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
>[SPF failed: Please see http://spf.pobox.com/why.html?sender=newscientistjobs%40email.newscientist.com&ip=172.20.8.86&receiver=casseopia]
> 0.5 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
> 0.1 PH_BODY_LERA BODY: Body contains a gappy version of 'le..ra'
> 0.1 HTML_MESSAGE BODY: HTML included in message
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5000]
> 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.0 RM_rb_ANCHOR RAW: Testing for HTML end of anchor in emails
> 0.0 RM_rb_TITLE RAW: Testing for HTML title in emails
> 0.0 RM_rb_HTML RAW: Testing for HTML tag in emails
> 0.0 RM_rb_BREAK RAW: Testing for HTML Break in emails
> 0.0 RM_rb_FONT RAW: Testing for HTML Font tag in emails
> 0.0 RM_rb_PARA RAW: Testing for HTML Paragraph in emails
> 4.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
> 0.1 AWL AWL: From: address is in the auto white-list
>
>The original message was not completely plain text and may be unsafe to
>open with some email clients; in particular, it may contain a virus
>or confirm that your address can receive spam. If you wish to view
>it, it may be safer to save it to a file and open it with an editor.
>
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Employers of choice
> From:
> "New Scientist Jobs"<ne...@email.newscientist.com>
> Date:
> Mon, 12 Mar 2007 14:18:24 +0000 (GMT)
> To:
> paul.hurley@%olddomain%.net
>
> To:
> paul.hurley@%olddomain%.net
>
> Delivered-To:
> paul.hurley@%olddomain%.net
> Received:
> (qmail 29777 invoked from network); 12 Mar 2007 18:31:30 -0000
> Received:
> from smtp-a02.internal.boltblue.com (HELO smtp.boltblue.com)
> ([172.20.8.86]) (envelope-sender
> <ne...@email.newscientist.com>) by
> bblite.backend.boltblue.com (qmail-ldap-1.03) with SMTP for
> <pa...@cwcom.net>; 12 Mar 2007 18:31:30 -0000
> Received:
> (qmail 92833 invoked from network); 12 Mar 2007 17:22:47 -0000
> Received:
> from unknown (HELO mta1.primary.edc.dartmail.net) (216.73.95.131) by
> smtp-a02.boltblue.com with SMTP; 12 Mar 2007 17:22:47 -0000
> Message-ID:
> <Ki...@flonetwork.com>
>
>
>
>
</quote>
RE: Problem with forwarding and SPF
Posted by Dan Barker <db...@visioncomm.net>.
172.20.8.86 is in a private network. Do you trust it? Control it? In any
case, it appears that Trusted/Internal networks are not set up correctly.
You need to provide more information about your setup and the forwarder.
Dan
-----Original Message-----
From: Brian Wilson [mailto:wilson-ml@bubba.org]
Sent: Monday, March 19, 2007 7:48 AM
To: Paul Hurley
Cc: users@spamassassin.apache.org
Subject: Re: Problem with forwarding and SPF
On Mar 19, 2007, at 5:22 AM, Paul Hurley wrote:
Hello all, Happy Pi day for last week...
I'm running Spam Assassin V3.1.7.0 via SAProxy for Win32
(http://sourceforge.net/projects/sawin32/). I've recently implemented SPF
for my domain, which is working well. However I have a problem with SPF on
email I receive. I have a few old email accounts that use forwarding into
my current account. These generate false SPF failures because of the forward
(see below, this is a recruitment email that is ham to me)
Now I could create a rule for mail received from 172.20.8.86 and a meta
rule that cancelled out mail that hit SPF fails and the received rule, but
that essentially means turning off SPF for that domain. Any better ideas ?
Thanks
Paul.
<quote>
This mail is probably spam. The original message
has been attached intact in RFC 822 format.
Content preview: Employers of Choice Employers of choice New Scientist
Jobs Employers of Choice are organisations that are searching for the
best science and technology jobseekers. Do you fit their brief? To find
out more details and view any current vacancies from the organisations
below, just click on their logo. To search for a specific job visit
NewScientistJobs.com [...]
Content analysis details: (6.5 points, 6.0 required)
0.1 cust_LOCAL_TO_RCVD Found Received: after the To:
0.0 RM_hc_HTML Email is text/html format
-0.0 PH_TO_PAULH Has Paul.Hurley@ in To:
1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
[SPF failed: Please see
http://spf.pobox.com/why.html?sender=newscientistjobs%40email.newscientist.com&ip=172.20.8.86&receiver=casseopia]
0.5 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
0.1 PH_BODY_LERA BODY: Body contains a gappy version of 'le..ra'
0.1 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 RM_rb_ANCHOR RAW: Testing for HTML end of anchor in emails
0.0 RM_rb_TITLE RAW: Testing for HTML title in emails
0.0 RM_rb_HTML RAW: Testing for HTML tag in emails
0.0 RM_rb_BREAK RAW: Testing for HTML Break in emails
0.0 RM_rb_FONT RAW: Testing for HTML Font tag in emails
0.0 RM_rb_PARA RAW: Testing for HTML Paragraph in emails
4.0 DCC_CHECK Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
0.1 AWL AWL: From: address is in the auto white-list
The original message was not completely plain text and may be unsafe to
open with some email clients; in particular, it may contain a virus
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
--------------------------------------------------------------------------
Subject: Employers of choice
From: "New Scientist
Jobs"<ne...@email.newscientist.com>
Date: Mon, 12 Mar 2007 14:18:24 +0000 (GMT)
To: paul.hurley@%olddomain%.net
To: paul.hurley@%olddomain%.net
Delivered-To: paul.hurley@%olddomain%.net
Received: (qmail 29777 invoked from network); 12 Mar 2007
18:31:30 -0000
Received: from smtp-a02.internal.boltblue.com (HELO
smtp.boltblue.com) ([172.20.8.86]) (envelope-sender
<ne...@email.newscientist.com>) by bblite.backend.boltblue.com
(qmail-ldap-1.03) with SMTP for <pa...@cwcom.net>; 12 Mar 2007
18:31:30 -0000
Received: (qmail 92833 invoked from network); 12 Mar 2007
17:22:47 -0000
Received: from unknown (HELO mta1.primary.edc.dartmail.net)
(216.73.95.131) by smtp-a02.boltblue.com with SMTP; 12 Mar 2007
17:22:47 -0000
Message-ID:
<Ki...@flonetwork.com>
Unless you manage DNS for newscientist.com then you're SOL. SPF has to
deal with verifying that the sending party's IP address is authorized to
send email from that particular domain (newscientist.com) and does not have
to do anything with your domain or domains that forward to your email
address unless you are sending the message. Click the link where SPF failed
and read.
-B
Re: Problem with forwarding and SPF
Posted by Brian Wilson <wi...@bubba.org>.
On Mar 19, 2007, at 5:22 AM, Paul Hurley wrote:
> Hello all, Happy Pi day for last week...
>
> I'm running Spam Assassin V3.1.7.0 via SAProxy for Win32
> (http://sourceforge.net/projects/sawin32/). I've recently implemented SPF
> for my domain, which is working well. However I have a problem
> with SPF on email I receive. I have a few old email accounts that
> use forwarding into my current account. These generate false SPF
> failures because of the forward (see below, this is a recruitment
> email that is ham to me)
>
> Now I could create a rule for mail received from 172.20.8.86 and a
> meta rule that cancelled out mail that hit SPF fails and the
> received rule, but that essentially means turning off SPF for that
> domain. Any better ideas ?
>
> Thanks
>
> Paul.
>
> <quote>
>> This mail is probably spam. The original message
>> has been attached intact in RFC 822 format.
>>
>> Content preview: Employers of Choice Employers of choice New
>> Scientist
>> Jobs Employers of Choice are organisations that are searching
>> for the
>> best science and technology jobseekers. Do you fit their brief?
>> To find
>> out more details and view any current vacancies from the
>> organisations
>> below, just click on their logo. To search for a specific job visit
>> NewScientistJobs.com [...]
>>
>> Content analysis details: (6.5 points, 6.0 required)
>>
>> 0.1 cust_LOCAL_TO_RCVD Found Received: after the To:
>> 0.0 RM_hc_HTML Email is text/html format
>> -0.0 PH_TO_PAULH Has Paul.Hurley@ in To:
>> 1.4 SPF_SOFTFAIL SPF: sender does not match SPF record
>> (softfail)
>> [SPF failed: Please see http://spf.pobox.com/why.html?sender=newscientistjobs%40email.newscientist.com&ip=172.20.8.86&receiver=casseopia]
>> 0.5 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received:
>> date
>> 0.1 PH_BODY_LERA BODY: Body contains a gappy version of
>> 'le..ra'
>> 0.1 HTML_MESSAGE BODY: HTML included in message
>> 0.0 BAYES_50 BODY: Bayesian spam probability is 40
>> to 60%
>> [score: 0.5000]
>> 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME
>> parts
>> 0.0 RM_rb_ANCHOR RAW: Testing for HTML end of anchor in
>> emails
>> 0.0 RM_rb_TITLE RAW: Testing for HTML title in emails
>> 0.0 RM_rb_HTML RAW: Testing for HTML tag in emails
>> 0.0 RM_rb_BREAK RAW: Testing for HTML Break in emails
>> 0.0 RM_rb_FONT RAW: Testing for HTML Font tag in emails
>> 0.0 RM_rb_PARA RAW: Testing for HTML Paragraph in emails
>> 4.0 DCC_CHECK Listed in DCC (http://rhyolite.com/
>> anti-spam/dcc/)
>> 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-
>> ignorant.org
>> 0.1 AWL AWL: From: address is in the auto
>> white-list
>>
>> The original message was not completely plain text and may be
>> unsafe to
>> open with some email clients; in particular, it may contain a virus
>> or confirm that your address can receive spam. If you wish to view
>> it, it may be safer to save it to a file and open it with an editor.
>>
>>
>>
>>
>> Subject:
>> Employers of choice
>> From:
>> "New Scientist Jobs"<ne...@email.newscientist.com>
>> Date:
>> Mon, 12 Mar 2007 14:18:24 +0000 (GMT)
>> To:
>> paul.hurley@%olddomain%.net
>> To:
>> paul.hurley@%olddomain%.net
>> Delivered-To:
>> paul.hurley@%olddomain%.net
>> Received:
>> (qmail 29777 invoked from network); 12 Mar 2007 18:31:30 -0000
>> Received:
>> from smtp-a02.internal.boltblue.com (HELO smtp.boltblue.com)
>> ([172.20.8.86]) (envelope-sender
>> <ne...@email.newscientist.com>) by
>> bblite.backend.boltblue.com (qmail-ldap-1.03) with SMTP for
>> <pa...@cwcom.net>; 12 Mar 2007 18:31:30 -0000
>> Received:
>> (qmail 92833 invoked from network); 12 Mar 2007 17:22:47 -0000
>> Received:
>> from unknown (HELO mta1.primary.edc.dartmail.net) (216.73.95.131)
>> by smtp-a02.boltblue.com with SMTP; 12 Mar 2007 17:22:47 -0000
>> Message-ID:
>> <Ki...@flonetwork.com>
>>
>>
>>
>>
>>
Unless you manage DNS for newscientist.com then you're SOL. SPF has
to deal with verifying that the sending party's IP address is
authorized to send email from that particular domain
(newscientist.com) and does not have to do anything with your domain
or domains that forward to your email address unless you are sending
the message. Click the link where SPF failed and read.
-B
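
Added example (not part of any poster's message, and not SpamAssassin's own code): a simplified Python model of the point raised in the replies, that the SPF verdict depends on which relay's IP is taken as the sending party. It uses the Received headers quoted in the thread (redacted addresses omitted) and assumes, for illustration only, that the forwarder's relay 172.20.8.86 is the hop a recipient would list as trusted/internal.

```python
import ipaddress
import re

# Received headers from the message quoted in the thread, newest first.
# Redacted envelope addresses are left out; only "from" hops carry an IP.
RECEIVED = [
    "(qmail 29777 invoked from network); 12 Mar 2007 18:31:30 -0000",
    "from smtp-a02.internal.boltblue.com (HELO smtp.boltblue.com) "
    "([172.20.8.86]) by bblite.backend.boltblue.com (qmail-ldap-1.03) "
    "with SMTP; 12 Mar 2007 18:31:30 -0000",
    "(qmail 92833 invoked from network); 12 Mar 2007 17:22:47 -0000",
    "from unknown (HELO mta1.primary.edc.dartmail.net) (216.73.95.131) "
    "by smtp-a02.boltblue.com with SMTP; 12 Mar 2007 17:22:47 -0000",
]

# Matches "(216.73.95.131)" and "([172.20.8.86])" but not "(HELO ...)".
IP_RE = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def relay_ips(received):
    """Return the connecting IP of each 'from' hop, newest first."""
    ips = []
    for hdr in received:
        if not hdr.startswith("from "):
            continue  # local qmail hand-off lines have no peer IP
        m = IP_RE.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def spf_client_ip(received, internal_nets):
    """Walk newest to oldest and return the first hop outside internal_nets.

    That hop is the one whose IP an SPF check should be evaluated against.
    Returns None if every hop is covered by internal_nets.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for ip in relay_ips(received):
        if not any(ip in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    print("no trust path configured :", spf_client_ip(RECEIVED, []))
    print("forwarder hop as internal:", spf_client_ip(RECEIVED, ["172.20.8.86/32"]))
```

With nothing marked internal, the check lands on the forwarder's private address, which matches the `ip=172.20.8.86` in the SPF_SOFTFAIL line; with that hop skipped, the check would be made against 216.73.95.131, the host that handed the message to the forwarder.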