Posted to users@spamassassin.apache.org by Jan Doberstein <ja...@hosteurope.de> on 2006/12/18 17:06:55 UTC

SPF detection making mistakes

Hi there,

I'm getting some problems with the SpamAssassin SPF module
(Mail::SpamAssassin::Plugin::SPF); maybe I can resolve this problem by
asking the list.

Please take a look at this header:


----------- start cut -----------
Return-path: <xx...@gmx.de>
Delivery-date: Sun, 17 Dec 2006 10:45:20 +0100
Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
	from mi012.mc1.hosteurope.de ([80.237.138.243]);
	id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
Received: by mx0.webpack.hosteurope.de (80.237.138.5,
mi012.mc1.hosteurope.de) running EXperimental Internet Mailer (even more
power) using smtp
	from mail.gmx.net ([213.165.64.20])
	id 1Gvsa6-0005C2-As
	for xxx@nureintespaket.de; Sun, 17 Dec 2006 10:45:20 +0100
Received: (qmail invoked by alias); 17 Dec 2006 09:45:18 -0000
Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
[217.224.89.23]
  by mail.gmx.net (mp034) with SMTP; 17 Dec 2006 10:45:18 +0100
X-Authenticated: #202980
From: "just a name" <xx...@gmx.de>
To: XXX@nureintespaket.de
Date: Sun, 17 Dec 2006 10:45:33 +0100
MIME-Version: 1.0
Subject: test
Reply-to: xxx@gmx.de
Message-ID: <45...@xxx.gmx.de>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.41)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: Quoted-printable
Content-description: Mail message body
X-Y-GMX-Trusted: 0
X-HE-Virus-Scanned: yes
X-HE-Spam-Level: ++
X-HE-Spam-Score: 2.5
X-HE-Spam-Report: Content analysis details:   (2.5 points)

pts rule name              description
--- ---- -------------- --------------------------------------	
2.1 HELO_DYNAMIC_DIALIN	Relay HELO'd using suspicious hostname (T-Dialin)
0.2 SPF_FAIL	SPF: sender does not match SPF record (fail)
[SPF failed: Please see
http://spf.pobox.com/why.html?sender=xxx%40gmx.de&ip=223.1.1.12
8&receiver=mi012.mc1.hosteurope.de]
0.2 RCVD_ILLEGAL_IP	Received: contains illegal IP address

Envelope-to: XXX@nureintespaket.de

----------- end cut -----------


As you can see, the SPF check fails, but in my understanding it should
pass without a failure.

This mail was sent via dial-in and SMTP AUTH ... how can I modify the
SPF module so that it checks this kind of header correctly?


Thanks for help.

\jd


Re: SPF detection making mistakes

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jan Doberstein wrote:

> Please take a look at this header:

> Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
> 	from mi012.mc1.hosteurope.de ([80.237.138.243]);
> 	id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
> Received: by mx0.webpack.hosteurope.de (80.237.138.5,
> mi012.mc1.hosteurope.de) running EXperimental Internet Mailer (even more
> power) using smtp
> 	from mail.gmx.net ([213.165.64.20])
> 	id 1Gvsa6-0005C2-As
> 	for xxx@nureintespaket.de; Sun, 17 Dec 2006 10:45:20 +0100

SA can't parse these broken received headers, thus causing your problem.
Fix them, and you'll be all set.

Daryl

RE: SPF detection making mistakes

Posted by Sietse van Zanen <si...@wizdom.nu>.
Seems the dmx.net / dmx.de SPF is broken:

> set type=TXT
> gmx.net
Server:         10.10.21.4
Address:        10.10.21.4#53
Non-authoritative answer:
gmx.net text = "v=spf1 ip4:213.165.64.0/23 -all"
Authoritative answers can be found from:
> gmx.de
Server:         10.10.21.4
Address:        10.10.21.4#53
Non-authoritative answer:
gmx.de  text = "v=spf1 ip4:213.165.64.0/23 -all"
Authoritative answers can be found from:

this does not include: 
Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
> [217.224.89.23]

The managers of dmx.de / dmx.net should strip that header to make their SPF record OK, or include their dial-up users' IP addresses.

-Sietse






Re: SPF detection making mistakes

Posted by Jan Doberstein <ja...@hosteurope.de>.
Bret Miller wrote:
> Huh?? 223.1.1.12? Is 213.165.64.20 part of your trusted networks?

No, it's not ... this is the dial-up IP from T-Online, the second line is the
"normal" GMX network, "my" network starts at mx0.webpack.hosteurope.de

> Actually the doc for the SPF module says "trusted_networks" but
> shouldn't it be checking "internal_networks" instead?

SpamAssassin is running on mx0.webpack.hosteurope.de, and the
whole IP range is in internal_network. Should it be in trusted_networks
too?

> Anyway, it fails because it's checking the wrong IP because it thinks
> you received it at one stage earlier than you did. That's likely because
> either or both of trusted_networks and internal_networks are not
> correctly set.

If I understand this correctly, the IP range of mx0.webpack.hosteurope.de
should be announced in the config as an internal and trusted network?


\jd


RE: SPF detection making mistakes

Posted by Bret Miller <br...@wcg.org>.
> I'm getting some problems with the SpamAssassin SPF module
> (Mail::SpamAssassin::Plugin::SPF); maybe I can resolve this problem by
> asking the list.
> 
> Please take a look at this header:
> 
> 
> ----------- start cut -----------
> Return-path: <xx...@gmx.de>
> Delivery-date: Sun, 17 Dec 2006 10:45:20 +0100
> Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
> 	from mi012.mc1.hosteurope.de ([80.237.138.243]);
> 	id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
> Received: by mx0.webpack.hosteurope.de (80.237.138.5,
> mi012.mc1.hosteurope.de) running EXperimental Internet Mailer 
> (even more
> power) using smtp
> 	from mail.gmx.net ([213.165.64.20])
> 	id 1Gvsa6-0005C2-As
> 	for xxx@nureintespaket.de; Sun, 17 Dec 2006 10:45:20 +0100
> Received: (qmail invoked by alias); 17 Dec 2006 09:45:18 -0000
> Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
> [217.224.89.23]
>   by mail.gmx.net (mp034) with SMTP; 17 Dec 2006 10:45:18 +0100
> X-Authenticated: #202980
> From: "just a name" <xx...@gmx.de>
> To: XXX@nureintespaket.de
> Date: Sun, 17 Dec 2006 10:45:33 +0100
> MIME-Version: 1.0
> Subject: test
> Reply-to: xxx@gmx.de
> Message-ID: <45...@xxx.gmx.de>
> Priority: normal
> X-mailer: Pegasus Mail for Windows (4.41)
> Content-type: text/plain; charset=ISO-8859-1
> Content-transfer-encoding: Quoted-printable
> Content-description: Mail message body
> X-Y-GMX-Trusted: 0
> X-HE-Virus-Scanned: yes
> X-HE-Spam-Level: ++
> X-HE-Spam-Score: 2.5
> X-HE-Spam-Report: Content analysis details:   (2.5 points)
> 
> pts rule name              description
> --- ---- -------------- --------------------------------------	
> 2.1 HELO_DYNAMIC_DIALIN	Relay HELO'd using suspicious 
> hostname (T-Dialin)
> 0.2 SPF_FAIL	SPF: sender does not match SPF record (fail)
> [SPF failed: Please see
> http://spf.pobox.com/why.html?sender=xxx%40gmx.de&ip=223.1.1.12
> 8&receiver=mi012.mc1.hosteurope.de]

Huh?? 223.1.1.12? Is 213.165.64.20 part of your trusted networks?
Actually the doc for the SPF module says "trusted_networks" but
shouldn't it be checking "internal_networks" instead?

Anyway, it fails because it's checking the wrong IP because it thinks
you received it at one stage earlier than you did. That's likely because
either or both of trusted_networks and internal_networks are not
correctly set.

HTH,
Bret



> 0.2 RCVD_ILLEGAL_IP	Received: contains illegal IP address
> 
> Envelope-to: XXX@nureintespaket.de
> 
> ----------- end cut -----------
> 
> 
> As you can see, the SPF check fails, but in my understanding it should
> pass without a failure.
> 
> This mail was sent via dial-in and SMTP AUTH ... how can I modify the
> SPF module so that it checks this kind of header correctly?
> 
> 
> Thanks for help.
> 
> \jd
> 
>
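
Added example (not part of the original thread and not SpamAssassin's own code): a simplified Python model of the two points raised above, the ip4 range in the quoted gmx SPF record and the choice of which relay IP gets checked against it. The 80.237.138.0/24 internal range and the function names are assumptions; only the ip4 and all mechanisms are handled.

```python
import ipaddress

SPF_RECORD = "v=spf1 ip4:213.165.64.0/23 -all"  # as quoted in the thread
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Connecting IPs transcribed from the posted Received headers, newest hop first.
RELAYS = ["80.237.138.243", "213.165.64.20", "217.224.89.23"]
# Assumed internal range for the receiving site (not stated in the thread).
INTERNAL = ["80.237.138.0/24"]


def spf_result(record, ip):
    """Evaluate ip4/all mechanisms left to right; the first match decides."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qual]
        if name.lower() == "ip4" and arg:
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched


def first_external_ip(relays, internal):
    """Return the newest relay IP that lies outside the internal networks."""
    nets = [ipaddress.ip_network(n) for n in internal]
    for ip in relays:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


if __name__ == "__main__":
    cases = {
        "boundary set, all hops parsed": first_external_ip(RELAYS, INTERNAL),
        "two newest hops unparsed": first_external_ip(RELAYS[2:], INTERNAL),
        "EHLO literal from the report": "223.1.1.128",
    }
    for label, ip in cases.items():
        print(f"{label}: {ip} -> {spf_result(SPF_RECORD, ip)}")
```

Only the hand-off from mail.gmx.net (213.165.64.20) falls inside the published /23; any address taken from further down the chain fails against -all.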