You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Kristopher Austin <kr...@oc.edu> on 2006/01/23 18:10:02 UTC

USER_IN_SPF_WHITELIST not firing

After seeing all the SPF discussion lately I decided to actually ask you
guys about this problem.

I have many whitelist_from_spf entries where I usually keep my whitelist
entries.  For some reason, I have never seen a hit on
USER_IN_SPF_WHITELIST.  I have received plenty of emails that I believe
should have hit.  Here are some example entries:

whitelist_from_spf *@newsletters.microsoft.com
whitelist_from_spf *@microsoft.com
whitelist_from_spf *@paypal.com
whitelist_from_spf scomp@aol.net
whitelist_from_spf *@cresmail.com
whitelist_from_spf ezines@arcamax.com
whitelist_from_spf *@alert.bankofamerica.com
whitelist_from_spf *@dell.com
whitelist_from_spf *@salliemae.com

After further investigation I notice that I have plenty of SPF_HELO_*
hits, but no SPF_* hits.  I assume this issue is probably related to the
other.  What is the difference between SPF_HELO rules and the plain SPF
versions?  Why would I not be seeing any hits on the non-HELO ones?

I have trusted_networks configured correctly.  I have the plugin enabled
and I see no errors with a spamassassin --lint -D.  All the SPF
dependencies are loaded.  I am using SA 3.1 / sa-exim / exim 4.60 /
Debian 3.1.

I really have no idea on how to proceed from here.  How does one test
the SPF tests and get debug output on it?

Here is some debug output that may or may not be useful:
/# spamassassin --lint -D 2>&1 | grep -i spf
[29944] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[29944] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[29944] dbg: config: read file
/usr/share/spamassassin/60_whitelist_spf.cf
[29944] dbg: config: read file
/etc/spamassassin/70_sare_whitelist_spf.cf
[29944] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[29944] dbg: plugin: registered
Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310)
[29944] dbg: plugin: registering glue method for check_for_spf_helo_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: message was delivered entirely via trusted relays, not
required
[29944] dbg: plugin: registering glue method for check_for_spf_neutral
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: message was delivered entirely via trusted relays, not
required
[29944] dbg: plugin: registering glue method for check_for_spf_softfail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for check_for_spf_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for
check_for_spf_helo_softfail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for
check_for_def_spf_whitelist_from
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: cannot get Envelope-From, cannot use SPF
[29944] dbg: spf: def_spf_whitelist_from: could not find useable
envelope sender
[29944] dbg: plugin: registering glue method for check_for_spf_fail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for
check_for_spf_whitelist_from
(Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: spf_whitelist_from: could not find useable envelope
sender

Thanks,
Kris

Re: USER_IN_SPF_WHITELIST not firing

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.

On 1/23/2006 12:10 PM, Kristopher Austin wrote:
> After seeing all the SPF discussion lately I decided to actually ask you
> guys about this problem.
> 
> I have many whitelist_from_spf entries where I usually keep my whitelist
> entries.  For some reason, I have never seen a hit on
> USER_IN_SPF_WHITELIST.  I have received plenty of emails that I believe
> should have hit.  Here are some example entries:

> whitelist_from_spf *@paypal.com

> 
> After further investigation I notice that I have plenty of SPF_HELO_*
> hits, but no SPF_* hits.  I assume this issue is probably related to the
> other.  What is the difference between SPF_HELO rules and the plain SPF
> versions?  Why would I not be seeing any hits on the non-HELO ones?

If SpamAssassin isn't running on your gateway MX, and your 
trusted_networks are set correctly, which they are...

> 
> I have trusted_networks configured correctly.  I have the plugin enabled
> and I see no errors with a spamassassin --lint -D.  All the SPF
> dependencies are loaded.  I am using SA 3.1 / sa-exim / exim 4.60 /
> Debian 3.1.

...you won't see anything but SPF_HELO_* hits unless you add this line 
to your local.cf:

always_trust_envelope_sender 1


By default (I'm starting to think that it shouldn't be by default), SA 
will not trust the envelope sender since it could possibly have been 
modified by one of the (trusted) internal_networks hosts.  Without an 
envelope sender that it can trust, SA can't do SPF checks on the 
envelope sender (which is what the SPF_* checks are).


> I really have no idea on how to proceed from here.  How does one test
> the SPF tests and get debug output on it?

spamassassin -Dspf < test.msg


Daryl