Posted to users@spamassassin.apache.org by a....@ukgrid.net on 2010/05/05 14:53:06 UTC
Checking if SPF is being used
Hi,
how can I check if SpamAssassin is checking SPF? I ask because we
have had instances of spam being delivered using a spoofed email
address that is from a domain actually hosted on our mail server,
which shouldn't happen if SPF is being used (SPF is configured in DNS
for the domain in question).
The SpamAssassin SPF plugin is installed:
/usr/local/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Plugin/SPF.pm
I also have the p5-Mail-SPF package installed.
The info SpamAssassin puts into the header of one of the offending
emails looks like this:
No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,
MIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no
version=3.3.0
Anyone give me any clues?
thanks, Andy.
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
ok for the header bitty, I'm using
envelope_sender_header Return-path
Which I think should be appropriate for exim, and I'm sticking it in
the user_prefs in the home dir of the user that spamd runs as. Is that
the right config file?
thanks Andy.
Re: Checking if SPF is being used
Posted by Benny Pedersen <me...@junc.org>.
On ons 05 maj 2010 17:15:56 CEST, wrote
> So I think that proves it is using SPF doesn't it?
yes
> If you'd agree then my next question is why did it deliver mail
> with a spoofed email address of a domain that is hosted on our
> mail server? I'm using
good question, was it ?
read perldoc Mail::SpamAssassin::Conf one more time, find envelope
header and set it so it works with envelope header in your mta
done
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Checking if SPF is being used
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 5 May 2010, Michael Scheidell wrote:
[snip..]
> and/or, your spf records are borked.
>
> host -t txt ukgrid.net
> ukgrid.net descriptive text "v=spf1 +mx +a:alpha.ukgrid.net -all"
>
> <http://www.kitterman.com/spf/validate.html>
>
>
> what is a +mx record? what is a +a:alpha.ukgrid.net record?
>
> (I don't know if the + is breaking things, looks optional to me. I
> guess I have never seen them formatted like that before)
'+' syntax is valid SPF, but redundant in his instance.
See: http://www.openspf.org/SPF_Record_Syntax
In their examples the following two lines are functionally equivalent:
"v=spf1 a mx -all"
"v=spf1 +a +mx -all"
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
Thanks, I was meaning I don't know if I can test spamassassin to see if
it now correctly scores email. If I can get another server to relay
some mail I guess, right now I can't think of one....
Quoting Benny Pedersen <me...@junc.org>:
> On ons 05 maj 2010 17:45:20 CEST, wrote
>
>> I'm not sure if I can test this, obviously running spamassassin from
>> the command line isn't going to be able to check against the sending
>> host of the mail (as there is none).
>
> http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go!
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
>
Re: Checking if SPF is being used SOLVED
Posted by a....@ukgrid.net.
Hi,
thanks a lot for your help, it seems to be working great now.
I sent a message from a server not defined in the domain SPF using my
email address and it got a failed spam score based on "SPF_FAIL" :)
Great :)
thanks to everyone who commented,
Andy.
Re: Checking if SPF is being used
Posted by Benny Pedersen <me...@junc.org>.
On ons 05 maj 2010 17:45:20 CEST, wrote
> I'm not sure if I can test this, obviously running spamassassin from
> the command line isn't going to be able to check against the sending
> host of the mail (as there is none).
http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go!
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
Hi Michael,
ok I have to come clean on a little error here which I've just been
thinking over, which by coincidence I have noticed attempting to mail
Benny. Benny's email server bounced my mail due to an SPF error, which
I have never seen myself on my mail nor reported by anyone using this
mail domain. But there you go, Benny has a very strict SPF check and
it seems almost everyone else in the world doesn't! Anyway the SPF
record was originally
"v=spf1 +mx +a:alpha -all"
Which I then checked using the site kitterman.com, which told me it
was invalid due to a non-FQDN being used, which I've now updated to
alpha.ukgrid.net.
So I suppose that may well have totally broken SPF for the domain
until I fixed it a few minutes ago....
I'm not sure if I can test this, obviously running spamassassin from
the command line isn't going to be able to check against the sending host
of the mail (as there is none).
thanks Andy.
Quoting Michael Scheidell <sc...@secnap.net>:
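Added example, not part of the original thread: a small Python check for the two SPF record points raised in the messages above, that a leading "+" is only the default qualifier and that "a:alpha" is rejected because the host is not fully qualified. The function names are illustrative, and the check is syntax only, with no DNS lookups.

```python
import re

# A mechanism written without a qualifier defaults to "+" (pass).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TAKES_DOMAIN = {"include", "a", "mx", "ptr", "exists"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?::([^/]+))?(/.*)?$")
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")


def parse_spf(record):
    """Return (terms, problems); a term is (qualifier, mechanism, arg, cidr)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], ["record does not start with v=spf1"]
    terms, problems = [], []
    for raw in parts[1:]:
        if MODIFIER.match(raw):
            continue  # modifiers such as redirect= or exp= are skipped here
        m = TERM.match(raw)
        if not m or m.group(2).lower() not in MECHANISMS:
            problems.append("unknown or malformed term: " + raw)
            continue
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        arg, cidr = m.group(3) or "", m.group(4) or ""
        # A domain argument must be fully qualified unless it is a macro.
        if name in TAKES_DOMAIN and arg and "." not in arg and "%" not in arg:
            problems.append(f"{name}:{arg} is not a fully qualified domain name")
        terms.append((qualifier, name, arg, cidr))
    return terms, problems


def canonical(record):
    """Rebuild the mechanisms with the redundant default '+' dropped."""
    terms, _ = parse_spf(record)
    out = ["v=spf1"]
    for qualifier, name, arg, cidr in terms:
        prefix = "" if qualifier == "+" else qualifier
        out.append(prefix + name + (":" + arg if arg else "") + cidr)
    return " ".join(out)


if __name__ == "__main__":
    # Records quoted in this thread: the original and the corrected one.
    for rec in ('v=spf1 +mx +a:alpha -all',
                'v=spf1 +mx +a:alpha.ukgrid.net -all'):
        print(canonical(rec), parse_spf(rec)[1])
```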
Re: Checking if SPF is being used
Posted by Michael Scheidell <sc...@secnap.net>.
On 5/5/10 11:15 AM, a.smith@ukgrid.net wrote:
>
>
> So I think that proves it is using SPF doesn't it? If you'd agree then
> my next question is why did it deliver mail with a spoofed email
> address of a domain that is hosted on our mail server? I'm using
> exim and I'm looking at an example of this type of spam and it's got
> both the return address and from fields showing an email address from
> a domain hosted on our mail server :S That's not what SPF is meant to
> do surely?
maybe your internal server is not able to look up public TXT records and
doesn't know your internal domain has them?
from the server in question, test spf via dig, nslookup or host.
host -t txt domain.com
and/or, your spf records are borked.
host -t txt ukgrid.net
ukgrid.net descriptive text "v=spf1 +mx +a:alpha.ukgrid.net -all"
<http://www.kitterman.com/spf/validate.html>
what is a +mx record? what is a +a:alpha.ukgrid.net record?
(I don't know if the + is breaking things, looks optional to me. I
guess I have never seen them formatted like that before)
still: check internal server on internal dns see if it thinks there is
a spf record.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
From this maillist the x-spam-status is:
No, score=-11.1 required=4.8 tests=BAYES_00,RCVD_IN_DNSWL_HI,
RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RDNS_NONE,SPF_PASS
autolearn=unavailable version=3.3.1
Hehe, this is another server which is on Spamassassin 3.1.1, seems it
is using SPF on this box. So far all mail from the list has come via
this server as it's the preferred MX server for this domain.
Ok, so I just did a search on the last 1000 messages to be delivered
via the server we started looking at, and there are many instances
where the x-spam-status has some SPF values; ie SPF_PASS,
SPF_HELO_FAIL etc
So I think that proves it is using SPF doesn't it? If you'd agree then
my next question is why did it deliver mail with a spoofed email
address of a domain that is hosted on our mail server? I'm using
exim and I'm looking at an example of this type of spam and it's got
both the return address and from fields showing an email address from
a domain hosted on our mail server :S That's not what SPF is meant to
do surely?
Yep I got the Mail::SPF module installed.
Quoting Benny Pedersen <me...@junc.org>:
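Added example, not part of the original thread: one way to scan X-Spam-Status values for SPF rule hits, as in the search over recently delivered messages described above. The two sample values are the headers quoted in this thread (the tab folding is constructed), the function names are illustrative, and a header with no SPF_* rule only shows that no SPF result was recorded for that message.

```python
import re
from collections import Counter

# X-Spam-Status values quoted in this thread; continuation tabs are constructed.
SAMPLES = [
    "No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no\n"
    "\tversion=3.3.0",
    "No, score=-11.1 required=4.8 tests=BAYES_00,RCVD_IN_DNSWL_HI,\n"
    "\tRCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RDNS_NONE,SPF_PASS\n"
    "\tautolearn=unavailable version=3.3.1",
]


def rules_hit(status):
    """Return every rule name from the tests= list of one header value."""
    joined = re.sub(r",\s+", ",", status)  # the list is folded after a comma
    match = re.search(r"\btests=(\S*)", joined)
    if not match or match.group(1) in ("", "none"):
        return []
    return match.group(1).split(",")


def spf_rules(status):
    """Return only the SPF rule names (SPF_PASS, SPF_HELO_FAIL, ...)."""
    return [name for name in rules_hit(status) if name.startswith("SPF_")]


def audit(statuses):
    """Count SPF rule hits and list the messages that carry none at all."""
    counts, without = Counter(), []
    for index, status in enumerate(statuses):
        found = spf_rules(status)
        counts.update(found)
        if not found:
            without.append(index)
    return dict(counts), without


if __name__ == "__main__":
    print(audit(SAMPLES))
```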
Re: Checking if SPF is being used
Posted by Benny Pedersen <me...@junc.org>.
On ons 05 maj 2010 16:33:39 CEST, wrote
> tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76
> (0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%),
> tests_pri_500: 2506 (28.8%)
i see check spf there, but might fail on missing perl module Mail::SPF
> So it's using SPF after all? Or it seems perhaps it's using SPF when I
> run a check from the command line but not when the mail server is
> running normal automatic tests? A bit confusing....
no its just a learning curve :=)
what is the X-Spam-Status header from this maillist saying in your mails ?
if your setup works it says something
btw have you Mail::SPF perl module installed ?, its not needed when
mta does the spf test, but you then have to configure the plugin so
and remember the right envelope sender header, its not From:
in postfix its Return-Path:
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
Hi Benny,
do you mean in the general perl environment? From that I have the
following available regarding mail:
Actually I just realised I didn't run the test command against a real
mail, I've just rerun it and I get loads of SPF stuff, starting like
this:
May 5 15:30:31.372 [12084] dbg: plugin: loading
Mail::SpamAssassin::Plugin::SPF from @INC
May 5 15:30:34.564 [12084] dbg: config: fixed relative path:
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf
May 5 15:30:34.564 [12084] dbg: config: using
"/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf" for
included file
May 5 15:30:34.565 [12084] dbg: config: read file
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf
May 5 15:30:34.638 [12084] dbg: config: fixed relative path:
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf
May 5 15:30:34.638 [12084] dbg: config: using
"/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf"
for included file
May 5 15:30:34.638 [12084] dbg: config: read file
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf
May 5 15:30:35.604 [12084] dbg: spf: checking to see if the message
has a Received-SPF header that we can use
May 5 15:30:35.634 [12084] dbg: spf: using Mail::SPF for SPF checks
ending....
May 5 15:30:40.070 [12084] dbg: timing: total 8709 ms - init: 4081
(46.9%), parse: 1.74 (0.0%), extract_message_metadata: 40 (0.5%),
poll_dns_idle: 2497 (28.7%), get_uri_detail_list: 2 (0.0%),
tests_pri_-1000: 9 (0.1%), compile_gen: 131 (1.5%), compile_eval: 14
(0.2%), tests_pri_-950: 5 (0.1%), tests_pri_-900: 5 (0.1%),
tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76
(0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%),
tests_pri_500: 2506 (28.8%)
So it's using SPF after all? Or it seems perhaps it's using SPF when I
run a check from the command line but not when the mail server is
running normal automatic tests? A bit confusing....
thanks Andy.
Re: Checking if SPF is being used
Posted by Benny Pedersen <me...@junc.org>.
On ons 05 maj 2010 15:51:31 CEST, wrote
> thanks for the info. As I mentioned in a follow up I have the plugin
> listed to load in my init.pre. But as you rightly guessed SPF isn't
> loaded, as per the spamassassin -D -t msg test you described.
any spf from @inc ?
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
Hi Benny,
thanks for the info. As I mentioned in a follow up I have the
plugin listed to load in my init.pre. But as you rightly guessed SPF
isn't loaded, as per the spamassassin -D -t msg test you described.
So what can be missing? I must admit to finding the configuration
files quite confusing, there are a lot spread across three different
directories, the /etc dir the share dir and the home dir of the user
that spamd runs as. From the documentation I read:
Using "whitelist_auth" is roughly equivalent to specifying
duplicate "whitelist_from_spf", "whitelist_from_dk", and
"whitelist_from_dkim" lines for each of the addresses specified.
So do I just need to put whitelist_from_spf in my user_prefs? Will
that actually score down mails that don't comply with SPF or will it
simply ensure mails that do comply aren't mistaken as spam? The former
is the most important one for me, not false positives,
thanks, Andy.
Re: Checking if SPF is being used
Posted by Benny Pedersen <me...@junc.org>.
On ons 05 maj 2010 14:53:06 CEST, wrote
> No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,
> MIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no
> version=3.3.0
no spf, and 3.3.1 is latest :)
> Anyone give me any clues?
spamassassin 2>&1 -D -t msg | grep spf | less
perldoc Mail::SpamAssassin::Conf see search envelope header
perldoc Mail::SpamAssassin::Plugin::SPF more plugin settings here
> thanks, Andy.
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Checking if SPF is being used
Posted by a....@ukgrid.net.
PS in my init.pre SPF is loaded:
loadplugin Mail::SpamAssassin::Plugin::SPF
Quoting a.smith@ukgrid.net: