Posted to users@spamassassin.apache.org by a....@ukgrid.net on 2010/05/05 14:53:06 UTC

Checking if SPF is being used

Hi,

   how can I check if SpamAssassin is checking SPF? I ask because we  
have had instances of spam being delivered using a spoofed email  
address that is from a domain actually hosted on our mail server,  
which shouldn't happen if SPF is being used (SPF is configured in DNS
for the domain in question).
The SpamAssassin SPF plugin is installed:

/usr/local/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Plugin/SPF.pm

I also have the p5-Mail-SPF package installed.

The info SpamAssassin puts into the header of one of the offending  
emails looks like this:

No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,  
MIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no  
version=3.3.0


Anyone give me any clues?

thanks, Andy.





Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
ok for the header bitty, I'm using

envelope_sender_header Return-path

Which I think should be appropriate for exim, and I'm sticking it in
the user_prefs in the home dir of the user that spamd runs as. Is that  
the right config file?

thanks Andy.




Re: Checking if SPF is being used

Posted by Benny Pedersen <me...@junc.org>.
On Wed 05 May 2010 17:15:56 CEST,  wrote

> So I think that proves it is using SPF doesn't it?

yes

> If you'd agree then my next question is why did it deliver mail
> with a spoofed email address of a domain that it is hosted on our
> mail server? I'm using

good question, was it ?

read perldoc Mail::SpamAssassin::Conf one more time, find envelope  
header and set it so it works with envelope header in your mta

done

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Checking if SPF is being used

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 5 May 2010, Michael Scheidell wrote:

[snip..]
> and/or, your spf records are borked.
>
>   host -t txt ukgrid.net
> ukgrid.net descriptive text "v=spf1 +mx +a:alpha.ukgrid.net -all"
>
> <http://www.kitterman.com/spf/validate.html>
>
>
> what is a +mx record?  what is a +a:alpha.ukgrid.net record?
>
> (I don't know if the + is breaking things, looks optional to me.  I
> guess I have never seen them formatted like that before)

'+' syntax is valid SPF, but redundant in his instance.

See: http://www.openspf.org/SPF_Record_Syntax

In their examples the following two lines are functionally equivalent:

 "v=spf1 a mx -all"
 "v=spf1 +a +mx -all"


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
Thanks, I was meaning I don't know if I can test spamassassin to see if
it now correctly scores email. If I can get another server to relay
some mail I guess, right now I can't think of one....

Quoting Benny Pedersen <me...@junc.org>:

> On Wed 05 May 2010 17:45:20 CEST,  wrote
>
>> I'm not sure if I can test this, obviously running spamassassin from
>> the command line isn't going to be able to check against the sending
>> host of the mail (as there is none).
>
> http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go!
>
> -- 
> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
>






Re: Checking if SPF is being used SOLVED

Posted by a....@ukgrid.net.
Hi,

   thanks a lot for your help, it seems to be working great now.
I sent a message from a server not defined in the domain SPF using my  
email address and it got a failed spam scored based on "SPF_FAIL" :)
Great :)

thanks to everyone who commented,

Andy.






Re: Checking if SPF is being used

Posted by Benny Pedersen <me...@junc.org>.
On Wed 05 May 2010 17:45:20 CEST,  wrote

> I'm not sure if I can test this, obviously running spamassassin from
> the command line isn't going to be able to check against the sending
> host of the mail (as there is none).

http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go!

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
Hi Michael,

  ok I have to come clean on a little error here which I've just been
thinking over, which by coincidence I have noticed attempting to mail  
Benny. Benny's email server bounced my mail due to an SPF error, which  
I have never seen myself on my mail nor reported by anyone using this  
mail domain. But there you go, Benny has a very strict SPF check and  
it seems almost everyone else in the world doesn't! Anyway the SPF
record was originally

"v=spf1 +mx +a:alpha -all"

Which I then checked using the site kitterman.com, which told me it  
was invalid due to a non-FQDN being used, which I've now updated to
alpha.ukgird.net.
So I suppose that may well have totally broken SPF for the domain  
until I fixed it a few minutes ago....

I'm not sure if I can test this, obviously running spamassassin from
the command line isn't going to be able to check against the sending host
of the mail (as there is none).

thanks Andy.

Quoting Michael Scheidell <sc...@secnap.net>:
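
An added example, not part of the original thread: a small SPF record checker that shows why "+mx" and "mx" are the same term (David Funk's point) and why the original "a:alpha" was rejected as a non-FQDN (Andy's report). The function names are hypothetical, macros are skipped, and the FQDN test is a simplification of the SPF grammar.

```python
import re

# Mechanisms defined for SPF version 1; the ones in DOMAIN_MECHS take a domain argument.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DOMAIN_MECHS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = "+-~?"
LABEL = re.compile(r"[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?")


def is_fqdn(name):
    """Simplified check: two or more valid labels, last label not all digits."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.fullmatch(label) for label in labels)


def parse_spf(record):
    """Return (terms, problems); each term is (qualifier, mechanism, argument)."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        return [], ["not an SPF record: missing v=spf1"]
    terms, problems = [], []
    for word in words[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9_.-]*=", word):
            continue  # modifier such as redirect= or exp=; not checked here
        # An omitted qualifier means "+" (pass), so "mx" and "+mx" are one term.
        qualifier, rest = (word[0], word[1:]) if word[0] in QUALIFIERS else ("+", word)
        match = re.match(r"[A-Za-z0-9]+", rest)
        name = match.group(0).lower() if match else ""
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism in {word!r}")
            continue
        tail = rest[len(name):]
        arg = tail[1:] if tail.startswith(":") else tail
        domain = arg.split("/", 1)[0]
        if name in DOMAIN_MECHS and domain and "%" not in domain and not is_fqdn(domain):
            problems.append(f"{word!r}: {domain!r} is not a fully qualified domain name")
        terms.append((qualifier, name, arg))
    return terms, problems


if __name__ == "__main__":
    # The two records quoted in this thread: before and after the fix.
    for rec in ("v=spf1 +mx +a:alpha -all", "v=spf1 +mx +a:alpha.ukgrid.net -all"):
        print(rec, "->", parse_spf(rec)[1] or "no problems found")
```
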





Re: Checking if SPF is being used

Posted by Michael Scheidell <sc...@secnap.net>.
On 5/5/10 11:15 AM, a.smith@ukgrid.net wrote:
>
>
> So I think that proves it is using SPF doesn't it? If you'd agree then
> my next question is why did it deliver mail with a spoofed email
> address of a domain that it is hosted on our mail server? I'm using
> exim and I'm looking at an example of this type of spam and it's got
> both the return address and from fields showing an email address from
> a domain hosted on our mail server :S That's not what SPF is meant to
> do surely?
maybe your internal server is not able to look up public TXT records and 
doesn't know your internal domain has them?

from the server in question, test spf via dig, nslookup or host.

host -t txt domain.com

and/or, your spf records are borked.

  host -t txt ukgrid.net
ukgrid.net descriptive text "v=spf1 +mx +a:alpha.ukgrid.net -all"

<http://www.kitterman.com/spf/validate.html>


what is a +mx record?  what is a +a:alpha.ukgrid.net record?

(I don't know if the + is breaking things, looks optional to me.  I 
guess I have never seen them formatted like that before)

still:  check internal server on internal dns see if it thinks there is 
a spf record.



-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
 From this maillist the x-spam-status is:

No, score=-11.1 required=4.8 tests=BAYES_00,RCVD_IN_DNSWL_HI,  
RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RDNS_NONE,SPF_PASS  
autolearn=unavailable version=3.3.1

Hehe, this is another server which is on Spamassassin 3.1.1, seems it  
is using SPF on this box. So far all mail from the list has come via  
this server as it's the preferred MX server for this domain.

Ok, so I just did a search on the last 1000 messages to be delivered  
via the server we started looking at, and there are many instances  
where the x-spam-status has some SPF values; ie SPF_PASS,  
SPF_HELO_FAIL etc

So I think that proves it is using SPF doesn't it? If you'd agree then
my next question is why did it deliver mail with a spoofed email
address of a domain that it is hosted on our mail server? I'm using
exim and I'm looking at an example of this type of spam and it's got
both the return address and from fields showing an email address from
a domain hosted on our mail server :S That's not what SPF is meant to
do surely?

Yep I got the Mail::SPF module installed.


Quoting Benny Pedersen <me...@junc.org>:
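
An added example, not part of the original thread: one way to do the header search described above, by parsing the folded X-Spam-Status header and listing messages where no SPF_* rule was recorded. The two status values are the ones quoted in this thread; the surrounding messages, the Return-path addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages; only the X-Spam-Status values come from the thread.
SAMPLES = {
    "spoofed-spam": (
        "Return-path: <user@example.org>\n"
        "X-Spam-Status: No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,\n"
        "\tMIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no\n"
        "\tversion=3.3.0\n"
        "\n"
        "body\n"
    ),
    "list-mail": (
        "Return-path: <list@example.net>\n"
        "X-Spam-Status: No, score=-11.1 required=4.8 tests=BAYES_00,RCVD_IN_DNSWL_HI,\n"
        "\tRCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RDNS_NONE,SPF_PASS\n"
        "\tautolearn=unavailable version=3.3.1\n"
        "\n"
        "body\n"
    ),
}


def rules_hit(raw_message):
    """Return the rule names listed in tests= of a message's X-Spam-Status header."""
    status = message_from_string(raw_message).get("X-Spam-Status", "")
    # The header is folded after commas; rejoin the rule list before matching.
    joined = re.sub(r",\s+", ",", status)
    match = re.search(r"\btests=(\S+)", joined)
    if not match or match.group(1) == "none":
        return []
    return match.group(1).split(",")


def spf_rules(raw_message):
    """Return only the SPF-related rules (SPF_PASS, SPF_FAIL, SPF_HELO_FAIL, ...)."""
    return [rule for rule in rules_hit(raw_message) if rule.startswith("SPF_")]


def messages_without_spf(messages):
    """Names of messages whose status header records no SPF_* rule at all."""
    return sorted(name for name, raw in messages.items() if not spf_rules(raw))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", spf_rules(raw) or "no SPF rule recorded")
```

A message with no SPF_* rule only shows that no SPF rule hit; as the thread goes on to find, the cause can be an unusable SPF record or a wrong envelope sender header rather than a missing plugin.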





Re: Checking if SPF is being used

Posted by Benny Pedersen <me...@junc.org>.
On Wed 05 May 2010 16:33:39 CEST,  wrote

> tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76  
> (0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%),  
> tests_pri_500: 2506 (28.8%)

i see check spf there, but might fail on missing perl module Mail::SPF

> So it's using SPF after all? Or it seems perhaps it's using SPF when I
> run a check from the command line but not when the mail server is  
> running normal automatic tests? A bit confusing....

no it's just a learning curve :=)

what is the X-Spam-Status header from this maillist saying in your mails ?

if your setup works it says something

btw have you Mail::SPF perl module installed ?, it's not needed when
mta does the spf test, but you then have to configure the plugin so

and remember the right envelope sender header, it's not From:

in postfix it's Return-Path:

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
Hi Benny,

   do you mean in the general perl environment? From that I have the
following available regarding mail:
Actually I just realised I didn't run the test command against a real
mail, I've just rerun it and I get loads of SPF stuff, starting like
this:

May  5 15:30:31.372 [12084] dbg: plugin: loading  
Mail::SpamAssassin::Plugin::SPF from @INC
May  5 15:30:34.564 [12084] dbg: config: fixed relative path:  
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf
May  5 15:30:34.564 [12084] dbg: config: using  
"/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf" for  
included file
May  5 15:30:34.565 [12084] dbg: config: read file  
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf
May  5 15:30:34.638 [12084] dbg: config: fixed relative path:  
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf
May  5 15:30:34.638 [12084] dbg: config: using  
"/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf"  
for included file
May  5 15:30:34.638 [12084] dbg: config: read file  
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf
May  5 15:30:35.604 [12084] dbg: spf: checking to see if the message  
has a Received-SPF header that we can use
May  5 15:30:35.634 [12084] dbg: spf: using Mail::SPF for SPF checks
ending....
May  5 15:30:40.070 [12084] dbg: timing: total 8709 ms - init: 4081  
(46.9%), parse: 1.74 (0.0%), extract_message_metadata: 40 (0.5%),  
poll_dns_idle: 2497 (28.7%), get_uri_detail_list: 2 (0.0%),  
tests_pri_-1000: 9 (0.1%), compile_gen: 131 (1.5%), compile_eval: 14  
(0.2%), tests_pri_-950: 5 (0.1%), tests_pri_-900: 5 (0.1%),  
tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76  
(0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%),  
tests_pri_500: 2506 (28.8%)

So it's using SPF after all? Or it seems perhaps it's using SPF when I
run a check from the command line but not when the mail server is  
running normal automatic tests? A bit confusing....

thanks Andy.




Re: Checking if SPF is being used

Posted by Benny Pedersen <me...@junc.org>.
On Wed 05 May 2010 15:51:31 CEST,  wrote

> thanks for the info. As I mentioned in a follow up I have the plugin
> listed to load in my init.pre. But as you rightly guessed SPF isn't
> loaded, as per the spamassassin -D -t msg test you described.

any spf from @inc ?

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
Hi Benny,

   thanks for the info. As I mentioned in a follow up I have the  
plugin listed to load in my init.pre. But as you rightly guessed SPF  
isn't loaded, as per the spamassassin -D -t msg test you described.
So what can be missing? I must admit to finding the configuration
files quite confusing, there are a lot spread across three different
directories, the /etc dir the share dir and the home dir of the user  
that spamd runs as. From the documentation I read:

                Using "whitelist_auth" is roughly equivalent to specifying
                duplicate "whitelist_from_spf", "whitelist_from_dk", and
                "whitelist_from_dkim" lines for each of the addresses
                specified.

So do I just need to put whitelist_from_spf in my user_prefs? Will  
that actually score down mails that don't comply with SPF or will it
simply ensure mails that do comply aren't mistaken as spam? The former
is the most important one for me, not false positives,

thanks, Andy.





Re: Checking if SPF is being used

Posted by Benny Pedersen <me...@junc.org>.
On Wed 05 May 2010 14:53:06 CEST,  wrote

> No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,  
> MIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no  
> version=3.3.0

no spf, and 3.3.1 is latest :)

> Anyone give me any clues?

spamassassin 2>&1 -D -t msg | grep spf | less

perldoc Mail::SpamAssassin::Conf see search envelope header
perldoc Mail::SpamAssassin::Plugin::SPF more plugin settings here

> thanks, Andy.

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Checking if SPF is being used

Posted by a....@ukgrid.net.
PS in my init.pre SPF is loaded:

loadplugin Mail::SpamAssassin::Plugin::SPF

Quoting a.smith@ukgrid.net: