Posted to users@spamassassin.apache.org by Ve...@tatravelcenters.com on 2010/08/23 17:51:48 UTC
SPF soft fail problem
I'm having a problem with SPF soft fail detection for a particular domain
that I cannot explain. Emails are being rejected for the domain because
emails are being hit with the SPF_FAIL rule, but according to the SPF
record, they should be hit with the SPF_SOFTFAIL rule.
The domain in question is nawilliams.com. This is the SPF record:
"v=spf1 mx ptr ~all"
I'm seeing other domains being hit with SPF_SOFTFAIL, so I am at a loss as
to why this one isn't. What am I missing?
I am using SpamAssassin 3.3.1 provided by Ubuntu 10.04.
Neil
Re: SPF soft fail problem
Posted by Ve...@tatravelcenters.com.
Michael Scheidell <mi...@secnap.com> wrote on 08/23/2010
11:59:06 AM:
> you will need to provide more information.
>
> post ALL the headers, and state which one is the last untrusted received
> header.
Here is what I see in the Exim reject log. I'm not sure quite what you
mean by "last untrusted received header". The last received header is the
one added by my host. The one prior to that was added by an untrusted
host.
Keep in mind, however, that the issue isn't that I'm getting a fail. I'm
expecting it to fail. The issue is that I'm getting a hard fail instead
of a soft fail as specified by the SPF record.
Neil
---
2010-08-22 21:22:30 1OnLk4-0005H0-MS H=server70a.appriver.com
(server70.appriver.com) [69.20.116.35] F=<mm...@nawilliams.com>
rejected after DATA: Message scored 12.8 spam points.
Envelope-from: <mm...@nawilliams.com>
Envelope-to: <St...@tatravelcenters.com>
P Received: from server70a.appriver.com ([69.20.116.35]
helo=server70.appriver.com)
by lnxsrv4.ta.com (envelope-from
<mm...@nawilliams.com>)
with smtp (Exim 4.71)
id 1OnLk4-0005H0-MS
for Stukus.David@tatravelcenters.com; Sun, 22 Aug 2010 21:22:29
-0400
X-Note-AR-ScanTimeLocal: 8/22/2010 9:22:41 PM
X-Policy: GLOBAL - nawilliams.com
X-Primary: mmccutcheon@nawilliams.com
X-Note: This Email was scanned by AppRiver SecureTide
X-ALLOW: @nawilliams.com ALLOWED
X-Virus-Scan: V-
X-Note: Spam Tests Failed:
X-Country-Path: PRIVATE->UNITED STATES->UNITED STATES
X-Note-Sending-IP: 69.15.41.219
X-Note-Reverse-DNS:
X-Note-WHTLIST: mmccutcheon@nawilliams.com
X-Note: User Rule Hits:
X-Note: Global Rule Hits: G202 G203 G204 G205 G209 G210 G221 G309
X-Note: Encrypt Rule Hits:
X-Note: Mail Class: ALLOWEDSENDER
X-Note: Headers Injected
P Received: from [69.15.41.219] (HELO nawatl01.NAWATL.local)
by server70.appriver.com (CommuniGate Pro SMTP 5.3.7)
with ESMTP id 142957128 for Stukus.David@tatravelcenters.com; Sun, 22
Aug 2010 21:22:40 -0400
P Received: from 10.2.18.2 ([10.2.18.2]) by nawatl01.NAWATL.local
([10.2.18.2]) with Microsoft Exchange Server HTTP-DAV ;
Mon, 23 Aug 2010 01:22:36 +0000
Subject: Re: Requested Information
References:
<FC...@nawatl01.NAWATL.local>
<23...@sz0052a.emeryville.ca.mail.comcast.net>
<OF...@LocalDomain>
<OF...@tatravelcenters.com>
F From: "Mike McCutcheon" <mm...@nawilliams.com>
Content-Type: multipart/alternative;
boundary="Apple-Mail-12--723357858";
charset="iso-8859-1"
In-Reply-To:
<OF...@tatravelcenters.com>
thread-topic: Requested Information
thread-index: ActCYatDdxF4uzGMQ9iA9XjNGJDdRQ==
I Message-ID: <92...@nawilliams.com>
Date: Sun, 22 Aug 2010 20:21:59 -0500
T To: <St...@tatravelcenters.com>
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0 (iPhone Mail 8A400)
X-Spam-Score: 12.8 (++++++++++++)
X-Spam-Report: Content analysis details: (12.8 points, 7.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
20 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?s=mfrom;id=mmccutcheon%40nawilliams.com;ip=69.20.116.35;r=lnxsrv4.ta.com
]
0.0 HTML_MESSAGE BODY: HTML included in message
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76
chars
-5.3 AWL AWL: From: address is in the auto white-list
Re: SPF soft fail problem
Posted by Michael Scheidell <mi...@secnap.com>.
On 8/23/10 11:51 AM, Vergottini.Neil@tatravelcenters.com wrote:
> I'm having a problem with SPF soft fail detection for a particular
> domain that I cannot explain. Emails are being rejected for the
> domain because emails are being hit with the SPF_FAIL rule, but
> according to the SPF record, they should be hit with the SPF_SOFTFAIL
> rule.
>
> The domain in question is nawilliams.com. This is the SPF record:
>
Crystal ball is in use by sales department for Q3 forecasts.
you will need to provide more information.
post ALL the headers, and state which one is the last untrusted received
header.
> "v=spf1 mx ptr ~all"
>
> I'm seeing other domains being hit with SPF_SOFTFAIL, so I am at a
> loss as to why this one isn't. What am I missing?
>
> I am using SpamAssassin 3.3.1 provided by Ubuntu 10.04.
>
> Neil
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
Re: SPF soft fail problem
Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2010-08-23 at 15:25 -0400, Vergottini.Neil@tatravelcenters.com
wrote:
> Benny Pedersen <me...@junc.org> wrote on 08/23/2010 02:45:07 PM:
>
> > > The domain in question is nawilliams.com. This is the SPF record:
> > >
> > > "v=spf1 mx ptr ~all"
> >
> > ptr is unsafe to use in spf
> >
> > ~all means domain owner don't know what they are doing
>
> I figured as much. What I don't understand is why this is coming up
> as SPF_FAIL instead of SPF_SOFTFAIL. My understanding is the ~all in
> the SPF record should be seen as a soft fail or is there something in
> the rule that overrides this if ptr is used.
>
You might like to use the tools here:
http://www.kitterman.com/spf/validate.html?
especially the 'Test SPF record' tool. You should be able to use it
against details of the message that generated the unexpected hard fail
and a syntax definition and explanation is here:
http://www.openspf.org/SPF_Record_Syntax
HTH
Martin
Re: SPF soft fail problem
Posted by Emin Akbulut <em...@gmail.com>.
I just wanted to share a useful link, one which detects mismatched mirrors
(except SPF records).
This site also queries DNS but it's much more flexible: you can give the IP
of the DNS server, use your own DNS or use a public one.
http://centralops.net/co/NsLookup.aspx
It's useful for system administration, SpamAssassin, mail systems
and other related things.
Re: SPF soft fail problem
Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2010-08-24 at 19:03 +0100, Anthony Cartmell wrote:
> >> To everybody; one of the best online diagnostic tools
> >> http://www.intodns.com/nawilliams.com
> >
> > 1. this tool didn't find the error mentioned, and while it's very hard to
> > detect this problem, posting this address here just wouldn't help.
>
> FWIW, to find DNS inconsistencies you need a full-traversal DNS checker
> like:
> http://www.squish.net/dnscheck
>
Thanks for that. Bookmarked.
Martin
Re: SPF soft fail problem
Posted by Anthony Cartmell <li...@fonant.com>.
>> To everybody; one of the best online diagnostic tools
>> http://www.intodns.com/nawilliams.com
>
> 1. this tool didn't find the error mentioned, and while it's very hard to
> detect this problem, posting this address here just wouldn't help.
FWIW, to find DNS inconsistencies you need a full-traversal DNS checker
like:
http://www.squish.net/dnscheck
Anthony
--
www.fonant.com - Quality web sites
Re: SPF soft fail problem
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > Matus UHLAR - fantomas <uh...@fantomas.sk> wrote on 08/23/2010 04:50:39 PM:
> > > Looking at it more deeply, nawilliams.com has three nameservers (but
> > > only 2 delegations from .com), where two return -all and one returns
> > > ~all:
> > >
> > > % dig spf nawilliams.com @beulah.zootsplace.com.
> > > nawilliams.com. 30 IN SPF "v=spf1 mx -all
On 24.08.10 00:30, Emin Akbulut wrote:
> To everybody; one of the best online diagnostic tools
> http://www.intodns.com/nawilliams.com
1. this tool didn't find the error mentioned, and while it's very hard to
detect this problem, posting this address here just wouldn't help.
2. the tool incorrectly reports "Missing nameservers reported by parent" as
FAIL, since this is not a problem by itself. It should cause a warning.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.
Re: SPF soft fail problem
Posted by Emin Akbulut <em...@gmail.com>.
To everybody; one of the best online diagnostic tools
http://www.intodns.com/nawilliams.com
On Mon, Aug 23, 2010 at 11:55 PM, <Ve...@tatravelcenters.com> wrote:
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote on 08/23/2010 04:50:39
> PM:
>
>
> >
> > Looking at it more deeply, nawilliams.com has three nameservers (but only 2
> > delegations from .com), where two return -all and one returns ~all:
> >
> > % dig spf nawilliams.com @beulah.zootsplace.com.
> > nawilliams.com. 30 IN SPF "v=spf1 mx -all
>
Re: SPF soft fail problem
Posted by Ve...@tatravelcenters.com.
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote on 08/23/2010 04:50:39
PM:
>
> Looking at it more deeply, nawilliams.com has three nameservers (but only 2
> delegations from .com), where two return -all and one returns ~all:
>
> % dig spf nawilliams.com @beulah.zootsplace.com.
> nawilliams.com. 30 IN SPF "v=spf1 mx -all
Okay, that explains it. I should have thought about checking all three
DNS servers. I didn't think about it because I was always getting back
the same result. Thanks. I will notify the mail administrator to get it
fixed.
Neil
Re: SPF soft fail problem
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > > The domain in question is nawilliams.com. This is the SPF record:
> > >
> > > "v=spf1 mx ptr ~all"
> Benny Pedersen <me...@junc.org> wrote on 08/23/2010 02:45:07 PM:
> > ptr is unsafe to use in spf
> >
> > ~all means domain owner don't know what they are doing
On 23.08.10 15:25, Vergottini.Neil@tatravelcenters.com wrote:
> I figured as much. What I don't understand is why this is coming up as
> SPF_FAIL instead of SPF_SOFTFAIL. My understanding is the ~all in the SPF
> record should be seen as a soft fail or is there something in the rule
> that overrides this if ptr is used.
Funny. When I checked just now, I got a different result than a few hours ago:
...before:
% spf nawilliams.com.
nawilliams.com has SPF record "v=spf1 mx ptr ~all"
% txt nawilliams.com.
nawilliams.com descriptive text "v=spf1 mx ptr ~all"
...now:
% spf nawilliams.com
nawilliams.com has SPF record "v=spf1 mx -all"
Looking at it more deeply, nawilliams.com has three nameservers (but only 2
delegations from .com), where two return -all and one returns ~all:
% dig spf nawilliams.com @beulah.zootsplace.com.
nawilliams.com. 30 IN SPF "v=spf1 mx -all"
% dig spf nawilliams.com @edna.zootsplace.com.
nawilliams.com. 30 IN SPF "v=spf1 mx ptr ~all"
% dig spf nawilliams.com @hortense.zootsplace.com.
nawilliams.com. 30 IN SPF "v=spf1 mx -all"
I take this as DNS error.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
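
The per-nameserver comparison described in the message above, as an added example that is not part of the original thread. It parses the three dig answer lines quoted there (embedded as constructed sample input) and reports which authoritative servers disagree on the result of the trailing "all" term; the function names are illustrative, and redirect= modifiers are ignored.

```python
import re
from collections import defaultdict

# Constructed sample: the three dig answers quoted in the message above,
# keyed by the authoritative nameserver that was queried.
ANSWERS = {
    "beulah.zootsplace.com.": 'nawilliams.com. 30 IN SPF "v=spf1 mx -all"',
    "edna.zootsplace.com.": 'nawilliams.com. 30 IN SPF "v=spf1 mx ptr ~all"',
    "hortense.zootsplace.com.": 'nawilliams.com. 30 IN SPF "v=spf1 mx -all"',
}

# Qualifier on the "all" term -> SPF result for a sender no earlier term matched.
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RR_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(SPF|TXT)\s+(.+)$')

def parse_spf(rr_line):
    """Return the SPF policy text from one dig answer line, or None."""
    m = RR_LINE.match(rr_line.strip())
    if not m:
        return None
    # Multiple quoted strings in one record are concatenated without spaces.
    text = "".join(re.findall(r'"([^"]*)"', m.group(4)))
    return text if text.lower().split()[:1] == ["v=spf1"] else None

def all_result(policy):
    """Result produced by the policy's 'all' term (redirect= is ignored here)."""
    for term in policy.split()[1:]:
        m = re.fullmatch(r'([+\-~?]?)all', term, re.I)
        if m:
            return ALL_RESULT[m.group(1) or "+"]
    return "neutral"  # no 'all' term: an unmatched sender gets neutral

def report(answers):
    """Group nameservers by the policy they serve and flag disagreement."""
    groups = defaultdict(list)
    for ns, line in sorted(answers.items()):
        groups[parse_spf(line)].append(ns)
    results = sorted({all_result(p) for p in groups if p})
    return {"consistent": len(groups) == 1, "results": results,
            "groups": dict(groups)}

if __name__ == "__main__":
    r = report(ANSWERS)
    for policy, servers in r["groups"].items():
        outcome = all_result(policy) if policy else "no SPF record"
        print(f"{policy!r}: {outcome} <- {', '.join(servers)}")
    if not r["consistent"]:
        print("INCONSISTENT: the SPF result depends on which server answers")
```

With the sample data, two servers yield fail (SPF_FAIL) and one yields softfail (SPF_SOFTFAIL), which is the mismatch the thread tracks down.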
Re: SPF soft fail problem
Posted by Ve...@tatravelcenters.com.
Benny Pedersen <me...@junc.org> wrote on 08/23/2010 02:45:07 PM:
> > The domain in question is nawilliams.com. This is the SPF record:
> >
> > "v=spf1 mx ptr ~all"
>
> ptr is unsafe to use in spf
>
> ~all means domain owner don't know what they are doing
I figured as much. What I don't understand is why this is coming up as
SPF_FAIL instead of SPF_SOFTFAIL. My understanding is the ~all in the SPF
record should be seen as a soft fail or is there something in the rule
that overrides this if ptr is used.
>
> here softfail give from mta defer_if_permit <reason>
>
> send an email to postmaster and show your logs about the softfail
> problem, they will thank you for helping :)
Thanks. I am trying to contact the mail administrator through the user to
get them to correct their SPF record.
Neil