You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2012/08/24 16:37:52 UTC

Somewhat OT: Is this wrong?

Hi,

Somewhat OT, but I figure there are SPF experts here:

http://technet.microsoft.com/en-us/library/aa995992.aspx

It appears to me that Microsoft uses header sender/from addresses
to do an SPF lookup (see "How Sender ID Works")

Am I the only one who thinks this is utterly wrong?
To me, this is pretty clear:

http://www.openspf.org/FAQ/Envelope_from_scope

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by Jeremy McSpadden <je...@fluxlabs.net>.

Topic Last Modified: 2006-04-05

http://technet.microsoft.com/en-us/library/aa996295.aspx .. for Exchange 2010

--
Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net<http://www.fluxlabs.net/> | Endless Solutions
Office : 850-250-5590 x 101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Aug 24, 2012, at 9:37 AM, "David F. Skoll" <df...@roaringpenguin.com>>
 wrote:

Hi,

Somewhat OT, but I figure there are SPF experts here:

http://technet.microsoft.com/en-us/library/aa995992.aspx

It appears to me that Microsoft uses header sender/from addresses
to do an SPF lookup (see "How Sender ID Works")

Am I the only one who thinks this is utterly wrong?
To me, this is pretty clear:

http://www.openspf.org/FAQ/Envelope_from_scope

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by Jeremy McSpadden <je...@fluxlabs.net>.

Microsoft handles SPF using the Edge Transport service, in 2010. If it is configured on the domain.
You are correct with the article, although 2003 is old ...

--
Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net<http://www.fluxlabs.net/> | Endless Solutions
Office : 850-250-5590 x 101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Aug 24, 2012, at 9:58 AM, Ned Slider <ne...@unixmail.co.uk>>
 wrote:

On 24/08/12 15:37, David F. Skoll wrote:
Hi,

Somewhat OT, but I figure there are SPF experts here:

http://technet.microsoft.com/en-us/library/aa995992.aspx

It appears to me that Microsoft uses header sender/from addresses
to do an SPF lookup (see "How Sender ID Works")

Am I the only one who thinks this is utterly wrong?
To me, this is pretty clear:

http://www.openspf.org/FAQ/Envelope_from_scope

Regards,

David.


The Microsoft Sender ID system is not the same as SPF.

See here:

http://www.openspf.org/SPF_vs_Sender_ID

Hope that helps.

Re: Somewhat OT: Is this wrong?

Posted by "David F. Skoll" <df...@roaringpenguin.com>.

On 24 Aug 2012 21:13:57 -0000
"John Levine" <jo...@taugh.com> wrote:

> As I understand it, you're referring to Exchange 2003,

The MSFT article referred to Exchange 2003.  AFAIK, the behavior
is the same even in modern versions of Exchange.

For example http://technet.microsoft.com/en-us/library/aa996295.aspx
is about Exchange 2010 and it says: "... is authorized to send messages
for the domain that's specified in the message headers."

> What, exactly, do you expect to happen here?

Microsoft to fix things?  Oh sorry, wrong mailing list... that should
be in the rapturous miracles channel.

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by Jason Haar <Ja...@trimble.com>.

On 25/08/12 09:13, John Levine wrote:
> As I understand it, you're referring to Exchange 2003, which was
> shipped nine years ago, and which, if you believe the Wikipedia
> article, hasn't been updated since 2005 and hasn't been supported
> since 2009. What, exactly, do you expect to happen here?
> http://en.wikipedia.org/wiki/Microsoft_Exchange_Server R's, John 
...and probably 30+% of enterprises are still using it. Have you ever
seen Exchange 2007+? Needs a damn team and clustering to make it work
properly. I'd guess it's a move by Microsoft to "encourage" customers to
the Cloud - problem is most move to Google ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: Somewhat OT: Is this wrong?

Posted by John Levine <jo...@taugh.com>.

>It appears to be on by default as part of Exchange's Intelligent [sic]
>Message Filter.

As I understand it, you're referring to Exchange 2003, which was
shipped nine years ago, and which, if you believe the Wikipedia
article, hasn't been updated since 2005 and hasn't been supported
since 2009.

What, exactly, do you expect to happen here?

http://en.wikipedia.org/wiki/Microsoft_Exchange_Server

R's,
John

Re: Somewhat OT: Is this wrong?

Posted by "David F. Skoll" <df...@roaringpenguin.com>.

On 24 Aug 2012 18:08:42 -0000
"John Levine" <jo...@taugh.com> wrote:

> Microsoft's Sender-ID has been using SPF records to do Sender-ID
> checks for a decade.  You just noticed now?

Yes.  It's never been an issue for me before now.

> In practice, Sender-ID has been a failure, nobody of any importance
> uses it any more, and Microsoft's own mail systems including Hotmail
> are now doing DKIM and SPF checks.

It appears to be on by default as part of Exchange's Intelligent [sic]
Message Filter.

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by "David F. Skoll" <df...@roaringpenguin.com>.

On Fri, 24 Aug 2012 19:01:34 +0100
Ned Slider <ne...@unixmail.co.uk> wrote:

> I don't think it diminishes the effectiveness of SPF though.

Here's the problem: One of our services sends email with an envelope
address of <> and a From: header address within roaringpenguin.com.
In this case, an SPF implementation may use the HELO hostname as the SPF
domain.

However, MSFT is using roaringpenguin.com and deciding that our message
is failing SPF and rejecting it.

We're in a position to say "Get lost, Microsoft" but a lot of people
who need to get mail delivered may opt instead to weaken or remove
their SPF records. :(

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by Ned Slider <ne...@unixmail.co.uk>.

On 24/08/12 16:55, David F. Skoll wrote:
> On Fri, 24 Aug 2012 16:29:18 +0100
> Ned Slider<ne...@unixmail.co.uk>  wrote:
>
>> If Microsoft want to examine the From header then that is their
>> concern. Googling shows others tend to agree with you that their
>> implementation is broken, or in your words wrong. It is certainly
>> wrong in SPF terms, but again it's not SPF :-)
>
> The problem is that I publish SPF records for my domain in the expectation
> that they'll be used correctly.  By behaving incorrectly, Microsoft
> is making it less attractive for sites to publish SPF records lest they
> be misinterpreted.
>
> Regards,
>
> David.
>

I hear you.

I don't think it diminishes the effectiveness of SPF though. If your 
domain is regularly spoofed/phished etc then publishing an SPF record 
provides a really easy way for your recipients to verify your mail is 
legitimate and weed out the spoofs.

But of course that is dependent on the receiving mail server being 
competently configured, something which is outside of your control.

Re: Somewhat OT: Is this wrong?

Posted by Dave Warren <li...@hireahit.com>.

On 8/24/2012 8:55 AM, David F. Skoll wrote:
> On Fri, 24 Aug 2012 16:29:18 +0100
> Ned Slider <ne...@unixmail.co.uk> wrote:
>
>> If Microsoft want to examine the From header then that is their
>> concern. Googling shows others tend to agree with you that their
>> implementation is broken, or in your words wrong. It is certainly
>> wrong in SPF terms, but again it's not SPF :-)
> The problem is that I publish SPF records for my domain in the expectation
> that they'll be used correctly.  By behaving incorrectly, Microsoft
> is making it less attractive for sites to publish SPF records lest they
> be misinterpreted.
>

The behaviour is "correct" due to the fact that Exchange implemented 
Sender-ID rather than SPF; Sender-ID's repurposes SPF v1 records when no 
SPF 2.0 record exists.

Add yourself a "spf2.0/pra ?all" TXT record and this behaviour will cease.

While I'd argue that this specification is broken by design, it is at 
least a published specification and therefore one can work around it in 
a reliable fashion.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Re: Somewhat OT: Is this wrong?

Posted by John Levine <jo...@taugh.com>.

>The problem is that I publish SPF records for my domain in the expectation
>that they'll be used correctly.  By behaving incorrectly, Microsoft
>is making it less attractive for sites to publish SPF records lest they
>be misinterpreted.

Microsoft's Sender-ID has been using SPF records to do Sender-ID
checks for a decade.  You just noticed now?

In practice, Sender-ID has been a failure, nobody of any importance
uses it any more, and Microsoft's own mail systems including Hotmail
are now doing DKIM and SPF checks.

R's,
John

Re: Somewhat OT: Is this wrong?

Posted by "David F. Skoll" <df...@roaringpenguin.com>.

On Fri, 24 Aug 2012 16:29:18 +0100
Ned Slider <ne...@unixmail.co.uk> wrote:

> If Microsoft want to examine the From header then that is their
> concern. Googling shows others tend to agree with you that their
> implementation is broken, or in your words wrong. It is certainly
> wrong in SPF terms, but again it's not SPF :-)

The problem is that I publish SPF records for my domain in the expectation
that they'll be used correctly.  By behaving incorrectly, Microsoft
is making it less attractive for sites to publish SPF records lest they
be misinterpreted.

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by Ned Slider <ne...@unixmail.co.uk>.

On 24/08/12 16:03, David F. Skoll wrote:
> On Fri, 24 Aug 2012 15:58:27 +0100
> Ned Slider<ne...@unixmail.co.uk>  wrote:
>
>> The Microsoft Sender ID system is not the same as SPF.
>
> The technet article I posted implied (and real-world tests seem to confirm)
> that MSFT Exchange 2003 really does SPF lookups against header-sender domains.
>
> Regards,
>
> David.
>

David,

It may well do.

Sorry, I'm not familiar with what Microsoft does. I was merely pointing 
out that you shouldn't confuse a Microsoft proprietary standard that 
happens to have a similar name with SPF as they are not the same thing.

If Microsoft want to examine the From header then that is their concern. 
Googling shows others tend to agree with you that their implementation 
is broken, or in your words wrong. It is certainly wrong in SPF terms, 
but again it's not SPF :-)

Regards,

--ned

Re: Somewhat OT: Is this wrong?

Posted by "David F. Skoll" <df...@roaringpenguin.com>.

On Fri, 24 Aug 2012 15:58:27 +0100
Ned Slider <ne...@unixmail.co.uk> wrote:

> The Microsoft Sender ID system is not the same as SPF.

The technet article I posted implied (and real-world tests seem to confirm)
that MSFT Exchange 2003 really does SPF lookups against header-sender domains.

Regards,

David.

Re: Somewhat OT: Is this wrong?

Posted by Ned Slider <ne...@unixmail.co.uk>.

On 24/08/12 15:37, David F. Skoll wrote:
> Hi,
>
> Somewhat OT, but I figure there are SPF experts here:
>
> http://technet.microsoft.com/en-us/library/aa995992.aspx
>
> It appears to me that Microsoft uses header sender/from addresses
> to do an SPF lookup (see "How Sender ID Works")
>
> Am I the only one who thinks this is utterly wrong?
> To me, this is pretty clear:
>
> http://www.openspf.org/FAQ/Envelope_from_scope
>
> Regards,
>
> David.
>

The Microsoft Sender ID system is not the same as SPF.

See here:

http://www.openspf.org/SPF_vs_Sender_ID

Hope that helps.