Posted to users@spamassassin.apache.org by Ken Morley <Ke...@jmtg.com> on 2007/04/13 15:41:28 UTC

Why is this failing SPF???

According to my understanding of the way SPF works the following message
should not be failing.  Can anyone tell me why this failed?


Here are the pertinent parts of the log:
--------------------------------------
Apr 11 15:00:18 maildrop postgrey[2407]: request:
client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com
etrn_domain= helo_name=hamhock.hoovers.com
instance=7dbd.461d3042.a4146.0 protocol_name=ESMTP protocol_state=RCPT
queue_id= recipient=mmarker@domain.com recipient_count=0
request=smtpd_access_policy
reverse_client_name=hamhock-outbound.hoovers.com
sender=handers@hoovers.com size=18654 action=PREPEND X-Greylist: delayed
1063 seconds by postgrey-1.27 at maildrop.domain.com; Wed, 11 Apr 2007
 15:00:18 EDT 

Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP< MAIL
FROM:<ha...@hoovers.com> SIZE=18654\r\n

Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) lookup
(debug_sender) => undef, "handers@hoovers.com" does not match

Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP> 250 2.1.0
Sender <ha...@hoovers.com> OK

Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP::10024
/var/amavisd/tmp/amavis-20070411T141549-32198: <ha...@hoovers.com> ->
<mm...@domain.com> SIZE=18654 Received: from maildrop.domain.com
([127.0.0.1]) by localhost (maildrop.domain.com [127.0.0.1])
(amavisd-new, port 10024) with ESMTP for <mm...@domain.com>; Wed, 11
Apr 2007 15:00:18 -0400 (EDT)

Apr 11 15:00:19 maildrop amavisd[32198]: (32198-06) Checking:
pOlR15g8xTwO [66.179.38.26] <ha...@hoovers.com> ->
<mm...@domain.com>

Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM,
<ha...@hoovers.com> -> <mm...@domain.com>, Yes, score=9.243 tag=3
tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091,
HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10],
autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)

Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) one_response_for_all
<ha...@hoovers.com>: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'


Here's the SPF record for hoovers.com:
--------------------------------------
hoovers.com     text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27
ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26
ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr
a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"


The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and
that IP address is within the range listed in the first SPF entry.  Why
did this fail?

Thanks!

Ken Morley
JM Technology Group

Ken -AT- jmtg.com

Re: Why is this failing SPF???

Posted by Gino Cerullo <gc...@pixelpointstudios.com>.
On 13-Apr-07, at 9:41 AM, Ken Morley wrote:

> According to my understanding of the way SPF works the following  
> message
> should not be failing.  Can anyone tell me why this failed?
>
>
> Here are the pertinent parts of the log:
> --------------------------------------
> Apr 11 15:00:18 maildrop postgrey[2407]: request:
> client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com
> etrn_domain= helo_name=hamhock.hoovers.com
> instance=7dbd.461d3042.a4146.0 protocol_name=ESMTP protocol_state=RCPT
> queue_id= recipient=mmarker@domain.com recipient_count=0
> request=smtpd_access_policy
> reverse_client_name=hamhock-outbound.hoovers.com
> sender=handers@hoovers.com size=18654 action=PREPEND X-Greylist:  
> delayed
> 1063 seconds by postgrey-1.27 at maildrop.domain.com; Wed, 11 Apr 2007
>  15:00:18 EDT
>
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP< MAIL
> FROM:<ha...@hoovers.com> SIZE=18654\r\n
>
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) lookup
> (debug_sender) => undef, "handers@hoovers.com" does not match
>
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP> 250 2.1.0
> Sender <ha...@hoovers.com> OK
>
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP::10024
> /var/amavisd/tmp/amavis-20070411T141549-32198:  
> <ha...@hoovers.com> ->
> <mm...@domain.com> SIZE=18654 Received: from maildrop.domain.com
> ([127.0.0.1]) by localhost (maildrop.domain.com [127.0.0.1])
> (amavisd-new, port 10024) with ESMTP for <mm...@domain.com>; Wed, 11
> Apr 2007 15:00:18 -0400 (EDT)
>
> Apr 11 15:00:19 maildrop amavisd[32198]: (32198-06) Checking:
> pOlR15g8xTwO [66.179.38.26] <ha...@hoovers.com> ->
> <mm...@domain.com>
>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM,
> <ha...@hoovers.com> -> <mm...@domain.com>, Yes, score=9.243 tag=3
> tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091,
> HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10],
> autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)
>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06)  
> one_response_for_all
> <ha...@hoovers.com>: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'
>
>
> Here's the SPF record for hoovers.com:
> --------------------------------------
> hoovers.com     text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27
> ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26
> ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr
> a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"
>
>
> The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and
> that IP address is within the range listed in the first SPF entry.   
> Why
> did this fail?

It didn't fail SPF, it failed SPF_HELO.

The sending server said: helo_name=hamhock.hoovers.com

SPF policy for hamhock.hoovers.com is: hamhock.hoovers.com.	IN	TXT	"v=spf1 a -all"

Which resolves to: hamhock.hoovers.com.	IN	A	66.179.38.137

Which does not match 66.179.38.26

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740



Re: Why is this failing SPF???

Posted by Matt Kettler <mk...@verizon.net>.
Ken Morley wrote:
> According to my understanding of the way SPF works the following message
> should not be failing.  Can anyone tell me why this failed?
>
>
> Here are the pertinent parts of the log:
> --------------------------------------
> Apr 11 15:00:18 maildrop postgrey[2407]: request:
> client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com
> etrn_domain= helo_name=hamhock.hoovers.com
>
>   
<snip>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM,
> <ha...@hoovers.com> -> <mm...@domain.com>, Yes, score=9.243 tag=3
> tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091,
> HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10],
> autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)
>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) one_response_for_all
> <ha...@hoovers.com>: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'
>
>
> Here's the SPF record for hoovers.com:
> --------------------------------------
> hoovers.com     text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27
> ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26
> ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr
> a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"
>
>
> The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and
> that IP address is within the range listed in the first SPF entry.  Why
> did this fail?

First, this was SPF_HELO_FAIL, not SPF_FAIL. This rule by default has a
score of zero, and is not really a proper way to test SPF. Why'd you
raise it from 0 to 10?

Since it was SPF_HELO_FAIL we need to look at the HELO, not the real
host delivering the mail. According to your server logs, the HELO was
hamhock.hoovers.com, not hamhock-outbound.hoovers.com.

That said, from my perspective hamhock.hoovers.com resolves to
66.179.38.137, which should also match the first clause of the SPF record.

Does hamhock.hoovers.com resolve to anything else on your spamassassin
system?

It's also possible that SA's trust-path auto-guesser is confused and it
used the wrong Received: headers. But there's not enough information
here to debug that. You'd have to take a copy of the message and run it
through spamassassin -D to see how SA parsed the various Received: headers.
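The point both replies make is that SPF_HELO_FAIL evaluates the HELO identity (hamhock.hoovers.com, whose record is "v=spf1 a -all") rather than the MAIL FROM domain (hoovers.com, whose record lists ip4:66.179.38.0/23), so the same connecting IP can pass one check and fail the other. The following is an added example, not code from the thread or from SpamAssassin: a toy SPF evaluator that supports only the ip4, a and all mechanisms and resolves names from an in-memory table constructed from the values quoted above (mx, ptr and include are treated as non-matching, which is an assumption of this toy, not SPF semantics). The function names check_spf and spf_results are hypothetical.

```python
"""Toy SPF evaluator: ip4 / a / all mechanisms with qualifiers, offline DNS table."""
import ipaddress

# Constructed DNS table built from the records quoted in the thread
# (no live lookups; the A record list for hoovers.com is left empty on purpose).
DNS = {
    "hoovers.com": {
        "TXT": "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27 ip4:66.45.81.160/27 "
               "ip4:66.179.85.192/27 ip4:216.234.248.64/26 ip4:216.234.248.78 "
               "ip4:216.234.248.82 ip4:66.162.217.59 mx ptr a:exchange.hoovers.com "
               "a:mail.eca.com include:dartmail.net ~all",
        "A": [],
    },
    "hamhock.hoovers.com": {"TXT": "v=spf1 a -all", "A": ["66.179.38.137"]},
    "hamhock-outbound.hoovers.com": {"A": ["66.179.38.26"]},   # no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the TXT string (or None) or the list of A addresses for a name."""
    default = [] if rtype == "A" else None
    return DNS.get(name, {}).get(rtype, default)


def check_spf(client_ip, domain):
    """Evaluate domain's SPF record against client_ip.

    Returns one of: pass, fail, softfail, neutral, none.
    Only ip4, a (with optional :target and /cidr) and all are implemented;
    mx, ptr, include and anything else are skipped as non-matching (toy assumption).
    """
    record = lookup(domain, "TXT")
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        spec, _, cidr = term.partition("/")        # "a:host/24" -> ("a:host", "24")
        mech, _, arg = spec.partition(":")         # "ip4:66.179.38.0" -> ("ip4", "66.179.38.0")
        mech = mech.lower()
        prefix = int(cidr) if cidr else 32
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            candidates = [arg]
        elif mech == "a":
            candidates = lookup(arg or domain, "A")   # bare "a" means the domain itself
        else:
            candidates = []                            # mx / ptr / include not implemented here
        for addr in candidates:
            if ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                                   # record exhausted without an "all"


def spf_results(client_ip, mail_from_domain, helo_name):
    """Evaluate both SPF identities the way a filter like SpamAssassin reports them."""
    return {
        "mail_from": check_spf(client_ip, mail_from_domain),
        "helo": check_spf(client_ip, helo_name),
    }


if __name__ == "__main__":
    # The connection from the thread: IP 66.179.38.26, MAIL FROM handers@hoovers.com,
    # HELO hamhock.hoovers.com.
    for identity, result in spf_results("66.179.38.26", "hoovers.com", "hamhock.hoovers.com").items():
        print(f"{identity}: {result}")
```

Running the block shows mail_from: pass and helo: fail for the connection in the thread, which is exactly the SPF_HELO_FAIL the log reports without any SPF_FAIL. The defensive takeaway is that HELO identity checks depend on whether the sender publishes a record for the HELO host name, which many sites do not do or do inconsistently, so a HELO failure alone is weak evidence and warrants a low score.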