Posted to users@spamassassin.apache.org by Brian Taber <bt...@diversecg.com> on 2005/07/03 02:09:06 UTC
SPF Checks
I am using spamassassin 3.0.4-1 with MailScanner. I have 2
questions/issues about SPF checks.
It seems that SA is only doing HELO SPF checks (I didn't even know those
existed till now) and not actual checks on the from addresses. Is this a
config issue? I would like to enable these. I can't find any config
options pertaining to this...
The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
has a score of 3.140 (so if the provider has ~all in their SPF record,
they aren't really sure if their SPF record covers all of their servers,
you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
has -all in their SPF record, sure their SPF record covers all of their
servers, you get FAIL).
Am I missing something?
Brian
Re: SPF Checks
Posted by Kai Schaetzl <ma...@conactive.com>.
Loren Wilton wrote on Sat, 2 Jul 2005 18:07:19 -0700:
> I think perhaps SPF is supposed to match against the sender in the envelope,
> or possibly the received header, rather than the From header, which is
> trivially forged
Now that you say that I remember that you can configure this in local.cf:
envelope_sender_header X-Envelope-From
Check your local.cf and your headers if you have something that qualifies for
that. SA uses some defaults here (check documentation which) and you may not
have these.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: SPF Checks
Posted by Loren Wilton <lw...@earthlink.net>.
I think perhaps SPF is supposed to match against the sender in the envelope,
or possibly the received header, rather than the From header, which is
trivially forged.
Others will be able to give more information. I know the rule score of .001
is deliberate, but I don't recall immediately why. It probably had
something to do with the test being forged.
Loren
Re: SPF Checks
Posted by Brian Taber <bt...@diversecg.com>.
Random email that was forwarded to the customer's Exchange server.. no way
to debug... I just happened to notice it later...
The biggest thing is I see the HELO setup on mail servers incorrectly all
the time, I didn't think SPF had anything to do with HELO...
> Brian Taber wrote:
>> Hmmm... Another potential SPF issue... I have a customer with AMEX,
>> received an email from them, and the SPF checks conflict with each
>> other:
>>
>>
>> helo=<mta301.email.americanexpress.com>
>>
>> Received: from mta301.email.americanexpress.com
>> (mta301.email.americanexpress.com [206.132.204.250])
>>
>> From: bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com
>>
>> And the scores:
>> 3.14 SPF_HELO_SOFTFAIL
>> -0.00 SPF_PASS
>>
>>
>> Why did the helo softfail? I tested their SPF record, and the test turned
>> out a pass:
>>
>> http://www.dnsstuff.com/tools/spf.ch?server=bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com&ip=206.132.204.250
>>
>>
>> Now I am really confused :)
>
> A debug output from SpamAssassin would probably tell you why or at least
> help figure out why.
>
> Daryl
>
>
Re: SPF Checks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> Hmmm... Another potential SPF issue... I have a customer with AMEX,
> received an email from them, and the SPF checks conflict with each other:
>
>
> helo=<mta301.email.americanexpress.com>
>
> Received: from mta301.email.americanexpress.com
> (mta301.email.americanexpress.com [206.132.204.250])
>
> From: bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com
>
> And the scores:
> 3.14 SPF_HELO_SOFTFAIL
> -0.00 SPF_PASS
>
>
> Why did the helo softfail? I tested their SPF record, and the test turned
> out a pass:
>
> http://www.dnsstuff.com/tools/spf.ch?server=bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com&ip=206.132.204.250
>
>
> Now I am really confused :)
A debug output from SpamAssassin would probably tell you why or at least
help figure out why.
Daryl
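An added illustration, not part of any post in this thread, of how a HELO softfail and a MAIL FROM pass can appear on the same message: the two identities are evaluated against different domains' SPF records. The domains, records and addresses below are constructed for the example, and only the `ip4`/`ip6`/`all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records (not real DNS data): the HELO host name and the
# envelope-sender domain publish different policies.
RECORDS = {
    "mta1.mail.example.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "bounce.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for one identity's domain."""
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and the rest need DNS lookups and are skipped here
    return "neutral"  # nothing matched and the record has no "all" term


def spf_results(ip, helo, mail_from):
    """Return the HELO and MAIL FROM results, which are scored separately."""
    sender_domain = mail_from.rsplit("@", 1)[-1]
    return {
        "helo": check_host(ip, helo),
        "mailfrom": check_host(ip, sender_domain),
    }


if __name__ == "__main__":
    print(spf_results("192.0.2.25", "mta1.mail.example.com",
                      "bounce-123@bounce.example.com"))
```

With the constructed records, a connection from 192.0.2.25 is covered by the envelope-sender domain's record but not by the HELO name's record, which ends in `~all`.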
Re: SPF Checks
Posted by Brian Taber <bt...@diversecg.com>.
Hmmm... Another potential SPF issue... I have a customer with AMEX,
received an email from them, and the SPF checks conflict with each other:
helo=<mta301.email.americanexpress.com>
Received: from mta301.email.americanexpress.com
(mta301.email.americanexpress.com [206.132.204.250])
From: bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com
And the scores:
3.14 SPF_HELO_SOFTFAIL
-0.00 SPF_PASS
Why did the helo softfail? I tested their SPF record, and the test turned
out a pass:
http://www.dnsstuff.com/tools/spf.ch?server=bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com&ip=206.132.204.250
Now I am really confused :)
>
>
> Daryl C. W. O'Shea writes:
>> Brian Taber wrote:
>> > As for the scores, score of 0 for PASS makes perfect sense, but a FAIL
>> > should receive at least the same score as a SOFTFAIL, because a FAIL means
>> > the email is definitely from a forged sender (on the other hand the FAIL
>> > may be because the person who created the SPF records had no idea what
>> > they were doing)... catch 22.... oh well....
>>
>> When the 3.0 scoring mass-checks were done a lot of ham (more than the
>> SPF_SOFTFAIL) hit SPF_FAIL, hence the low score.
>>
>> I expect the reason this happened was because of old ham in people's
>> corpus that no longer matched various domains' SPF records due to
>> changes in their networks (and of course the occasional screwup by the
>> publishing domain).
>>
>> I'd expect that this week's 3.1 scoring mass-check will show that the
>> score can be increased slightly, but probably not by a lot.
>
> yep. fingers crossed. (we should really attempt to only use SPF records
> from --reuse mass-checks.)
>
> There is still the SPF-vs-forwarder issue that SES/SRS was created to
> resolve, too.
>
> - --j.
>
>
Re: SPF Checks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> Figured that.... what are the mass-checks you mentioned? Is there
> somewhere I can go to find out more? Is there a way to update
> spamassassin with the newest scores?
http://wiki.apache.org/spamassassin/MassCheck
http://wiki.apache.org/spamassassin/RescoreDetails
http://wiki.apache.org/spamassassin/Release310Schedule
Scores are generally updated for minor level releases (3.0.0, 3.1.0, etc).
Updating SpamAssassin with the newest scores is done by upgrading.
It wouldn't be a great idea to use 3.1.0 scores with 3.0.x since the
newer SA version includes changes to avoid false positives that occurred
in earlier versions.
Daryl
Re: SPF Checks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> As for the scores, score of 0 for PASS makes perfect sense, but a FAIL
> should receive at least the same score as a SOFTFAIL, because a FAIL means
> the email is definitely from a forged sender (on the other hand the FAIL
> may be because the person who created the SPF records had no idea what
> they were doing)... catch 22.... oh well....
When the 3.0 scoring mass-checks were done a lot of ham (more than the
SPF_SOFTFAIL) hit SPF_FAIL, hence the low score.
I expect the reason this happened was because of old ham in people's
corpus that no longer matched various domains' SPF records due to
changes in their networks (and of course the occasional screwup by the
publishing domain).
I'd expect that this week's 3.1 scoring mass-check will show that the
score can be increased slightly, but probably not by a lot.
Daryl
Re: SPF Checks
Posted by Brian Taber <bt...@diversecg.com>.
Since I am using spamassassin via MailScanner, I dug into my config files
more (took a while) I found an option in spam.assassin.prefs.conf called
envelope_sender_header that was not set properly, now all SPF checks
work...
As for the scores, score of 0 for PASS makes perfect sense, but a FAIL
should receive at least the same score as a SOFTFAIL, because a FAIL means
the email is definitely from a forged sender (on the other hand the FAIL
may be because the person who created the SPF records had no idea what
they were doing)... catch 22.... oh well....
> Brian Taber wrote:
>> I am using spamassassin 3.0.4-1 with MailScanner. I have 2
>> questions/issues about SPF checks.
>>
>> It seems that SA is only doing HELO SPF checks (I didn't even know those
>> existed till now) and not actual checks on the from addresses. Is this a
>> config issue? I would like to enable these. I can't find any config
>> options pertaining to this...
>>
>> The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
>> has a score of 3.140 (so if the provider has ~all in their SPF record,
>> they aren't really sure if their SPF record covers all of their servers,
>> you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
>> has -all in their SPF record, sure their SPF record covers all of their
>> servers, you get FAIL).
>>
>> Am I missing something?
>>
>>
>> Brian
>
> SA 3.0.x won't do "regular" SPF checks if the message is passed through
> any trusted hosts (the top most header passed to SA must be the first
> trusted host). There's an option in 3.1 to override this.
>
> So if SA isn't running on your border MX then you won't see any of these
> SPF checks. If it is running on your border MX then either your
> trusted_networks aren't set correctly or there is something else
> happening I've yet to see.
>
> Of course running a message through SpamAssassin (on the same host that
> normally runs SA) with debugging enabled will probably tell you why the
> check isn't being done (if it's a message that should hit an SPF test).
>
>
> Daryl
>
>
Re: SPF Checks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> I am using spamassassin 3.0.4-1 with MailScanner. I have 2
> questions/issues about SPF checks.
>
> It seems that SA is only doing HELO SPF checks (I didn't even know those
> existed till now) and not actual checks on the from addresses. Is this a
> config issue? I would like to enable these. I can't find any config
> options pertaining to this...
>
> The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
> has a score of 3.140 (so if the provider has ~all in their SPF record,
> they aren't really sure if their SPF record covers all of their servers,
> you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
> has -all in their SPF record, sure their SPF record covers all of their
> servers, you get FAIL).
>
> Am I missing something?
>
>
> Brian
SA 3.0.x won't do "regular" SPF checks if the message is passed through
any trusted hosts (the top most header passed to SA must be the first
trusted host). There's an option in 3.1 to override this.
So if SA isn't running on your border MX then you won't see any of these
SPF checks. If it is running on your border MX then either your
trusted_networks aren't set correctly or there is something else
happening I've yet to see.
Of course running a message through SpamAssassin (on the same host that
normally runs SA) with debugging enabled will probably tell you why the
check isn't being done (if it's a message that should hit an SPF test).
Daryl
Re: SPF Checks
Posted by Rick Measham <ri...@measham.id.au>.
Brian Taber wrote:
> The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
> has a score of 3.140 (so if the provider has ~all in their SPF record,
> they aren't really sure if their SPF record covers all of their servers,
> you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
> has -all in their SPF record, sure their SPF record covers all of their
> servers, you get FAIL).
I'm guessing it's a case of 'how much do you trust SPF records' .. the
maintainers don't trust them too much and so set the hardfail to a
really low score.
If you trust them more, then you can increase the score yourself.
(From experience there are a lot of broken SPF records around)
Just my thoughts .. no evidence!
Cheers!
Rick Measham