Posted to users@spamassassin.apache.org by Brian Taber <bt...@diversecg.com> on 2005/07/03 02:09:06 UTC

SPF Checks

I am using spamassassin 3.0.4-1 with MailScanner.  I have 2
questions/issues about SPF checks.

It seems that SA is only doing HELO SPF checks (I didn't even know those
existed till now) and not actual checks on the from addresses.  Is this a
config issue?  I would like to enable these.  I can't find any config
options pertaining to this...

The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
has a score of 3.140 (so if the provider has ~all in their SPF record,
they aren't really sure if their SPF record covers all of their servers,
you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
has -all in their SPF record, sure their SPF record covers all of their
servers, you get FAIL).

Am I missing something?


Brian


Re: SPF Checks

Posted by Kai Schaetzl <ma...@conactive.com>.
Loren Wilton wrote on Sat, 2 Jul 2005 18:07:19 -0700:

> I think perhaps SPF is supposed to match against the sender in the envelope, 
> or possibly the received header, rather than the From header, which is 
> trivially forged

Now that you say that I remember that you can configure this in local.cf:
envelope_sender_header X-Envelope-From

Check your local.cf and your headers if you have something that qualifies for 
that. SA uses some defaults here (check documentation which) and you may not 
have these.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: SPF Checks

Posted by Loren Wilton <lw...@earthlink.net>.
I think perhaps SPF is supposed to match against the sender in the envelope,
or possibly the received header, rather than the From header, which is
trivially forged.

Others will be able to give more information.  I know the rule score of .001
is deliberate, but I don't recall immediately why.  It probably had
something to do with the test being forged.

        Loren


Re: SPF Checks

Posted by Brian Taber <bt...@diversecg.com>.
Random email that was forwarded to the customer's Exchange server...  no way
to debug...  I just happened to notice it later...

The biggest thing is I see the HELO setup on mail servers incorrectly all
the time, I didn't think SPF had anything to do with HELO...



> Brian Taber wrote:
>> Hmmm...  Another potential SPF issue...  I have a customer with AMEX,
>> received an email from them, and the SPF checks conflict with each
>> other:
>>
>>
>> helo=<mta301.email.americanexpress.com>
>>
>> Received: from mta301.email.americanexpress.com
>> (mta301.email.americanexpress.com [206.132.204.250])
>>
>> From: bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com
>>
>> And the scores:
>> 3.14	SPF_HELO_SOFTFAIL
>> -0.00	SPF_PASS
>>
>>
>> Why did the helo softfail?  I tested their SPF record, and the test turned
>> out a pass:
>>
>> http://www.dnsstuff.com/tools/spf.ch?server=bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com&ip=206.132.204.250
>>
>>
>> Now I am really confused    :)
>
> A debug output from SpamAssassin would probably tell you why or at least
> help figure out why.
>
> Daryl
>
>


Re: SPF Checks

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> Hmmm...  Another potential SPF issue...  I have a customer with AMEX,
> received an email from them, and the SPF checks conflict with each other:
> 
> 
> helo=<mta301.email.americanexpress.com>
> 
> Received: from mta301.email.americanexpress.com
> (mta301.email.americanexpress.com [206.132.204.250])
> 
> From: bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com
> 
> And the scores:
> 3.14	SPF_HELO_SOFTFAIL
> -0.00	SPF_PASS
> 
> 
> Why did the helo softfail?  I tested their SPF record, and the test turned
> out a pass:
> 
> http://www.dnsstuff.com/tools/spf.ch?server=bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com&ip=206.132.204.250
> 
> 
> Now I am really confused    :)

A debug output from SpamAssassin would probably tell you why or at least 
help figure out why.

Daryl


Re: SPF Checks

Posted by Brian Taber <bt...@diversecg.com>.
Hmmm...  Another potential SPF issue...  I have a customer with AMEX,
received an email from them, and the SPF checks conflict with each other:


helo=<mta301.email.americanexpress.com>

Received: from mta301.email.americanexpress.com
(mta301.email.americanexpress.com [206.132.204.250])

From: bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com

And the scores:
3.14	SPF_HELO_SOFTFAIL
-0.00	SPF_PASS


Why did the helo softfail?  I tested their SPF record, and the test turned
out a pass:

http://www.dnsstuff.com/tools/spf.ch?server=bo-bykuxc9axk0d2bbfq9444bxppjxtdc@b.email.americanexpress.com&ip=206.132.204.250


Now I am really confused    :)


>
> Daryl C. W. O'Shea writes:
>> Brian Taber wrote:
>> > As for the scores, score of 0 for PASS makes perfect sense, but a FAIL
>> > should receive at least the same score as a SOFTFAIL, because a FAIL means
>> > the email is definitely from a forged sender (on the other hand the FAIL
>> > may be because the person who created the SPF records had no idea what
>> > they were doing)...  catch 22....  oh well....
>>
>> When the 3.0 scoring mass-checks were done a lot of ham (more than the
>> SPF_SOFTFAIL) hit SPF_FAIL, hence the low score.
>>
>> I expect the reason this happened was because of old ham in people's
>> corpus that no longer matched various domains' SPF records due to
>> changes in their networks (and of course the occasional screwup by the
>> publishing domain).
>>
>> I'd expect that this week's 3.1 scoring mass-check will show that the
>> score can be increased slightly, but probably not by a lot.
>
> yep.  fingers crossed.  (we should really attempt to only use SPF records
> from --reuse mass-checks.)
>
> There is still the SPF-vs-forwarder issue that SES/SRS was created to
> resolve, too.
>
> --j.
>
>
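
Added example (editor's code, not SpamAssassin's and not from anyone in this thread): a small SPF evaluator that makes the disagreement above visible. SPF has two identities, the HELO host name and the envelope sender (MAIL FROM) domain; both are judged against the IP of the first relay outside trusted_networks, and the From: header plays no part. The DNS records and Received: headers below are constructed for hypothetical example.com/example.net/example.org names (they are not the real americanexpress.com zone), and the relay selection is a simplification of what SpamAssassin does. With the zone as written, the HELO name's record ends in ~all and its include does not cover the sending IP, while the envelope-sender domain lists that IP with -all, so one IP yields softfail for HELO and pass for MAIL FROM, the pattern in the scores above. The second scenario leaves trusted_networks empty, so the internal relay is taken as the sender and legitimate mail comes out as fail, the sort of result that dragged the SPF_FAIL score down in the mass-checks; the third evaluates the same envelope sender from a third-party forwarder's IP, the SPF-vs-forwarder problem SRS was written for.

```python
"""Minimal SPF evaluator and relay picker (added example, not SpamAssassin code).

SPF checks two identities, the HELO host name and the MAIL FROM domain.
Both are tested against the IP of the first relay outside trusted_networks;
the From: header is never consulted.  DNS data below is constructed for
hypothetical names; it is not the real americanexpress.com zone.
"""
import ipaddress
import re

# Constructed TXT/A data for the demo (hypothetical domains).
DNS_TXT = {
    "b.example.com": "v=spf1 ip4:206.132.204.0/24 -all",          # MAIL FROM domain
    "mta301.example.net": "v=spf1 include:corp.example.net ~all",  # HELO name
    "corp.example.net": "v=spf1 ip4:10.0.0.0/8 -all",
    "mx.example.org": "v=spf1 a -all",                             # our border MX
}
DNS_A = {"mx.example.org": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for sending IP `ip`.

    Handles ip4, a, include and all; returns pass/fail/softfail/neutral,
    "none" when the domain publishes no record, "permerror" on bad input.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in DNS_A.get(arg or domain, [])
        elif mech == "include":
            # include matches only when the included record yields pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no "all"


# Matches the "from helo (name [ip])" shape used in the thread's header.
RECEIVED_RE = re.compile(r"from (\S+) \((?:\S+ )?\[([\d.]+)\]\)")


def first_untrusted_relay(received, trusted_networks):
    """Read Received: headers top-down and return (helo, ip) of the first
    hop outside trusted_networks: the relay that handed the mail to our
    own infrastructure and the one SPF must be judged on."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received:
        m = RECEIVED_RE.search(header)
        if not m:
            continue
        helo, ip = m.group(1), m.group(2)
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue                    # still inside our own relays
        return helo, ip
    return None                         # every hop trusted: nothing to check


def spf_results(received, trusted_networks, mail_from):
    """HELO and MAIL FROM results for the relay SpamAssassin would test."""
    relay = first_untrusted_relay(received, trusted_networks)
    if relay is None:
        return {}
    helo, ip = relay
    return {"relay": ip,
            "helo": check_host(ip, helo),
            "mfrom": check_host(ip, mail_from.rsplit("@", 1)[1])}


# Constructed headers, top-most (most recent) first, as SA reads them.
RECEIVED = [
    "from mx.example.org (mx.example.org [192.0.2.10]) by scanner.example.org",
    "from mta301.example.net (mta301.example.net [206.132.204.250]) by mx.example.org",
]
MAIL_FROM = "bounce-token@b.example.com"        # envelope sender, not From:

if __name__ == "__main__":
    print("trusted_networks set:  ", spf_results(RECEIVED, ["192.0.2.0/24"], MAIL_FROM))
    print("trusted_networks empty:", spf_results(RECEIVED, [], MAIL_FROM))
    # a third-party forwarder re-sends the same envelope sender from its own IP
    print("via forwarder:", check_host("198.51.100.7", "b.example.com"))
```

The practical reading: when a message shows SPF_PASS next to SPF_HELO_SOFTFAIL, look up the HELO name's own record, not the envelope domain's; the two are separate zones and the online checker in the message above was only asked about the envelope-sender domain. When every message fails, check whether the relay being judged is one of your own by fixing trusted_networks before touching any score.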


Re: SPF Checks

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> Figured that....  what are the mass-check's you mentioned?  Is there
> somewhere I can go to find out more?  Is there a way to update
> spamassassin with the newest scores?

http://wiki.apache.org/spamassassin/MassCheck
http://wiki.apache.org/spamassassin/RescoreDetails
http://wiki.apache.org/spamassassin/Release310Schedule

Scores are generally updated for minor level releases (3.0.0, 3.1.0, etc).

Updating SpamAssassin with the newest scores is done by upgrading.

It wouldn't be a great idea to use 3.1.0 scores with 3.0.x since the 
newer SA version includes changes to avoid false positives that occurred 
in earlier versions.


Daryl


Re: SPF Checks

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> As for the scores, score of 0 for PASS makes perfect sense, but a FAIL
> should receive at least the same score as a SOFTFAIL, because a FAIL means
> the email is definitely from a forged sender (on the other hand the FAIL
> may be because the person who created the SPF records had no idea what
> they were doing)...  catch 22....  oh well....

When the 3.0 scoring mass-checks were done a lot of ham (more than the 
SPF_SOFTFAIL) hit SPF_FAIL, hence the low score.

I expect the reason this happened was because of old ham in people's 
corpus that no longer matched various domains' SPF records due to 
changes in their networks (and of course the occasional screwup by the 
publishing domain).

I'd expect that this week's 3.1 scoring mass-check will show that the 
score can be increased slightly, but probably not by a lot.


Daryl


Re: SPF Checks

Posted by Brian Taber <bt...@diversecg.com>.
Since I am using spamassassin via MailScanner, I dug into my config files
more (took a while)  I found an option in spam.assassin.prefs.conf called
envelope_sender_header that was not set properly, now all SPF checks
work...

As for the scores, score of 0 for PASS makes perfect sense, but a FAIL
should receive at least the same score as a SOFTFAIL, because a FAIL means
the email is definitely from a forged sender (on the other hand the FAIL
may be because the person who created the SPF records had no idea what
they were doing)...  catch 22....  oh well....



> Brian Taber wrote:
>> I am using spamassassin 3.0.4-1 with MailScanner.  I have 2
>> questions/issues about SPF checks.
>>
>> It seems that SA is only doing HELO SPF checks (I didn't even know those
>> existed till now) and not actual checks on the from addresses.  Is this a
>> config issue?  I would like to enable these.  I can't find any config
>> options pertaining to this...
>>
>> The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
>> has a score of 3.140 (so if the provider has ~all in their SPF record,
>> they aren't really sure if their SPF record covers all of their servers,
>> you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
>> has -all in their SPF record, sure their SPF record covers all of their
>> servers, you get FAIL).
>>
>> Am I missing something?
>>
>>
>> Brian
>
> SA 3.0.x won't do "regular" SPF checks if the message is passed through
> any trusted hosts (the top most header passed to SA must be the first
> trusted host).  There's an option in 3.1 to override this.
>
> So if SA isn't running on your border MX then you won't see any of these
> SPF checks.  If it is running on your border MX then either your
> trusted_networks aren't set correctly or there is something else
> happening I've yet to see.
>
> Of course running a message through SpamAssassin (on the same host that
> normally runs SA) with debugging enabled will probably tell you why the
> check isn't being done (if it's a message that should hit an SPF test).
>
>
> Daryl
>
>


Re: SPF Checks

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Taber wrote:
> I am using spamassassin 3.0.4-1 with MailScanner.  I have 2
> questions/issues about SPF checks.
> 
> It seems that SA is only doing HELO SPF checks (I didn't even know those
> existed till now) and not actual checks on the from addresses.  Is this a
> config issue?  I would like to enable these.  I can't find any config
> options pertaining to this...
> 
> The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
> has a score of 3.140 (so if the provider has ~all in their SPF record,
> they aren't really sure if their SPF record covers all of their servers,
> you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
> has -all in their SPF record, sure their SPF record covers all of their
> servers, you get FAIL).
> 
> Am I missing something?
> 
> 
> Brian

SA 3.0.x won't do "regular" SPF checks if the message is passed through 
any trusted hosts (the top most header passed to SA must be the first 
trusted host).  There's an option in 3.1 to override this.

So if SA isn't running on your border MX then you won't see any of these 
SPF checks.  If it is running on your border MX then either your 
trusted_networks aren't set correctly or there is something else 
happening I've yet to see.

Of course running a message through SpamAssassin (on the same host that 
normally runs SA) with debugging enabled will probably tell you why the 
check isn't being done (if it's a message that should hit an SPF test).


Daryl
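
The three settings this thread turns on (the envelope-sender header Kai and Brian found, the trusted_networks Daryl points at, and the local score overrides Rick suggests), as one local.cf fragment. This is an added example written by the editor, not from the thread, MailScanner or the SpamAssassin distribution; the network addresses are placeholders, the score values are illustrative, and the 3.1 option name is the editor's identification of the override Daryl mentions, not something the thread names.

```conf
# Added example: local.cf fragment (editor's, not from the thread or the
# SpamAssassin distribution).  Network addresses are placeholders.

# Which header carries the envelope sender (MAIL FROM).  SPF tests the
# envelope sender, not From:, and SA can only recover it from a header
# your own MTA writes.  Make the border MX strip any copy of this header
# arriving from outside, or a sender can hand SA an envelope address of
# their choosing.
envelope_sender_header X-Envelope-From

# Your own relays.  SA evaluates SPF against the first hop outside this
# list; leave an internal relay out and that relay is treated as the
# sender, so legitimate mail fails and the real sender is never checked.
trusted_networks 192.0.2.0/24 10.0.0.0/8

# 3.1 only: the override for setups where the scanner is not the border
# MX (option name supplied by the editor, not named in the thread).
# always_trust_envelope_sender 1

# Local overrides if you trust published records more than the
# mass-check-derived defaults do.  Keep each below the spam threshold on
# its own: broken records and forwarders produce FAIL on legitimate mail.
score SPF_FAIL 1.5
score SPF_HELO_FAIL 0.5
```

After editing, run a known message through spamassassin with debugging enabled, as Daryl suggests, and confirm the SPF lines name the external relay's IP rather than one of the addresses in trusted_networks before relying on the new scores.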


Re: SPF Checks

Posted by Rick Measham <ri...@measham.id.au>.
Brian Taber wrote:
> The second is about the scores assigned to SPF failures. SPF_HELO_SOFTFAIL
> has a score of 3.140 (so if the provider has ~all in their SPF record,
> they aren't really sure if their SPF record covers all of their servers,
> you get SOFTFAIL), but SPF_HELO_FAIL has a score of 0.001 (the provider
> has -all in their SPF record, sure their SPF record covers all of their
> servers, you get FAIL).

I'm guessing it's a case of 'how much do you trust SPF records' .. the 
maintainers don't trust them too much and so set the hardfail to a 
really low score.

If you trust them more, then you can increase the score yourself.

(From experience there are a lot of broken SPF records around)

Just my thoughts .. no evidence!

Cheers!
Rick Measham