Posted to users@spamassassin.apache.org by Jim Hermann - UUN Hostmaster <ho...@uuism.net> on 2006/06/18 16:33:35 UTC

SPF SOFTFAIL definition

If the SPF module can't obtain the DNS TXT record due to timeouts, does this
get reported as a SOFTFAIL?

Jim


RE: SPF SOFTFAIL definition

Posted by Jim Hermann - UUN Hostmaster <ho...@uuism.net>.
Here is another example that I was able to isolate to a test file.

The debug looks like this:

[28763] dbg: plugin: registering glue method for check_hashcash_double_spend
(Mail::SpamAssassin::Plugin::Hashcash=HASH(0x98a6e80))
[28763] dbg: plugin: registering glue method for check_for_spf_helo_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: spf: checking HELO (helo=BABY, ip=125.214.61.195)
[28763] dbg: spf: cannot check HELO of 'BABY', skipping
[28763] dbg: eval: all '*From' addrs: marileestewart@relmaxtop.com
[28763] dbg: eval: forged-HELO: from= helo=baby by=uuserver.net
[28763] dbg: plugin: registering glue method for check_subject_in_blacklist
(Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa001140))
[28763] dbg: plugin: registering glue method for check_hashcash_value
(Mail::SpamAssassin::Plugin::Hashcash=HASH(0x98a6e80))
[28763] dbg: eval: trying Received header date for real time: 18 Jun 2006
03:05:08 -0500
[28763] dbg: eval: time_t from date=1150617908, rcvd= 18 Jun 2006 03:05:08
-0500
[28763] dbg: eval: trying Received header date for real time: 18 Jun 2006
03:04:28 -0500
[28763] dbg: eval: time_t from date=1150617868, rcvd= 18 Jun 2006 03:04:28
-0500
[28763] dbg: eval: all '*To' addrs: kanderson@uuaa.org
[28763] dbg: plugin: registering glue method for check_for_spf_neutral
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: spf: checking EnvelopeFrom (helo=BABY, ip=125.214.61.195,
envfrom=marileestewart@relmaxtop.com)
[28763] dbg: spf: query for
marileestewart@relmaxtop.com/125.214.61.195/BABY: result: softfail, comment:
[28763] dbg: plugin: registering glue method for check_for_spf_softfail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: rules: ran eval rule SPF_SOFTFAIL ======> got hit
[28763] dbg: plugin: registering glue method for check_for_spf_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: plugin: registering glue method for check_for_spf_helo_softfail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH ======> got hit
[28763] dbg: plugin: registering glue method for
check_for_def_spf_whitelist_from
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: spf: def_whitelist_from_spf: marileestewart@relmaxtop.com is
not in DEF_WHITELIST_FROM_SPF
[28763] dbg: plugin: registering glue method for check_for_spf_fail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: eval: date chosen from message: Sun Jun 18 03:04:28 2006
[28763] dbg: plugin: registering glue method for check_subject_in_whitelist
(Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa001140))
[28763] dbg: plugin: registering glue method for
check_for_spf_whitelist_from
(Mail::SpamAssassin::Plugin::SPF=HASH(0x9880c54))
[28763] dbg: spf: whitelist_from_spf: marileestewart@relmaxtop.com is not in
user's WHITELIST_FROM_SPF

Headers:

>From marileestewart@relmaxtop.com Mon Jun 19 00:44:04 2006
Return-Path: <ma...@relmaxtop.com>
Received: from host.uuserver.net (root@localhost)
        by xxxx.org (8.12.11/8.12.11) with ESMTP id k5I8573c022877
        for <xx...@xxxx.org>; Sun, 18 Jun 2006 03:05:08 -0500
X-ClientAddr: 125.214.61.195
Received: from BABY ([125.214.61.195])
        by host.uuserver.net (8.12.11/8.12.11) with ESMTP id k5I84QuC026169
        for <xx...@xxxx.org>; Sun, 18 Jun 2006 03:04:28 -0500

Report has this:

 pts rule name              description
---- ---------------------- -----------------------------------------
 0.5 PLING_QUERY            Subject has exclamation mark and question mark
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
                            [SPF failed: ]


-----Original Message-----
From: JamesDR [mailto:rolaids0@bellsouth.net] 
Sent: Sunday, June 18, 2006 05:16 PM
To: users@spamassassin.apache.org
Subject: Re: SPF SOFTFAIL definition

AFAIK, you would get nothing. Just like if any other DNS test would fail.

What spamassassin reports as *FAIL is not an indicator that DNS isn't 
working. You would need to consult your logs and do some testing. 
However, since this is a DNS lookup, this does add time to the scanning 
(I've seen where this can add a lot of time..) I prefer to use SPF for 
my whitelisting needs in SA, I block anything that hardfails at the 
server level -- allowing SA to add points for a softfail. Keep in mind, 
it seems most servers that implement SPF use softfail (~all).

HTH
-- 
Thanks,
JamesDR
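
Added example (not part of the original posts, and not SpamAssassin code): the debug output quoted in the message above is hard-wrapped by the mailer, so its `spf:` entries span two lines. This Python snippet rejoins the wrapped entries and extracts the skipped checks, the SPF query results and the SPF rules that hit; the regular expressions assume the debug line layout shown in that message.

```python
import re

# Debug lines copied from the message above, still hard-wrapped by the mailer.
SAMPLE = """\
[28763] dbg: spf: checking HELO (helo=BABY, ip=125.214.61.195)
[28763] dbg: spf: cannot check HELO of 'BABY', skipping
[28763] dbg: spf: checking EnvelopeFrom (helo=BABY, ip=125.214.61.195,
envfrom=marileestewart@relmaxtop.com)
[28763] dbg: spf: query for
marileestewart@relmaxtop.com/125.214.61.195/BABY: result: softfail, comment:
[28763] dbg: rules: ran eval rule SPF_SOFTFAIL ======> got hit
"""

ENTRY = re.compile(r"^\[(\d+)\] dbg: (\w+): (.*)$")

def unwrap(text):
    """Rejoin continuation lines: anything not starting with '[pid] dbg:'."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def spf_summary(text):
    """Return skipped checks, SPF query results, and the SPF rules that hit."""
    out = {"skipped": [], "results": [], "rules": []}
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        _, channel, msg = m.groups()
        if channel == "spf":
            if (s := re.match(r"cannot check (\w+) of '([^']*)', skipping", msg)):
                out["skipped"].append((s.group(1), s.group(2)))
            elif (q := re.match(r"query for (\S+): result: (\w+), comment:\s*(.*)", msg)):
                out["results"].append({"query": q.group(1), "result": q.group(2),
                                       "comment": q.group(3)})
        elif channel == "rules":
            if (r := re.match(r"ran eval rule (SPF_\w+) =+> got hit", msg)):
                out["rules"].append(r.group(1))
    return out

if __name__ == "__main__":
    print(spf_summary(SAMPLE))
```

An empty `comment` next to a `softfail` result corresponds to the empty `[SPF failed: ]` line in the report.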


Truncated longreport

Posted by Jim Hermann - UUN Hostmaster <ho...@uuism.net>.
Why does the longreport get truncated sometimes?  

It appears to have something to do with the percent sign in the rule
description.  In the example below, the percent sign at the end of the
BAYES_50 description has been replaced with the word uppercase, which is the
last part AFTER the percent sign in the UPPERCASE_25_50 description.

For example:

Message Header has:

X-UUN-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=6.143,
	required 5, BAYES_50 2.60, HTML_FONT_INVISIBLE 0.80,
	HTML_MESSAGE 0.00, HTML_TINY_FONT 2.32, RAZOR2_CF_RANGE_00_01 0.01,
	SARE_SPEC_LEO_LINE03a 0.41, UPPERCASE_25_50 0.00)

Message body has:

 pts rule name              description
---- ---------------------- -----------------------------------------
 0.8 HTML_FONT_INVISIBLE    BODY: HTML font color is same as background
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.6 BAYES_50               BODY: Bayesian spam probability is 40 to 60
uppercase




-----
End of MailScanner report

I added the last line to my inline.spam.warning.txt file, so that I could
see if the entire message was truncated or just the longreport.





RE: SPF SOFTFAIL definition

Posted by Jim Hermann - UUN Hostmaster <ho...@uuism.net>.
Does it mean anything when there is no text after the SPF failed: part of
the report?

I checked the from domain and it did not have a TXT or SPF record.  It is
possible that it refused my DNS connection.  I don't recall.  I saved the
message to a file and ran spamassassin on it and it passes now.

Here is the example:

 pts rule name              description
---- ---------------------- -----------------------------------------
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
                            [SPF failed: ]
 2.4 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
                            [SPF failed: ]
 2.6 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4352]
 0.0 RAZOR2_CF_RANGE_00_01  Razor2 gives confidence between 00 and 01
                            [cf:   0]

Here are the pertinent headers:

Return-Path: <xx...@phred.org>
X-ClientAddr: 165.212.64.31
Received: from cmsout01.mbox.net (cmsout01.mbox.net [165.212.64.31])
        by host.uuserver.net (8.12.11/8.12.11) with ESMTP id k594MO4s003948
        for <di...@xxxx.org>; Thu, 8 Jun 2006 23:22:54 -0500
Received: from cmsout01.mbox.net (cmsout01.mbox.net [165.212.64.31])
        by cmsout01.mbox.net (Postfix) with ESMTP id 7B70D7814F;
        Fri,  9 Jun 2006 04:22:22 +0000 (GMT)
Received: from xxxx.cms.usa.net [z.z.z.z] by cmsout01.mbox.net via smtad
(C8.MAIN.3.27X);
        Fri, 09 Jun 2006 04:22:22 GMT
X-USANET-Source: z.z.z.z  IN   xxxx@phred.org xxxx.cms.usa.net
X-USANET-MsgId: XID739kFieww4796X01
Received: from [x.x.x.x] [y.y.y.y] by xxxx.cms.usa.net
        (ASMTP/xxxx@yyyy.com) via mtad (C8.MAIN.3.27X)
        with ESMTP id 170kFiewV0308M37; Fri, 09 Jun 2006 04:22:21 GMT
X-USANET-Auth: y.y.y.y   AUTH xxxx@yyyy.com [x.x.x.x]

 

-----Original Message-----
From: JamesDR [mailto:rolaids0@bellsouth.net] 
Sent: Sunday, June 18, 2006 05:16 PM
To: users@spamassassin.apache.org
Subject: Re: SPF SOFTFAIL definition

AFAIK, you would get nothing. Just like if any other DNS test would fail.

What spamassassin reports as *FAIL is not an indicator that DNS isn't 
working. You would need to consult your logs and do some testing. 
However, since this is a DNS lookup, this does add time to the scanning 
(I've seen where this can add a lot of time..) I prefer to use SPF for 
my whitelisting needs in SA, I block anything that hardfails at the 
server level -- allowing SA to add points for a softfail. Keep in mind, 
it seems most servers that implement SPF use softfail (~all).

HTH
-- 
Thanks,
JamesDR

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.0/368 - Release Date: 06/16/06
 


Re: SPF SOFTFAIL definition

Posted by JamesDR <ro...@bellsouth.net>.
Jim Hermann - UUN Hostmaster wrote:
> What happens if the DNS records are not available?
> We don't know if there is a TXT record or not.
> 
> Jim 
> 
> 
> Benny Pedersen wrote:
> 
>>>If the SPF module can't obtain the DNS TXT record due to timeouts, does this
>>>get reported as a SOFTFAIL?
>>
>>
>>Received-SPF: 	pass (amiga.junc.org: domain of users-return-42748-me=junc.org@spamassassin.apache.org
>>designates 209.237.227.199 as permitted sender)
>>Received-SPF: 	unknown (asf.osuosl.org: error in processing during lookup of hostmaster@uuism.net)
>>
>>this was what i got from this mail
>>
>>so i believe SOFTFAIL does mean that spf is working ?
>>
> 
> 
> Yes, softfail is when they don't want a hard fail :-D
> 
> pretty much here is the break down:
> ?all = neutral
> ~all = softfail
> -all = hardfail
> 
> ~all (softfail) are for sites who are 'testing' (majority of the records 
> are this) and is (from my understanding) supposed to allow the mail to 
> be still delivered.
> -all (hardfail) is more aggressive, but may cause lost mail
> ...
> 
> http://www.openspf.org/whitepaper.pdf
> 
AFAIK, you would get nothing. Just like if any other DNS test would fail.

What spamassassin reports as *FAIL is not an indicator that DNS isn't 
working. You would need to consult your logs and do some testing. 
However, since this is a DNS lookup, this does add time to the scanning 
(I've seen where this can add a lot of time..) I prefer to use SPF for 
my whitelisting needs in SA, I block anything that hardfails at the 
server level -- allowing SA to add points for a softfail. Keep in mind, 
it seems most servers that implement SPF use softfail (~all).

HTH
-- 
Thanks,
JamesDR

RE: SPF SOFTFAIL definition

Posted by Jim Hermann - UUN Hostmaster <ho...@uuism.net>.
What happens if the DNS records are not available?
We don't know if there is a TXT record or not.

Jim 

-----Original Message-----
From: JamesDR [mailto:rolaids0@bellsouth.net] 
Sent: Sunday, June 18, 2006 11:03 AM
To: users@spamassassin.apache.org
Subject: Re: SPF SOFTFAIL definition

Benny Pedersen wrote:
>>If the SPF module can't obtain the DNS TXT record due to timeouts, does this
>>get reported as a SOFTFAIL?
> 
> 
> Received-SPF: 	pass (amiga.junc.org: domain of users-return-42748-me=junc.org@spamassassin.apache.org
> designates 209.237.227.199 as permitted sender)
> Received-SPF: 	unknown (asf.osuosl.org: error in processing during lookup of hostmaster@uuism.net)
> 
> this was what i got from this mail
> 
> so i believe SOFTFAIL does mean that spf is working ?
> 

Yes, softfail is when they don't want a hard fail :-D

pretty much here is the break down:
?all = neutral
~all = softfail
-all = hardfail

~all (softfail) are for sites who are 'testing' (majority of the records 
are this) and is (from my understanding) supposed to allow the mail to 
be still delivered.
-all (hardfail) is more aggressive, but may cause lost mail
...

http://www.openspf.org/whitepaper.pdf

-- 
Thanks,
JamesDR



Re: SPF SOFTFAIL definition

Posted by JamesDR <ro...@bellsouth.net>.
Benny Pedersen wrote:
>>If the SPF module can't obtain the DNS TXT record due to timeouts, does this
>>get reported as a SOFTFAIL?
> 
> 
> Received-SPF: 	pass (amiga.junc.org: domain of users-return-42748-me=junc.org@spamassassin.apache.org
> designates 209.237.227.199 as permitted sender)
> Received-SPF: 	unknown (asf.osuosl.org: error in processing during lookup of hostmaster@uuism.net)
> 
> this was what i got from this mail
> 
> so i believe SOFTFAIL does mean that spf is working ?
> 
> 
> 
> 

Yes, softfail is when they don't want a hard fail :-D

pretty much here is the break down:
?all = neutral
~all = softfail
-all = hardfail

~all (softfail) are for sites who are 'testing' (majority of the records 
are this) and is (from my understanding) supposed to allow the mail to 
be still delivered.
-all (hardfail) is more aggressive, but may cause lost mail
...

http://www.openspf.org/whitepaper.pdf

-- 
Thanks,
JamesDR
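
Added example (not from the thread, and not the code of SpamAssassin or its SPF library): the qualifier breakdown above, together with the outcomes that are not policy results at all, using the result names defined in RFC 7208. It goes beyond the breakdown by also evaluating ip4/ip6 terms; the TXT record and the 192.0.2.0/24 range are constructed, and the function name and `dns_error` flag are hypothetical.

```python
import ipaddress

QUALIFIER = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

# Constructed sample record (not a real domain's policy).
SAMPLE_TXT = ["v=spf1 ip4:192.0.2.0/24 ~all"]

def spf_result(txt_records, client_ip, dns_error=False):
    """Result names follow RFC 7208; txt_records is the domain's TXT answer.

    Only ip4, ip6 and all are evaluated. Mechanisms that need further DNS
    lookups (a, mx, include, exists, ptr) and modifiers are skipped here.
    """
    if dns_error:                       # timeout or SERVFAIL: not a policy result
        return "temperror"
    records = [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"                   # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"              # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+?~-").lower()
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # syntax error in the record
            if ip.version == net.version and ip in net:
                return QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term

if __name__ == "__main__":
    # Client address taken from the headers quoted earlier in the thread.
    print(spf_result(SAMPLE_TXT, "125.214.61.195"))
```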

Re: SPF SOFTFAIL definition

Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On Sunday 18 June 2006 19:31, Jim Hermann - UUN Hostmaster took the 
opportunity to write:
> Is Mail::SpamAssassin::Plugin::SPF adding the Received-SPF: Header?
>
> I don't see it in email that is received by my server, except for email from
> users@spamassassin.apache.org.

No, it only defines a number of eval tests. AFAIK SpamAssassin only ever adds 
its X-Spam-* header fields. In fact, it only ever adds the fields one tells 
it to.

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)

RE: SPF SOFTFAIL definition

Posted by Jim Hermann - UUN Hostmaster <ho...@uuism.net>.
Is Mail::SpamAssassin::Plugin::SPF adding the Received-SPF: Header?

I don't see it in email that is received by my server, except for email from
users@spamassassin.apache.org.

Jim

-----Original Message-----
From: Benny Pedersen [mailto:me@junc.org] 
Sent: Sunday, June 18, 2006 10:56 AM
To: users@spamassassin.apache.org
Subject: Re: SPF SOFTFAIL definition

> If the SPF module can't obtain the DNS TXT record due to timeouts, does this
> get reported as a SOFTFAIL?

Received-SPF: 	pass (amiga.junc.org: domain of users-return-42748-me=junc.org@spamassassin.apache.org
designates 209.237.227.199 as permitted sender)
Received-SPF: 	unknown (asf.osuosl.org: error in processing during lookup of hostmaster@uuism.net)

this was what i got from this mail

so i believe SOFTFAIL does mean that spf is working ?




Re: SPF SOFTFAIL definition

Posted by Benny Pedersen <me...@junc.org>.
> If the SPF module can't obtain the DNS TXT record due to timeouts, does this
> get reported as a SOFTFAIL?

Received-SPF: 	pass (amiga.junc.org: domain of users-return-42748-me=junc.org@spamassassin.apache.org
designates 209.237.227.199 as permitted sender)
Received-SPF: 	unknown (asf.osuosl.org: error in processing during lookup of hostmaster@uuism.net)

this was what i got from this mail

so i believe SOFTFAIL does mean that spf is working ?