You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by sa...@top-consulting.net on 2010/01/18 16:40:14 UTC

SpamAssassin SPF Checks

I am running Postfix with Amavisd-maia which in turn uses Mail::SpamAssassin..

I am running SPF checks with Postfix and that works reasonably well  
but it fails at catching fake senders in the 'DATA' portion of the  
SMTP conversation.

Say my domain is: test.com

the envelope of the message will contain something like:
From: web@remotedomain.com

and the sending ip/domain will properly pass SPF checking

the 'DATA' portion of the message however will contain a different  
from, usually my own domain name:
From: user@test.com

How do I tell SpamAssassin to run an SPF check against that From:  
field and not just analyze the results Postfix added in. I am already  
using this configuration variable: ignore_received_spf_header 1  but  
it doesn't help at all.

My current debugging output looks like this:

[27379] dbg: spf: ignoring any Received-SPF headers from internal  
hosts, by admin setting
[27379] dbg: spf: checking HELO (helo=remotedomain.com, ip=X.X.X.X)
[27379] dbg: spf: query for /X.X.X.X/remotedomain.com: result: pass,  
comment: , text: Mechanism 'include:remotedomain.com' matched
[27379] dbg: rules: ran eval rule SPF_HELO_PASS ======> got hit (1)
[27379] dbg: spf: ignoring any Received-SPF headers from internal  
hosts, by admin setting
[27379] dbg: spf: checking EnvelopeFrom (helo=remotedomain.com,  
ip=X.X.X.X, envfrom=web@remotedomain.com)
[27379] dbg: spf: query for  
web@remotedomain.com/X.X.X.X/remotedomain.com: result: pass, comment:  
, text: Mechanism 'include:remotedomain.com' matched
[27379] dbg: rules: ran eval rule SPF_PASS ======> got hit (1)
[27379] dbg: spf: def_whitelist_from_spf: web@remotedomain.com is not  
in DEF_WHITELIST_FROM_SPF
[27379] dbg: spf: whitelist_from_spf: web@remotedomain.com is not in  
user's WHITELIST_FROM_SPF

How do I get SpamAssassin to do an SPF check on the From provided in  
the 'DATA' portion ? Is that even possible ?

If not, how do I stop this type of Spam ?

Re: SpamAssassin SPF Checks

Posted by RW <rw...@googlemail.com>.

On Mon, 18 Jan 2010 10:40:14 -0500
sa@top-consulting.net wrote:


> If not, how do I stop this type of Spam ?


try making a meta rule that that looks for your domain in "from" and the
absence of a sensible hostname in "message-id"

Re: SpamAssassin SPF Checks

Posted by Mike Cardwell <sp...@lists.grepular.com>.

On 18/01/2010 15:40, sa@top-consulting.net wrote:

> How do I get SpamAssassin to do an SPF check on the From provided in the
> 'DATA' portion ? Is that even possible ?
> 
> If not, how do I stop this type of Spam ?

SPF is only meant for the sender envelope. Not the From header. If you
were to do SPF checks on the From header of this email it would be
rejected due to an SPF failure.

-- 
Mike Cardwell    : UK based IT Consultant, LAMP developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/       #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/blog/
Spamalyser       : Spam Tool  - http://spamalyser.com/