Re: [Assp-test] SPF record from DNS received in 2 lines problem

2015-05-08 Thread K Post
Wonderful!  Thank you for supporting us unwilling Windows users.

On Fri, May 8, 2015 at 1:11 PM, Thomas Eckardt 
wrote:

> found it
>
> Mail::SPF had a problem with some DNS entries in the past (older version).
> ASSP has internally corrected this issue. However, this code correction
> caused wrong parsing of multiple TXT records with Mail::SPF 2.007 and
> higher.
>
> This will be fixed in the next build.
>
> Thomas
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 08.05.2015 18:02
> Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
>
>
>
> >wasted time
> Okay, then what other options are there?  More and more SPF records seem
> to be long like this, and they're failing. (I know I could use a Linux
> system, but the powers that be won't let me - because the commercial Linux
> vendors don't support the OS for free for our charity like Microsoft does -
> super frustrating, but it's the deck of cards that I've been dealt.)
>
>
>
> On Fri, May 8, 2015 at 11:56 AM, Thomas Eckardt
> 
> wrote:
>
> > >I'm going to try to find some time later today to play
> >
> > wasted time
> >
> >
> >
> >
> >
> > From: K Post
> > To: ASSP development mailing list
> > Date: 08.05.2015 17:53
> > Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
> >
> >
> >
> > This tool: http://www.kitterman.com/spf/validate.html claims that the SPF
> > record is fine; it also shows it on one line.
> >
> > It seems like the Windows DNS mechanism is splitting the results, or at
> > least NSLOOKUP does.  Does Mail::SPF use Windows for DNS?  Probably, I'd
> > think.
> >
> > Does ASSP have access to an array of results from Mail::SPF::Query?  Maybe
> > they're supposed to be concatenated or something?  Really just a wild
> > guess.  I'm going to try to find some time later today to play with the
> > module, though I'm no Perl wiz.
> >
> >
> >
> >
> >
> >
> > On Fri, May 8, 2015 at 4:22 AM, Thomas Eckardt
> > 
> > wrote:
> >
> > > > b.news.saksoff5th.com   text =
> > > >
> > > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > > ip4:8.7.44.123/32
> > > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > > 25.54.0/24 ip4:2"
> > > > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > > p4:63.236.31.128"
> > > > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> > >
> > > There is nothing to fix - everything is working OK. IMHO this SPF record
> > > is simply wrong.
> > > How should an SPF application know that the second part is an addition
> > > to the first part, if the first part is terminated (")?
> > > It should be:
> > >
> > > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > > ip4:8.7.44.123/32
> > > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > > 25.54.0/24 ip4:2
> > > > 08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > > p4:63.236.31.128
> > > > /26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> > >
> > > The line processing is done by Mail::SPF, not by ASSP!
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > > From: K Post
> > > To: ASSP development mailing list
> > > Date: 07.05.2015 17:32
> > > Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
> > >
> > >
> > >
> > > This seems to be happening regularly - enough to be causing serious SPF
> > > reliability errors.
> > >
> > > Received-SPF: permerror (homedepot.com: Unknown mechanism type 'inclu'
> > in
> > > 'v=spf1' record) receiver=assp.OurCharity.org; identity=mailfrom;
> > > envelope-from="homede...@homedepot.com"; helo=mail-ext.escalate.com;
> > > client-ip=64.124.92.69
> > >
> > > When I do a NSLookup in Windows 8 or Windows 2012, I see:
> > > "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104
> > > ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69
> > > a:smtp01.edifecs.com a:smtp02.edifecs.com include:
> > > spf.messaging.microsoft.com include:cust-spf.exacttarget.com include:s
> > > pf.mailengine1.com inclu"<--- note the quote and the line break
> > > "de:spf.mtasv.net ~all"
> > >
> > > That "inclu" at the end of the line is interpreted by ASSP as invalid,
> > > which it IS, but ASSP should be seeing that 2nd line that starts "de" to
> > > make "include."  Of course this seems like more of a problem with Windows
> > > DNS.  It doesn't matter if I use internal Windows DNS servers or Google's
> > > (presumably Linux) 8.8.8.8 server.  Same formatting of the results.
> > >
> > > Anyone else seeing this on Windows?
> > >
> > > On Tue, May 5, 2015 at 10:22 AM, K Post  wrote:
> > >
> > > > On my windows systems, when I do a NSLookup for the SPF record for
> > > > b.news.saksoff5th.com, I get
> > > > > b.news.saksoff5th.com
> > > > Server:  google-public-dns-a.google.com
> 

Re: [Assp-test] SPF record from DNS received in 2 lines problem

2015-05-08 Thread Thomas Eckardt
found it

Mail::SPF had a problem with some DNS entries in the past (older version).
ASSP has internally corrected this issue. However, this code correction
caused wrong parsing of multiple TXT records with Mail::SPF 2.007 and
higher.

This will be fixed in the next build.

Thomas





From: K Post
To: ASSP development mailing list
Date: 08.05.2015 18:02
Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem



>wasted time
Okay, then what other options are there?  More and more SPF records seem
to be long like this, and they're failing. (I know I could use a Linux
system, but the powers that be won't let me - because the commercial Linux
vendors don't support the OS for free for our charity like Microsoft does -
super frustrating, but it's the deck of cards that I've been dealt.)



On Fri, May 8, 2015 at 11:56 AM, Thomas Eckardt 

wrote:

> >I'm going to try to find some time later today to play
>
> wasted time
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 08.05.2015 17:53
> Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
>
>
>
> This tool: http://www.kitterman.com/spf/validate.html claims that the SPF
> record is fine; it also shows it on one line.
>
> It seems like the Windows DNS mechanism is splitting the results, or at
> least NSLOOKUP does.  Does Mail::SPF use Windows for DNS?  Probably, I'd
> think.
>
> Does ASSP have access to an array of results from Mail::SPF::Query?  Maybe
> they're supposed to be concatenated or something?  Really just a wild
> guess.  I'm going to try to find some time later today to play with the
> module, though I'm no Perl wiz.
>
>
>
>
>
>
> On Fri, May 8, 2015 at 4:22 AM, Thomas Eckardt
> 
> wrote:
>
> > > b.news.saksoff5th.com   text =
> > >
> > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > ip4:8.7.44.123/32
> > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > 25.54.0/24 ip4:2"
> > > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > p4:63.236.31.128"
> > > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> >
> > There is nothing to fix - everything is working OK. IMHO this SPF record
> > is simply wrong.
> > How should an SPF application know that the second part is an addition
> > to the first part, if the first part is terminated (")?
> > It should be:
> >
> > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > ip4:8.7.44.123/32
> > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > 25.54.0/24 ip4:2
> > > 08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > p4:63.236.31.128
> > > /26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> >
> > The line processing is done by Mail::SPF, not by ASSP!
> >
> > Thomas
> >
> >
> >
> >
> > From: K Post
> > To: ASSP development mailing list
> > Date: 07.05.2015 17:32
> > Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
> >
> >
> >
> > This seems to be happening regularly - enough to be causing serious SPF
> > reliability errors.
> >
> > Received-SPF: permerror (homedepot.com: Unknown mechanism type 'inclu'
> in
> > 'v=spf1' record) receiver=assp.OurCharity.org; identity=mailfrom;
> > envelope-from="homede...@homedepot.com"; helo=mail-ext.escalate.com;
> > client-ip=64.124.92.69
> >
> > When I do a NSLookup in Windows 8 or Windows 2012, I see:
> > "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104
> > ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69
> > a:smtp01.edifecs.com a:smtp02.edifecs.com include:
> > spf.messaging.microsoft.com include:cust-spf.exacttarget.com include:s
> > pf.mailengine1.com inclu"<--- note the quote and the line break
> > "de:spf.mtasv.net ~all"
> >
> > That "inclu" at the end of the line is interpreted by ASSP as invalid,
> > which it IS, but ASSP should be seeing that 2nd line that starts "de" to
> > make "include."  Of course this seems like more of a problem with Windows
> > DNS.  It doesn't matter if I use internal Windows DNS servers or Google's
> > (presumably Linux) 8.8.8.8 server.  Same formatting of the results.
> >
> > Anyone else seeing this on Windows?
> >
> > On Tue, May 5, 2015 at 10:22 AM, K Post  wrote:
> >
> > > On my windows systems, when I do a NSLookup for the SPF record for
> > > b.news.saksoff5th.com, I get
> > > > b.news.saksoff5th.com
> > > Server:  google-public-dns-a.google.com
> > > Address:  8.8.8.8
> > > b.news.saksoff5th.com   text =
> > >
> > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > ip4:8.7.44.123/32
> > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > 25.54.0/24 ip4:2"
> > > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > p4:63.236.31.128"
> > > "/26 ip4:

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
Thanks for sticking with this!  I'm sorry, but I don't quite follow.

153.69.214.203 shows a hostname when I query Senderbase
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791


However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION,
, , Y, 11

I don't understand why the gui wouldn't show the hostname.


On Fri, May 8, 2015 at 11:58 AM, Thomas Eckardt 
wrote:

> It shows the same that is stored in the cache - more is not used by ASSP.
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 08.05.2015 17:52
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> I hear ya...
>
> What about the senderbase result as it appears in the analyze gui?  Why
> isn't this showing the hostname?
>
>
> On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt
> 
> wrote:
>
> > >1) Is there a way to have Senderbase return the DOMAIN that it's
> > >guessing?
> >
> > ASSP has to take what it gets - DNS is used - return values are the same
> > as in nslookup or other DNS tools.
> >
> > >2) Is there a way to specify in the White Org file that ASSP uses to
> > >only
> >
> > the 'White Org file' (regex) is checked against the SB-org and the domain -
> > no other way.
> >
> > Thomas
> >
> >
> >
> >
> > From: K Post
> > To: ASSP development mailing list
> > Date: 08.05.2015 16:31
> > Subject: Re: [Assp-test] Senderbase not always matching domain
> >
> >
> >
> > Thank you both for sticking with this.
> >
> > Greyhat, my name's Ken :)  Seriously though, the Force has taught me
> that
> > you need to reverse the IP, which makes much more sense.  Thanks.
> >
> > Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> > differently than I was testing - and it is, the RIGHT way - reversing
> the
> > IP.
> >
> > I now see the hostname being returned, and I can match on that through a
> > regex.  Doesn't that open up vulnerability though if a spammer has their
> > SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably
> > not, but it's what I would do if I were trying to send spam appearing to
> > be
> > from Delta - or worse, one of the banks.
> >
> > My language was also incorrect in my original post.  I talked about
> > hostname, but what I'd really like to do is match on the "guess" DOMAIN
> > name that the senderbase website shows, in this case e.delta.com.  So:
> > 1) Is there a way to have Senderbase return the DOMAIN that it's
> guessing?
> > 2) Is there a way to specify in the White Org file that ASSP uses to
> only
> > match against network name, hostname, or domain name?
> >
> >
> >
> >
> > On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
> > 
> > wrote:
> >
> > > ASSP uses DNS queries for Senderbase.
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > >
> > > From: K Post
> > > To: ASSP development mailing list
> > > Date: 07.05.2015 20:36
> > > Subject: Re: [Assp-test] Senderbase not always matching domain
> > >
> > >
> > >
> > > It doesn't seem like the domain is being returned, just the network
> > > name, so a lot of domains that should result in a white org score aren't
> > > hitting.  This doesn't appear to be an ASSP problem.
> > >
> > > I just did a lookup for the ip 38.100.169.66
> > > At the senderbase website, it shows a domain of e.delta.com, which I
> > have
> > > whitelisted (Delta Airlines)
> > >
> > > However, an nslookup for the txt record only shows
> > > 38.100.169.66.query.senderbase.org  text =
> > >
> > > "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> > >
> > > Nowhere do I see e.delta.com, which explains why ASSP isn't matching.  Is
> > > this the same way that ASSP queries senderbase?  Is there a way to have
> > > ASSP ask senderbase to return the best guess domain name just like
> > > SenderBase does on its website?  That would solve the problem where the
> > > netblock is a major carrier, that carrier can't be whitelisted, but the
> > > domain that's returned (or hostname) is whitelisted.
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
> > >
> > > > SenderBaseLog was set to standard before.  Set it to diagnostic.
> > > >
> > > > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > > > thomas.ecka...@thockar.com> wrote:
> > > >
> > > >> > > but where's the senderbase line in the log?
> > > >>
> > > >> check SenderBaseLog
> > > >>
> > > >> Thomas
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> From: K Post
> > > >> To: ASSP development mailing list
> > > >> Date: 05.05.2015 18:21
> > > >> Subject: Re: [Assp-test] Senderbase not always matching domain
> > > >>
> > > >>
> > > >>
> >

Re: [Assp-test] SPF record from DNS received in 2 lines problem

2015-05-08 Thread K Post
>wasted time
Okay, then what other options are there?  More and more SPF records seem to
be long like this, and they're failing. (I know I could use a Linux
system, but the powers that be won't let me - because the commercial Linux
vendors don't support the OS for free for our charity like Microsoft does -
super frustrating, but it's the deck of cards that I've been dealt.)



On Fri, May 8, 2015 at 11:56 AM, Thomas Eckardt 
wrote:

> >I'm going to try to find some time later today to play
>
> wasted time
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 08.05.2015 17:53
> Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
>
>
>
> This tool: http://www.kitterman.com/spf/validate.html claims that the SPF
> record is fine, it also shows it on one line.
>
> It seems like the Windows DNS mechanism is splitting the results, or at
> least NSLOOKUP does.  Does Mail::SPF use Windows for DNS?  Probably, I'd
> think.
>
> Does ASSP have access to an array of results from Mail::SPF::Query?  Maybe
> they're supposed to be concatenated or something?  Really just a wild
> guess.  I'm going to try to find some time later today to play with the
> module, though I'm no Perl wiz.
>
>
>
>
>
>
> On Fri, May 8, 2015 at 4:22 AM, Thomas Eckardt
> 
> wrote:
>
> > > b.news.saksoff5th.com   text =
> > >
> > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > ip4:8.7.44.123/32
> > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > 25.54.0/24 ip4:2"
> > > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > p4:63.236.31.128"
> > > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> >
> > There is nothing to fix - everything is working OK. IMHO this SPF record
> > is simply wrong.
> > How should an SPF application know that the second part is an addition
> > to the first part, if the first part is terminated (")?
> > It should be:
> >
> > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > ip4:8.7.44.123/32
> > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > 25.54.0/24 ip4:2
> > > 08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > p4:63.236.31.128
> > > /26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> >
> > The line processing is done by Mail::SPF, not by ASSP!
> >
> > Thomas
> >
> >
> >
> >
> > From: K Post
> > To: ASSP development mailing list
> > Date: 07.05.2015 17:32
> > Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
> >
> >
> >
> > This seems to be happening regularly - enough to be causing serious SPF
> > reliability errors.
> >
> > Received-SPF: permerror (homedepot.com: Unknown mechanism type 'inclu'
> in
> > 'v=spf1' record) receiver=assp.OurCharity.org; identity=mailfrom;
> > envelope-from="homede...@homedepot.com"; helo=mail-ext.escalate.com;
> > client-ip=64.124.92.69
> >
> > When I do a NSLookup in Windows 8 or Windows 2012, I see:
> > "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104
> > ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69
> > a:smtp01.edifecs.com a:smtp02.edifecs.com include:
> > spf.messaging.microsoft.com include:cust-spf.exacttarget.com include:s
> > pf.mailengine1.com inclu"<--- note the quote and the line break
> > "de:spf.mtasv.net ~all"
> >
> > That "inclu" at the end of the line is interpreted by ASSP as invalid,
> > which it IS, but ASSP should be seeing that 2nd line that starts "de" to
> > make "include."  Of course this seems like more of a problem with Windows
> > DNS.  It doesn't matter if I use internal Windows DNS servers or Google's
> > (presumably Linux) 8.8.8.8 server.  Same formatting of the results.
> >
> > Anyone else seeing this on Windows?
> >
> > On Tue, May 5, 2015 at 10:22 AM, K Post  wrote:
> >
> > > On my windows systems, when I do a NSLookup for the SPF record for
> > > b.news.saksoff5th.com, I get
> > > > b.news.saksoff5th.com
> > > Server:  google-public-dns-a.google.com
> > > Address:  8.8.8.8
> > > b.news.saksoff5th.com   text =
> > >
> > > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> > ip4:8.7.44.123/32
> > > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > > 25.54.0/24 ip4:2"
> > > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > > p4:63.236.31.128"
> > > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> > >
> > > Looking at the mail analyzer, I get:
> > > Received-SPF: permerror (b.news.saksoff5th.com: Missing required IPv4
> > > address in 'ip4:2') receiver=antispam.nexario.net; identity=mailfrom;
> > > envelope-from="bo-b9vk0mvatcv9czaumtyq5qcby69...@b.news.saksoff5th.com";
> > > helo=mta954.news.saksoff5th.com; client-ip=8.7.44.125
> > >
> > > So ASSP doesn't like ip4:2, which it's seeing at the end of line 1 of the

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Thomas Eckardt
It shows the same that is stored in the cache - more is not used by ASSP.





From: K Post
To: ASSP development mailing list
Date: 08.05.2015 17:52
Subject: Re: [Assp-test] Senderbase not always matching domain



I hear ya...

What about the senderbase result as it appears in the analyze gui?  Why
isn't this showing the hostname?


On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt 

wrote:

> >1) Is there a way to have Senderbase return the DOMAIN that it's
> >guessing?
>
> ASSP has to take what it gets - DNS is used - return values are the same
> as in nslookup or other DNS tools.
>
> >2) Is there a way to specify in the White Org file that ASSP uses to
> >only
>
> the 'White Org file' (regex) is checked against the SB-org and the domain -
> no other way.
>
> Thomas
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 08.05.2015 16:31
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me 
that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing 
the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, 
probably
> not, but it's what I would do if I were trying to send spam appearing to
> be
> from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's 
guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to 
only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
> 
> wrote:
>
> > ASSP uses DNS queries for Senderbase.
> >
> > Thomas
> >
> >
> >
> >
> >
> > From: K Post
> > To: ASSP development mailing list
> > Date: 07.05.2015 20:36
> > Subject: Re: [Assp-test] Senderbase not always matching domain
> >
> >
> >
> > It doesn't seem like the domain is being returned, just the network
> > name, so a lot of domains that should result in a white org score aren't
> > hitting.  This doesn't appear to be an ASSP problem.
> >
> > I just did a lookup for the ip 38.100.169.66
> > At the senderbase website, it shows a domain of e.delta.com, which I
> have
> > whitelisted (Delta Airlines)
> >
> > However, an nslookup for the txt record only shows
> > 38.100.169.66.query.senderbase.org  text =
> >
> > "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >
> > Nowhere do I see e.delta.com, which explains why ASSP isn't matching.  Is
> > this the same way that ASSP queries senderbase?  Is there a way to have
> > ASSP ask senderbase to return the best guess domain name just like
> > SenderBase does on its website?  That would solve the problem where the
> > netblock is a major carrier, that carrier can't be whitelisted, but the
> > domain that's returned (or hostname) is whitelisted.
> >
> >
> >
> >
> >
> >
> > On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
> >
> > > SenderBaseLog was set to standard before.  Set it to diagnostic.
> > >
> > > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > > thomas.ecka...@thockar.com> wrote:
> > >
> > >> > > but where's the senderbase line in the log?
> > >>
> > >> check SenderBaseLog
> > >>
> > >> Thomas
> > >>
> > >>
> > >>
> > >>
> > >> From: K Post
> > >> To: ASSP development mailing list
> > >> Date: 05.05.2015 18:21
> > >> Subject: Re: [Assp-test] Senderbase not always matching domain
> > >>
> > >>
> > >>
> > >> >good point but I've no answer, sounds like you found a bug
> > >> Hopefully Thomas will have some time to look into this.
> > >>
> > >> Thanks again.
> > >>
> > >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
> > >>
> > >> > :: On Tue, 5 May 2015 11:22:07 -0400
> > >> > ::
> > 
> > >> > :: K Post  wrote:
> > >> >
> > >> > > > Sorry Greyhat, you lost me.  What does this show different from
> > >> > > > what I was saying?   Maybe I wasn't clear.
> > >> > > When I pull up the analyze interface in ASSP it shows only Cogent,
> > >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> > >> > > thereby doesn't get the whitesenderorg bonus.
> > >> >
> > >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is
> > using
> > >> > the /24 instead of the IP (didn't check the code) ...
> > >> >
> > >> > > And here's a

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
OH - so senderbase is only looking at the network name?  If that's the
case, the sample whiteorg.txt file at
http://assp.cvs.sourceforge.net/viewvc/assp/assp2/files/whiteorg.txt threw
me off based on its listings.

Does this mean that for something like Delta Airlines, who doesn't
generally send from a network that Senderbase identifies as theirs, that
we'd have to match against a giant network like Cogent instead of the
hostname or better domain name that senderbase sees?




On Fri, May 8, 2015 at 11:50 AM, Thomas Eckardt 
wrote:

> >Shouldn't it?
>
> No - it is not used.
>
> >, , Y, 11
>
> the Y shows that the hostname matches the IP
>
> Thomas
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 08.05.2015 17:11
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> And here's another, also from a delta.com address, this time them sending
> (legitimate) boarding passes.
>
> Came from IP 153.69.214.203
>
> querying
> 203.214.69.153.query.senderbase.org (yes I reversed it)
> returns
> 0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791
>
> parameter 20 shows the hostname
>
> However, in the analyze GUI, it shows:
> 153.69.214.203 SenderBase: status=not classified, data=US, NCR
> CORPORATION,
> , , Y, 11
> The hostname doesn't appear.  Shouldn't it?
>
>
>
> On Fri, May 8, 2015 at 10:28 AM, K Post  wrote:
>
> > Thank you both for sticking with this.
> >
> > Greyhat, my name's Ken :)  Seriously though, the Force has taught me
> that
> > you need to reverse the IP, which makes much more sense.  Thanks.
> >
> > Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> > differently than I was testing - and it is, the RIGHT way - reversing
> the
> > IP.
> >
> > I now see the hostname being returned, and I can match on that through a
> > regex.  Doesn't that open up vulnerability though if a spammer has their
> > SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> > probably not, but it's what I would do if I were trying to send spam
> > appearing to be from Delta - or worse, one of the banks.
> >
> > My language was also incorrect in my original post.  I talked about
> > hostname, but what I'd really like to do is match on the "guess" DOMAIN
> > name that the senderbase website shows, in this case e.delta.com.  So:
> > 1) Is there a way to have Senderbase return the DOMAIN that it's
> guessing?
> > 2) Is there a way to specify in the White Org file that ASSP uses to
> only
> > match against network name, hostname, or domain name?
> >
> >
> >
> >
> > On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
>  > > wrote:
> >
> >> ASSP uses DNS queries for Senderbase.
> >>
> >> Thomas
> >>
> >>
> >>
> >>
> >>
> >> From: K Post
> >> To: ASSP development mailing list
> >> Date: 07.05.2015 20:36
> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >>
> >>
> >>
> >> It doesn't seem like the domain is being returned, just the network
> name,
> >> so a lot domains that should result in a white org score, aren't
> hitting.
> >> This doesn't appear to be an ASSP problem
> >>
> >> I just did a lookup for the ip 38.100.169.66
> >> At the senderbase website, it shows a domain of e.delta.com, which I
> have
> >> whitelisted (Delta Airlines)
> >>
> >> However, an nslookup for the txt record only shows
> >> 38.100.169.66.query.senderbase.org  text =
> >>
> >> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >>
> >> Nowhere do I see e.delta.com, which explains why ASSP isn't matching.  Is
> >> this the same way that ASSP queries senderbase?  Is there a way to have
> >> ASSP ask senderbase to return the best guess domain name just like
> >> SenderBase does on its website?  That would solve the problem where the
> >> netblock is a major carrier, that carrier can't be whitelisted, but the
> >> domain that's returned (or hostname) is whitelisted.
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
> >>
> >> > SenderBaseLog was set to standard before.  Set it to diagnostic.
> >> >
> >> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> >> > thomas.ecka...@thockar.com> wrote:
> >> >
> >> >> > > but where's the senderbase line in the log?
> >> >>
> >> >> check SenderBaseLog
> >> >>
> >> >> Thomas
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> From: K Post
> >> >> To: ASSP development mailing list
> >> >> Date: 05.05.2015 18:21
> >> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >> >>
> >> >>
> >> >>
> >> >> >good point but I've no answer, sounds like you found a bug
> >> >> Hopefully Thomas will have some time to look into this.
> >> >>
> >> >> Thanks again.
> >> >>
> >> >> O
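
As an added example (not ASSP's code), this reproduces the lookup discussed in the message above: reverse the IP octets to form the query name, parse the pipe-delimited TXT answer, and use the hostname (field 20) for whitelisting only when field 22 is Y, which Thomas says means the hostname matches the IP. The two TXT answers are the ones quoted in the thread; the whitelisting policy is illustrative and not how ASSP's White Org check actually works, and the reading of field 1 as the organisation follows the thread's samples.

```python
"""Added example (not ASSP code): SenderBase query name construction, TXT
answer parsing, and a defensive whitelist match that trusts the hostname
only when SenderBase confirms it matches the IP (field 22 = Y)."""
import ipaddress
import re

# Constructed inline copies of the two TXT answers quoted in the thread.
SB_ANSWERS = {
    "153.69.214.203": (
        "0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530"
        "|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N"
        "|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791"
    ),
    "38.100.169.66": (
        "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927"
        "|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US"
        "|54=-97.3972|55=32.7807"
    ),
}

SB_SUFFIX = ".query.senderbase.org"


def senderbase_query_name(ip):
    """Reverse the octets, PTR-style: 153.69.214.203 ->
    203.214.69.153.query.senderbase.org (raises ValueError for a bad IP)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + SB_SUFFIX


def parse_senderbase(txt):
    """Split 'key=value|key=value|...' into a dict; values may contain
    spaces, and the surrounding quotes nslookup prints are tolerated."""
    fields = {}
    for item in txt.strip('"').split("|"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value
    return fields


def summarize(txt):
    """Pull out the fields the thread discusses: 1 = organisation (the
    'SB-org'), 20 = hostname, 22 = 'Y' when the hostname matches the IP."""
    fields = parse_senderbase(txt)
    return {
        "org": fields.get("1", ""),
        "hostname": fields.get("20", ""),
        "hostname_confirmed": fields.get("22") == "Y",
    }


def white_org_match(txt, pattern):
    """Illustrative policy (not ASSP's own logic): try the regex against the
    organisation, and against the hostname only when SenderBase flags the
    hostname as matching the IP. An unconfirmed hostname is just whatever
    the IP's owner published in reverse DNS, which is the spoofing concern
    raised in the thread."""
    info = summarize(txt)
    rx = re.compile(pattern, re.IGNORECASE)
    if rx.search(info["org"]):
        return True
    return bool(info["hostname_confirmed"] and info["hostname"]
                and rx.search(info["hostname"]))


if __name__ == "__main__":
    for ip, answer in SB_ANSWERS.items():
        print(senderbase_query_name(ip), summarize(answer))
```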

Re: [Assp-test] SPF record from DNS received in 2 lines problem

2015-05-08 Thread Thomas Eckardt
>I'm going to try to find some time later today to play

wasted time





From: K Post
To: ASSP development mailing list
Date: 08.05.2015 17:53
Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem



This tool: http://www.kitterman.com/spf/validate.html claims that the SPF
record is fine, it also shows it on one line.

It seems like the Windows DNS mechanism is splitting the results, or at
least NSLOOKUP does.  Does Mail::SPF use Windows for DNS?  Probably, I'd
think.

Does ASSP have access to an array of results from Mail::SPF::Query?  Maybe
they're supposed to be concatenated or something?  Really just a wild
guess.  I'm going to try to find some time later today to play with the
module, though I'm no Perl wiz.






On Fri, May 8, 2015 at 4:22 AM, Thomas Eckardt 

wrote:

> > b.news.saksoff5th.com   text =
> >
> > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> ip4:8.7.44.123/32
> > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > 25.54.0/24 ip4:2"
> > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > p4:63.236.31.128"
> > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
>
> There is nothing to fix - everything is working OK. IMHO this SPF record
> is simply wrong.
> How should an SPF application know that the second part is an addition
> to the first part, if the first part is terminated (")?
> It should be:
>
> > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> ip4:8.7.44.123/32
> > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > 25.54.0/24 ip4:2
> > 08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > p4:63.236.31.128
> > /26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
>
> The line processing is done by Mail::SPF, not by ASSP!
>
> Thomas
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 07.05.2015 17:32
> Subject: Re: [Assp-test] SPF record from DNS received in 2 lines problem
>
>
>
> This seems to be happening regularly - enough to be causing serious SPF
> reliability errors
>
> Received-SPF: permerror (homedepot.com: Unknown mechanism type 'inclu' in
> 'v=spf1' record) receiver=assp.OurCharity.org; identity=mailfrom;
> envelope-from="homede...@homedepot.com"; helo=mail-ext.escalate.com;
> client-ip=64.124.92.69
>
> When I do a NSLookup in Windows 8 or Windows 2012, I see:
> "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104
> ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69
> a:smtp01.edifecs.com a:smtp02.edifecs.com include:
> spf.messaging.microsoft.com include:cust-spf.exacttarget.com include:s
> pf.mailengine1.com inclu"<--- note the quote and the line break
> "de:spf.mtasv.net ~all"
>
> That "inclu" at the end of the line is interpreted by ASSP as invalid,
> which it IS, but assp should be seeing that 2nd line that starts "de" to
> make "include."  Of course this seems like more of a problem with windows
> DNS.  It doesn't matter if I use internal windows DNS servers or Google's
> (presumably Linux) 8.8.8.8 server.  Same formatting of the results.
>
> Anyone else seeing this on windows?
>
> On Tue, May 5, 2015 at 10:22 AM, K Post  wrote:
>
> > On my windows systems, when I do a NSLookup for the SPF record for
> > b.news.saksoff5th.com, I get
> > > b.news.saksoff5th.com
> > Server:  google-public-dns-a.google.com
> > Address:  8.8.8.8
> > b.news.saksoff5th.com   text =
> >
> > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> ip4:8.7.44.123/32
> > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > 25.54.0/24 ip4:2"
> > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > p4:63.236.31.128"
> > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> >
> > Looking at the mail analyzer, I get:
> > Received-SPF: permerror (b.news.saksoff5th.com: Missing required IPv4
> > address in 'ip4:2') receiver=antispam.nexario.net; identity=mailfrom;
> > envelope-from="bo-b9vk0mvatcv9czaumtyq5qcby69...@b.news.saksoff5th.com";
> > helo=mta954.news.saksoff5th.com; client-ip=8.7.44.125
> >
> > So ASSP doesn't like ip4:2 which it's seeing at the end of line 1 of the
> > DNS entry.
> >
> > I think this might be a windows problem.  If I go here:
> > http://mxtoolbox.com/SuperTool.aspx?action=txt%3ab.news.saksoff5th.com&run=toolpage
> > I see the entire record, without the line splits.
> >
> > Any chance of having ASSP combine records like this?  I feel like it could
> > potentially be a problem for DKIM and DMARC records too, though I'm just
> > guessing based on potential length, not experience.
> >
> >
> > thanks
> >
>

Re: [Assp-test] SPF record from DNS received in 2 lines probelm

2015-05-08 Thread K Post
This tool: http://www.kitterman.com/spf/validate.html claims that the SPF
record is fine; it also shows it on one line.

It seems like the Windows DNS mechanism is splitting the results, or at
least NSLOOKUP does.  Does Mail::SPF use windows for DNS?  Probably, I'd
think.

Does ASSP have access to an array of results from Mail::SPF::Query? Maybe
they're supposed to be concatenated or something?  Really just a wild
guess.  I'm going to try to find some time later today to play with the
module, though I'm no perl wiz.






On Fri, May 8, 2015 at 4:22 AM, Thomas Eckardt 
wrote:

> > b.news.saksoff5th.com   text =
> >
> > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> ip4:8.7.44.123/32
> > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > 25.54.0/24 ip4:2"
> > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > p4:63.236.31.128"
> > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
>
> There is nothing to fix - everything is working OK. IMHO this SPF record
> is simply wrong.
> How should an SPF application know that the second part is an addition to
> the first part, if the first part is terminated (")?
> It should be:
>
> > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> ip4:8.7.44.123/32
> > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > 25.54.0/24 ip4:2
> > 08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > p4:63.236.31.128
> > /26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
>
> The line processing is done by Mail::SPF not by ASSP!
>
> Thomas
>
>
>
>
> Von:K Post 
> An: ASSP development mailing list 
> Datum:  07.05.2015 17:32
> Betreff:Re: [Assp-test] SPF record from DNS received in 2 lines
> probelm
>
>
>
> This seems to be happening regularly - enough to be causing serious SPF
> reliability errors
>
> Received-SPF: permerror (homedepot.com: Unknown mechanism type 'inclu' in
> 'v=spf1' record) receiver=assp.OurCharity.org; identity=mailfrom;
> envelope-from="homede...@homedepot.com"; helo=mail-ext.escalate.com;
> client-ip=64.124.92.69
>
> When I do a NSLookup in Windows 8 or Windows 2012, I see:
> "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104
> ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69
> a:smtp01.edifecs.com a:smtp02.edifecs.com include:
> spf.messaging.microsoft.com include:cust-spf.exacttarget.com include:s
> pf.mailengine1.com inclu"<--- note the quote and the line break
> "de:spf.mtasv.net ~all"
>
> That "inclu" at the end of the line is interpreted by ASSP as invalid,
> which it IS, but assp should be seeing that 2nd line that starts "de" to
> make "include."  Of course this seems like more of a problem with windows
> DNS.  It doesn't matter if I use internal windows DNS servers or Google's
> (presumably Linux) 8.8.8.8 server.  Same formatting of the results.
>
> Anyone else seeing this on windows?
>
> On Tue, May 5, 2015 at 10:22 AM, K Post  wrote:
>
> > On my windows systems, when I do a NSLookup for the SPF record for
> > b.news.saksoff5th.com, I get
> > > b.news.saksoff5th.com
> > Server:  google-public-dns-a.google.com
> > Address:  8.8.8.8
> > b.news.saksoff5th.com   text =
> >
> > "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31
> ip4:8.7.44.123/32
> > ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> > 25.54.0/24 ip4:2"
> > "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> > 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> > p4:63.236.31.128"
> > "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
> >
> > Looking at the mail analyzer, I get:
> > Received-SPF: permerror (b.news.saksoff5th.com: Missing required IPv4
> > address in 'ip4:2') receiver=antispam.nexario.net; identity=mailfrom;
> > envelope-from="bo-b9vk0mvatcv9czaumtyq5qcby69...@b.news.saksoff5th.com";
> > helo=mta954.news.saksoff5th.com; client-ip=8.7.44.125
> >
> > So ASSP doesn't like ip4:2 which it's seeing at the end of line 1 of the
> > DNS entry.
> >
> > I think this might be a windows problem.  If I go here:
> > http://mxtoolbox.com/SuperTool.aspx?action=txt%3ab.news.saksoff5th.com&run=toolpage
> > I see the entire record, without the line splits.
> >
> > Any chance of having ASSP combine records like this?  I feel like it could
> > potentially be a problem for DKIM and DMARC records too, though I'm just
> > guessing based on potential length, not experience.
> >
> >
> > thanks
> >
>
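As an added example, not code from the thread, from ASSP or from Mail::SPF: a small Python evaluator that reassembles the character-strings of a TXT record the way RFC 7208 section 3.3 requires (concatenated with no separator) and shows that parsing only the first string reproduces the two permerrors quoted in the thread. The two records and client IPs are reconstructed from the nslookup output and Received-SPF headers above; the mid-token line wraps inside one quoted string are treated as display wrapping, and DNS-dependent mechanisms are not resolved.

```python
"""Reassembling a multi-string SPF TXT record (added example)."""
import ipaddress
import re

# Constructed from the nslookup output quoted in the thread.  Each list
# element is one quoted character-string; mid-token wraps that nslookup
# showed inside a quoted string are assumed to be display wrapping.
SAKS_STRINGS = [
    "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31 ip4:8.7.44.123/32 "
    "ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.125.54.0/24 ip4:2",
    "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:8.7.43.16/29 "
    "ip4:63.232.236.144/29 ip4:8.7.44.144/29 ip4:63.236.31.128",
    "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all",
]
HOMEDEPOT_STRINGS = [
    "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104 "
    "ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69 "
    "a:smtp01.edifecs.com a:smtp02.edifecs.com "
    "include:spf.messaging.microsoft.com include:cust-spf.exacttarget.com "
    "include:spf.mailengine1.com inclu",
    "de:spf.mtasv.net ~all",
]

KNOWN = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# qualifier, mechanism name, optional ":value", optional "/cidr"
MECH_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::(.*?))?(?:/(\d{1,3}))?$", re.I)


def reassemble_txt(strings):
    """RFC 7208 section 3.3: the character-strings of one TXT RR are
    concatenated directly, with no spaces inserted between them."""
    return "".join(strings)


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms.

    Raises ValueError carrying a permerror-style message for malformed
    input, worded like the two Mail::SPF messages quoted in the thread."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier (redirect=, exp=); not needed here
            continue
        m = MECH_RE.match(term)
        if not m:
            raise ValueError(f"Unparseable term {term!r}")
        qual, name, value, cidr = m.groups()
        name = name.lower()
        if name not in KNOWN:
            raise ValueError(f"Unknown mechanism type {name!r}")
        if name in ("ip4", "ip6"):
            family = "IPv4" if name == "ip4" else "IPv6"
            try:  # a truncated value such as "2" fails here
                value = ipaddress.ip_network(
                    f"{value}/{cidr}" if cidr else value, strict=False)
            except (TypeError, ValueError):
                raise ValueError(
                    f"Missing required {family} address in {term!r}") from None
        parsed.append((qual or "+", name, value))
    return parsed


def check_host(record, client_ip):
    """Evaluate one client IP against an SPF record, offline.

    Mechanisms that need DNS (a, mx, include, ptr, exists) are not
    resolved; if one is reached before anything matches the result is
    'unresolved' rather than a guess."""
    ip = ipaddress.ip_address(client_ip)
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return "permerror", str(exc)
    for qual, name, value in terms:
        if name == "all":
            return RESULT[qual], f"matched {qual}all"
        if name in NEEDS_DNS:
            return "unresolved", f"{name} mechanism needs a DNS lookup"
        if ip.version == value.version and ip in value:
            return RESULT[qual], f"matched {qual}{name}:{value}"
    return "neutral", "no mechanism matched"


def evaluate_both_ways(strings, client_ip):
    """Compare parsing only the first character-string (the failure mode
    in the thread) with parsing the reassembled record."""
    return check_host(strings[0], client_ip), check_host(reassemble_txt(strings), client_ip)


if __name__ == "__main__":
    for label, strings, ip in (("saksoff5th", SAKS_STRINGS, "8.7.44.125"),
                               ("homedepot", HOMEDEPOT_STRINGS, "64.124.92.69")):
        first_only, reassembled = evaluate_both_ways(strings, ip)
        print(f"{label}: first string only -> {first_only}")
        print(f"{label}: reassembled       -> {reassembled}")
```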

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Thomas Eckardt
>Shouldn't it?

No - it is not used.

>, , Y, 11

the Y shows that the hostname matches the IP

Thomas



Von:K Post 
An: ASSP development mailing list 
Datum:  08.05.2015 17:11
Betreff:Re: [Assp-test] Senderbase not always matching domain



And here's another, also from a delta.com address, this time them sending
(legitimate) boarding passes.

Came from IP 153.69.214.203

querying
203.214.69.153.query.senderbase.org (yes I reversed it)
returns
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791

parameter 20 shows the hostname

However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION,
, , Y, 11
The hostname doesn't appear.  Shouldn't it?



On Fri, May 8, 2015 at 10:28 AM, K Post  wrote:

> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably not, but it's what I would do if I were trying to send spam
> appearing to be from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt wrote:
>
>> ASSP uses DNS queries for Senderbase.
>>
>> Thomas
>>
>>
>>
>>
>>
>> Von:K Post 
>> An: ASSP development mailing list 
>> Datum:  07.05.2015 20:36
>> Betreff:Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> It doesn't seem like the domain is being returned, just the network name,
>> so a lot of domains that should result in a white org score aren't hitting.
>> This doesn't appear to be an ASSP problem.
>>
>> I just did a lookup for the ip 38.100.169.66
>> At the senderbase website, it shows a domain of e.delta.com, which I have
>> whitelisted (Delta Airlines)
>>
>> However, a nslookup for the txt record only shows
>> 38.100.169.66.query.senderbase.org  text =
>>
>> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>>
>> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
>> this the same way that ASSP queries senderbase?  Is there a way to have
>> ASSP ask senderbase to return the best guess domain name just like
>> SenderBase does on its website?  That would solve the problem where the
>> netblock is a major carrier, that carrier can't be whitelisted, but the
>> domain that's returned (or hostname) is whitelisted.
>>
>>
>>
>>
>>
>>
>> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>>
>> > SenderBaseLog was set to standard before.  Set it to diagnostic.
>> >
>> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
>> > thomas.ecka...@thockar.com> wrote:
>> >
>> >> > > but where's the senderbase line in the log?
>> >>
>> >> check SenderBaseLog
>> >>
>> >> Thomas
>> >>
>> >>
>> >>
>> >>
>> >> Von:K Post
>> >> An: ASSP development mailing list
>> >> Datum:  05.05.2015 18:21
>> >> Betreff:Re: [Assp-test] Senderbase not always matching domain
>> >>
>> >>
>> >>
>> >> >good point but I've no answer, sounds like you found a bug
>> >> Hopefully Thomas will have some time to look into this.
>> >>
>> >> Thanks again.
>> >>
>> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
>> >>
>> >> > :: On Tue, 5 May 2015 11:22:07 -0400
>> >> > :: K Post  wrote:
>> >> >
>> >> > > > Sorry Greyhat, you lost me.  What does this show different from
>> >> > > > what I was saying?   Maybe I wasn't clear.
>> >> > > When I pull up the analyze interface in assp it shows only Cogent,
>> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
>> >> > > thereby doesn't get the whitesenderorg bonus.
>> >> >
>> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
>> >> > the /24 instead of the IP (didn't check the code) ...
>> >> >
>> >> > > And here's another issue I'm seeing with Senderbase:
>> >> > >
>> >> > > 12.130.137.89  to:
>> >> u...@ourcharity.org
>> >> > > DKIM-Signature found
>> >> >
>
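As an added example (not ASSP's own code): a Python parser for the SenderBase TXT answers quoted in this thread, using the field meanings the thread establishes (1 = organisation, 20 = hostname, 22 = Y when the hostname matches the IP, 53 = country), plus a White Org style regex check that consults the hostname only when field 22 is Y, which is the defensive answer to the reverse-DNS concern raised above. The 22=N answer and the regex patterns are constructed for illustration; other field numbers are carried along uninterpreted.

```python
"""Parsing SenderBase DNS TXT answers and applying a White Org regex
(added example, not ASSP's code)."""
import ipaddress
import re

SB_ZONE = "query.senderbase.org"

# Constructed from the two TXT answers quoted in the thread.
NCR_TXT = (
    "0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|"
    "20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|"
    "46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791"
)
CHARTER_TXT = (
    "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|"
    "8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|"
    "53=US|54=-97.3972|55=32.7807"
)
# Constructed, hypothetical answer: a hostname that looks like a
# whitelisted sender but is flagged 22=N, i.e. not confirmed for the IP.
UNCONFIRMED_TXT = "0-0=1|1=SOME HOSTER|20=mta01.e.delta.com|22=N|53=US"


def senderbase_qname(ip):
    """Reverse the octets and append the zone, as the thread describes:
    153.69.214.203 -> 203.214.69.153.query.senderbase.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + SB_ZONE


def parse_senderbase(txt):
    """Split a '|'-separated answer into {field_number: value}.
    nslookup shows the answer quoted; the quotes are stripped if present."""
    fields = {}
    for item in txt.strip().strip('"').split("|"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize(fields):
    """The pieces that appear in the analyzer line quoted in the thread:
    country, organisation, hostname and the hostname-confirmed flag."""
    return {
        "country": fields.get("53", ""),
        "org": fields.get("1", ""),
        "hostname": fields.get("20", ""),
        "hostname_confirmed": fields.get("22") == "Y",
    }


def white_org_match(fields, pattern):
    """Apply a White Org style regex and report what it matched on.

    The organisation name is always checked.  The hostname is checked
    only when field 22 is Y, so a reverse-DNS name SenderBase has not
    confirmed against the IP cannot earn the whitelist bonus.  Returns
    'org', 'hostname' or None."""
    rx = re.compile(pattern, re.I)
    info = summarize(fields)
    if info["org"] and rx.search(info["org"]):
        return "org"
    if info["hostname_confirmed"] and rx.search(info["hostname"]):
        return "hostname"
    return None


if __name__ == "__main__":
    print(senderbase_qname("153.69.214.203"))
    pattern = r"e\.delta\.com$|ncrwebhost\.com$"
    for name, txt in (("NCR", NCR_TXT), ("Charter", CHARTER_TXT),
                      ("unconfirmed", UNCONFIRMED_TXT)):
        fields = parse_senderbase(txt)
        print(name, summarize(fields), white_org_match(fields, pattern))
```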

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
I hear ya...

What about the senderbase result as it appears in the analyze gui?  Why
isn't this showing the hostname?


On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt 
wrote:

> >1) Is there a way to have Senderbase return the DOMAIN that it's
> guessing?
>
> ASSP has to take what it gets - DNS is used - return values are the same
> as in nslookup or other DNS tools.
>
> 2) Is there a way to specify in the White Org file that ASSP uses to only
>
> the 'White Org file' (regex) is checked against the SB-org and the domain -
> no other way.
>
> Thomas
>
>
>
>
> Von:K Post 
> An: ASSP development mailing list 
> Datum:  08.05.2015 16:31
> Betreff:Re: [Assp-test] Senderbase not always matching domain
>
>
>
> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, probably
> not, but it's what I would do if I were trying to send spam appearing to be
> from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt wrote:
>
> > ASSP uses DNS queries for Senderbase.
> >
> > Thomas
> >
> >
> >
> >
> >
> > Von:K Post 
> > An: ASSP development mailing list 
> > Datum:  07.05.2015 20:36
> > Betreff:Re: [Assp-test] Senderbase not always matching domain
> >
> >
> >
> > It doesn't seem like the domain is being returned, just the network name,
> > so a lot of domains that should result in a white org score aren't hitting.
> > This doesn't appear to be an ASSP problem.
> >
> > I just did a lookup for the ip 38.100.169.66
> > At the senderbase website, it shows a domain of e.delta.com, which I have
> > whitelisted (Delta Airlines)
> >
> > However, a nslookup for the txt record only shows
> > 38.100.169.66.query.senderbase.org  text =
> >
> > "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >
> > Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> > this the same way that ASSP queries senderbase?  Is there a way to have
> > ASSP ask senderbase to return the best guess domain name just like
> > SenderBase does on its website?  That would solve the problem where the
> > netblock is a major carrier, that carrier can't be whitelisted, but the
> > domain that's returned (or hostname) is whitelisted.
> >
> >
> >
> >
> >
> >
> > On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
> >
> > > SenderBaseLog was set to standard before.  Set it to diagnostic.
> > >
> > > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > > thomas.ecka...@thockar.com> wrote:
> > >
> > >> > > but where's the senderbase line in the log?
> > >>
> > >> check SenderBaseLog
> > >>
> > >> Thomas
> > >>
> > >>
> > >>
> > >>
> > >> Von:K Post
> > >> An: ASSP development mailing list
> > >> Datum:  05.05.2015 18:21
> > >> Betreff:Re: [Assp-test] Senderbase not always matching domain
> > >>
> > >>
> > >>
> > >> >good point but I've no answer, sounds like you found a bug
> > >> Hopefully Thomas will have some time to look into this.
> > >>
> > >> Thanks again.
> > >>
> > >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
> > >>
> > >> > :: On Tue, 5 May 2015 11:22:07 -0400
> > >> > :: K Post  wrote:
> > >> >
> > >> > > > Sorry Greyhat, you lost me.  What does this show different from
> > >> > > > what I was saying?   Maybe I wasn't clear.
> > >> > > When I pull up the analyze interface in assp it shows only Cogent,
> > >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> > >> > > thereby doesn't get the whitesenderorg bonus.
> > >> >
> > >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> > >> > the /24 instead of the IP (didn't check the code) ...
> > >> >
> > >> > > And here's another issue I'm seeing with Senderbase:
> > >> > >
> > >> > > 12.130.137.89  to:
> > >> u...@ourcharity.org
> > >> > > DKIM-Signature found
> > >> >
> > >> > and here ASSP says that the message contains a DKIM signature
> > >> >
> > >> > > 12.1

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Thomas Eckardt
>1) Is there a way to have Senderbase return the DOMAIN that it's guessing?

ASSP has to take what it gets - DNS is used - return values are the same
as in nslookup or other DNS tools.

2) Is there a way to specify in the White Org file that ASSP uses to only

the 'White Org file' (regex) is checked against the SB-org and the domain -
no other way.

Thomas




Von:K Post 
An: ASSP development mailing list 
Datum:  08.05.2015 16:31
Betreff:Re: [Assp-test] Senderbase not always matching domain



Thank you both for sticking with this.

Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
you need to reverse the IP, which makes much more sense.  Thanks.

Thomas, I know ASSP uses DNS, I just didn't know if it was querying
differently than I was testing - and it is, the RIGHT way - reversing the
IP.

I now see the hostname being returned, and I can match on that through a
regex.  Doesn't that open up vulnerability though if a spammer has their
SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, probably
not, but it's what I would do if I were trying to send spam appearing to be
from Delta - or worse, one of the banks.

My language was also incorrect in my original post.  I talked about
hostname, but what I'd really like to do is match on the "guess" DOMAIN
name that the senderbase website shows, in this case e.delta.com.  So:
1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
2) Is there a way to specify in the White Org file that ASSP uses to only
match against network name, hostname, or domain name?




On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt wrote:

> ASSP uses DNS queries for Senderbase.
>
> Thomas
>
>
>
>
>
> Von:K Post 
> An: ASSP development mailing list 
> Datum:  07.05.2015 20:36
> Betreff:Re: [Assp-test] Senderbase not always matching domain
>
>
>
> It doesn't seem like the domain is being returned, just the network name,
> so a lot of domains that should result in a white org score aren't hitting.
> This doesn't appear to be an ASSP problem.
>
> I just did a lookup for the ip 38.100.169.66
> At the senderbase website, it shows a domain of e.delta.com, which I have
> whitelisted (Delta Airlines)
>
> However, a nslookup for the txt record only shows
> 38.100.169.66.query.senderbase.org  text =
>
> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>
> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> this the same way that ASSP queries senderbase?  Is there a way to have
> ASSP ask senderbase to return the best guess domain name just like
> SenderBase does on its website?  That would solve the problem where the
> netblock is a major carrier, that carrier can't be whitelisted, but the
> domain that's returned (or hostname) is whitelisted.
>
>
>
>
>
>
> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>
> > SenderBaseLog was set to standard before.  Set it to diagnostic.
> >
> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > thomas.ecka...@thockar.com> wrote:
> >
> >> > > but where's the senderbase line in the log?
> >>
> >> check SenderBaseLog
> >>
> >> Thomas
> >>
> >>
> >>
> >>
> >> Von:K Post
> >> An: ASSP development mailing list
> >> Datum:  05.05.2015 18:21
> >> Betreff:Re: [Assp-test] Senderbase not always matching domain
> >>
> >>
> >>
> >> >good point but I've no answer, sounds like you found a bug
> >> Hopefully Thomas will have some time to look into this.
> >>
> >> Thanks again.
> >>
> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
> >>
> >> > :: On Tue, 5 May 2015 11:22:07 -0400
> >> > :: K Post  wrote:
> >> >
> >> > > > Sorry Greyhat, you lost me.  What does this show different from
> >> > > > what I was saying?   Maybe I wasn't clear.
> >> > > When I pull up the analyze interface in assp it shows only Cogent,
> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> >> > > thereby doesn't get the whitesenderorg bonus.
> >> >
> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> >> > the /24 instead of the IP (didn't check the code) ...
> >> >
> >> > > And here's another issue I'm seeing with Senderbase:
> >> > >
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > DKIM-Signature found
> >> >
> >> > and here ASSP says that the message contains a DKIM signature
> >> >
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > info: domain emails.snapfish.com has published a DMARC record
> >> >
> >> > and that the sending MTA domain (emails...) publishes a DMARC record
> >> >
> >> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
> >> >
> >> > > [MissingMX] 12.130.137.89  to:
> >> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > Message-Score:

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
And here's another, also from a delta.com address, this time them sending
(legitimate) boarding passes.

Came from IP 153.69.214.203

querying
203.214.69.153.query.senderbase.org (yes I reversed it)
returns
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791

parameter 20 shows the hostname

However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION,
, , Y, 11
The hostname doesn't appear.  Shouldn't it?



On Fri, May 8, 2015 at 10:28 AM, K Post  wrote:

> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably not, but it's what I would do if I were trying to send spam
> appearing to be from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt wrote:
>
>> ASSP uses DNS queries for Senderbase.
>>
>> Thomas
>>
>>
>>
>>
>>
>> Von:K Post 
>> An: ASSP development mailing list 
>> Datum:  07.05.2015 20:36
>> Betreff:Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> It doesn't seem like the domain is being returned, just the network name,
>> so a lot of domains that should result in a white org score aren't hitting.
>> This doesn't appear to be an ASSP problem.
>>
>> I just did a lookup for the ip 38.100.169.66
>> At the senderbase website, it shows a domain of e.delta.com, which I have
>> whitelisted (Delta Airlines)
>>
>> However, a nslookup for the txt record only shows
>> 38.100.169.66.query.senderbase.org  text =
>>
>> "0-0=1|1=CHARTER
>>
>> COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
>> Worth|5
>> 1=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>>
>> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
>> this the same way that ASSP queries senderbase?  Is there a way to have
>> ASSP ask senderbase to return the best guess domain name just like
>> SenderBase does on its website?  That would solve the problem where the
>> netblock is a major carrier, that carrier can't be whitelisted, but the
>> domain that's returned (or hostname) is whitelisted.
>>
>>
>>
>>
>>
>>
>> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>>
>> > SenderBaseLog was set to standard before.  Set it to diagnostic.
>> >
>> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
>> > thomas.ecka...@thockar.com> wrote:
>> >
>> >> > > but where's the senderbase line in the log?
>> >>
>> >> check SenderBaseLog
>> >>
>> >> Thomas
>> >>
>> >>
>> >>
>> >>
>> >> Von:K Post 
>> >> An: ASSP development mailing list
>> >> Datum:  05.05.2015 18:21
>> >> Betreff:Re: [Assp-test] Senderbase not always matching domain
>> >>
>> >>
>> >>
>> >> >good point but I've no answer, sounds like you found a bug
>> >> Hopefully Thomas will have some time to look into this.
>> >>
>> >> Thanks again.
>> >>
>> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
>> >>
>> >> > :: On Tue, 5 May 2015 11:22:07 -0400
>> >> > :: K Post  wrote:
>> >> >
>> >> > > > Sorry Greyhat, you lost me.  What does this show different from
>> >> > > > what I was
>> >> > > saying?   Maybe I wasn't clear.
>> >> > > When I pull up the analyze interface in assp it shows only Cogent,
>> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
>> >> > > thereby doesn't get the whitesenderorg bonus.
>> >> >
>> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
>> >> > the /24 instead of the IP (didn't check the code) ...
>> >> >
>> >> > > And here's another issue I'm seeing with Senderbase:
>> >> > >
>> >> > > 12.130.137.89  to:
>> >> u...@ourcharity.org
>> >> > > DKIM-Signature found
>> >> >
>> >> > and here ASSP says that the message contains a DKIM signature
>> >> >
>> >> > > 12.130.137.89  to:
>> >> u...@ourcharity.org
>> >> > > info: domain emails.snapfish.com has published a DMARC record
>> >> >
>> >> > and that the sending MTA domain (emails...) publish

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
Thank you both for sticking with this.

Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
you need to reverse the IP, which makes much more sense.  Thanks.

Thomas, I know ASSP uses DNS, I just didn't know if it was querying
differently than I was testing - and it is, the RIGHT way - reversing the
IP.

I now see the hostname being returned, and I can match on that through a
regex.  Doesn't that open up vulnerability though if a spammer has their
SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, probably
not, but it's what I would do if I were trying to send spam appearing to be
from Delta - or worse, one of the banks.

My language was also incorrect in my original post.  I talked about
hostname, but what I'd really like to do is match on the "guess" DOMAIN
name that the senderbase website shows, in this case e.delta.com.  So:
1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
2) Is there a way to specify in the White Org file that ASSP uses to only
match against network name, hostname, or domain name?




On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt 
wrote:

> ASSP uses DNS queries for Senderbase.
>
> Thomas
>
>
>
>
>
> Von:K Post 
> An: ASSP development mailing list 
> Datum:  07.05.2015 20:36
> Betreff:Re: [Assp-test] Senderbase not always matching domain
>
>
>
> It doesn't seem like the domain is being returned, just the network name,
> so a lot of domains that should result in a white org score aren't hitting.
> This doesn't appear to be an ASSP problem.
>
> I just did a lookup for the ip 38.100.169.66
> At the senderbase website, it shows a domain of e.delta.com, which I have
> whitelisted (Delta Airlines)
>
> However, a nslookup for the txt record only shows
> 38.100.169.66.query.senderbase.org  text =
>
> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>
> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> this the same way that ASSP queries senderbase?  Is there a way to have
> ASSP ask senderbase to return the best guess domain name just like
> SenderBase does on its website?  That would solve the problem where the
> netblock is a major carrier, that carrier can't be whitelisted, but the
> domain that's returned (or hostname) is whitelisted.
>
>
>
>
>
>
> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>
> > SenderBaseLog was set to standard before.  Set it to diagnostic.
> >
> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > thomas.ecka...@thockar.com> wrote:
> >
> >> > > but where's the senderbase line in the log?
> >>
> >> check SenderBaseLog
> >>
> >> Thomas
> >>
> >>
> >>
> >>
> >> Von:K Post 
> >> An: ASSP development mailing list 
> >> Datum:  05.05.2015 18:21
> >> Betreff:Re: [Assp-test] Senderbase not always matching domain
> >>
> >>
> >>
> >> >good point but I've no answer, sounds like you found a bug
> >> Hopefully Thomas will have some time to look into this.
> >>
> >> Thanks again.
> >>
> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
> >>
> >> > :: On Tue, 5 May 2015 11:22:07 -0400
> >> > :: K Post  wrote:
> >> >
> >> > > > Sorry Greyhat, you lost me.  What does this show different from
> >> > > > what I was
> >> > > saying?   Maybe I wasn't clear.
> >> > > When I pull up the analyze interface in assp it shows only Cogent,
> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> >> > > thereby doesn't get the whitesenderorg bonus.
> >> >
> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> >> > the /24 instead of the IP (didn't check the code) ...
> >> >
> >> > > And here's another issue I'm seeing with Senderbase:
> >> > >
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > DKIM-Signature found
> >> >
> >> > and here ASSP says that the message contains a DKIM signature
> >> >
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > info: domain emails.snapfish.com has published a DMARC record
> >> >
> >> > and that the sending MTA domain (emails...) publishes a DMARC record
> >> >
> >> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
> >> >
> >> > > [MissingMX] 12.130.137.89  to:
> >> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> >> > > 12.130.137.89  to: u...@ourcharity.org
> >> > > Message-Score: added 10 (mxValencePB) for MX missing:
> >> > > emails.snapfish.com, total score for this message is now 10
> >> >
> >> > wrong, the domain has two MX records, that is
> >> >
> >> > MX 10 imh.rsys2.net.
> >> > MX 20 imh2.rsys2.net.
> >> >
> >> > > 12.130.137.89  to:
> >> > > u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
> >> > > 12.130.137.89  to: u...@ourcharity.org
> >> > > Message-Score: added 49 for HMM Probability: 1., total score for
> >> > > this message is now 59
> >> >
> >> > ok sou

Re: [Assp-test] Analyze Mail extra analysis possible?

2015-05-08 Thread Thomas Eckardt
The analyzer shows matches - it has no (better less) logic behind. It 
shows IMHO nearly all matches (IP and domains and mail addresses).
Scores are shown - if the analyzer got some - for example URIBL or RBL or 
spam bombs.

Thomas







Von:K Post 
An: ASSP development mailing list 
Datum:  07.05.2015 19:44
Betreff:[Assp-test] Analyze Mail extra analysis possible?



Any chance of adding some functionality to the analyze gui?

I'm thinking it would be nice to see all classifications like:

Message set to non-processing because sen...@address.com matches NPre
or
Message set to non-processing because the domain of sen...@address.com in
NoProcessingDomains
or
Message set to non-processing because sen...@address.com is in
NoProcessingFroms

and show all other matches.

Also, show how a message is scored:
-10 for KnowGoodHelo, total score -10
5 for failed SPF, total score 5
etc...  showing the score for each hit and the resulting total score after
each

I think that would really help us admins figure out exactly how a message
was scored so we could adjust settings as necessary.

If this is a big deal to implement, it's not worth it.
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test



Re: [Assp-test] SPF record from DNS received in 2 lines problem

2015-05-08 Thread Thomas Eckardt
> b.news.saksoff5th.com   text =
>
> "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31 ip4:8.7.44.123/32
> ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> 25.54.0/24 ip4:2"
> "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> p4:63.236.31.128"
> "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"

There is nothing to fix - everything is working OK. IMHO this SPF record
is simply wrong.
How should an SPF application know that the second part is an addition to
the first part, if the first part is terminated (")?
It should be:

> "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31 ip4:8.7.44.123/32
> ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> 25.54.0/24 ip4:2
> 08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> p4:63.236.31.128
> /26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"

The line processing is done by Mail::SPF not by ASSP!

Thomas




Von:K Post 
An: ASSP development mailing list 
Datum:  07.05.2015 17:32
Betreff:Re: [Assp-test] SPF record from DNS received in 2 lines problem



This seems to be happening regularly - enough to be causing serious SPF
reliability errors.

Received-SPF: permerror (homedepot.com: Unknown mechanism type 'inclu' in
'v=spf1' record) receiver=assp.OurCharity.org; identity=mailfrom;
envelope-from="homede...@homedepot.com"; helo=mail-ext.escalate.com;
client-ip=64.124.92.69

When I do a NSLookup in Windows 8 or Windows 2012, I see:
"v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104
ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69
a:smtp01.edifecs.com a:smtp02.edifecs.com include:
spf.messaging.microsoft.com include:cust-spf.exacttarget.com include:s
pf.mailengine1.com inclu"<--- note the quote and the line break
"de:spf.mtasv.net ~all"

That "inclu" at the end of the line is interpreted by ASSP as invalid,
which it IS, but assp should be seeing that 2nd line that starts "de" to
make "include."  Of course this seems like more of a problem with windows
DNS.  It doesn't matter if I use internal windows DNS servers or Google's
(presumably Linux) 8.8.8.8 server.  Same formatting of the results.

Anyone else seeing this on windows?

On Tue, May 5, 2015 at 10:22 AM, K Post  wrote:

> On my windows systems, when I do a NSLookup for the SPF record for
> b.news.saksoff5th.com, I get
> > b.news.saksoff5th.com
> Server:  google-public-dns-a.google.com
> Address:  8.8.8.8
> b.news.saksoff5th.com   text =
>
> "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31 ip4:8.7.44.123/32
> ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.1
> 25.54.0/24 ip4:2"
> "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:
> 8.7.43.16/29 ip4:63.232.236.144/29 ip4:8.7.44.144/29 i
> p4:63.236.31.128"
> "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
>
> Looking at the mail analyzer, I get:
> Received-SPF: permerror (b.news.saksoff5th.com: Missing required IPv4
> address in 'ip4:2') receiver=antispam.nexario.net; identity=mailfrom;
> envelope-from="bo-b9vk0mvatcv9czaumtyq5qcby69...@b.news.saksoff5th.com";
> helo=mta954.news.saksoff5th.com; client-ip=8.7.44.125
>
> So ASSP doesn't like ip4:2 which it's seeing at the end of line 1 of the
> DNS entry.
>
> I think this might be a windows problem.  If I go here:
>
> http://mxtoolbox.com/SuperTool.aspx?action=txt%3ab.news.saksoff5th.com&run=toolpage
> I see the entire record, without the line splits.
>
> Any chance of having ASSP combine records like this?  I feel like it could
> potentially be a problem for DKIM and DMARC records too, though I'm just
> guessing based on potential length, not experience.
>
>
> thanks
>
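How a TXT record made of several strings is meant to be read, as an added example (Python; not code from this thread, from ASSP or from Mail::SPF). DNS carries a TXT record as a sequence of <character-string>s of at most 255 bytes each, and RFC 7208 section 3.3 requires an SPF checker to treat those strings as concatenated with no separator, so the record above is one term list in which 'ip4:2' + '08.49.63.128/28' is a single mechanism and 'inclu' + 'de:spf.mtasv.net' is a single include. The two records below are reconstructed from the nslookup output quoted in this thread (the terminal's own wrapping inside a quoted chunk has been undone; only the quote boundaries are string boundaries); every function name is this example's own, and the term checker is a deliberately small subset of what a real SPF implementation validates.

```python
"""Reassemble a multi-string SPF TXT record as RFC 7208 section 3.3 requires:
the <character-string>s of one TXT RR are concatenated with NO separator.
Added example; not code from ASSP or Mail::SPF."""
import ipaddress
import re

# Constructed from the nslookup output quoted in the thread: each quoted
# chunk is one DNS <character-string>.
SAKS_STRINGS = [
    "v=spf1 ip4:63.232.236.204/30 ip4:8.7.44.124/31 ip4:8.7.44.123/32 "
    "ip4:8.7.44.126/32 ip4:207.251.96.0/24 ip4:65.125.54.0/24 ip4:2",
    "08.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 ip4:8.7.43.16/29 "
    "ip4:63.232.236.144/29 ip4:8.7.44.144/29 ip4:63.236.31.128",
    "/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all",
]
HOMEDEPOT_STRINGS = [
    "v=spf1 ip4:207.11.40.24 ip4:207.11.40.25 ip4:207.11.27.104 "
    "ip4:207.11.27.105 ip4:50.57.54.137 ip4:64.124.92.69 "
    "a:smtp01.edifecs.com a:smtp02.edifecs.com "
    "include:spf.messaging.microsoft.com include:cust-spf.exacttarget.com "
    "include:spf.mailengine1.com inclu",
    "de:spf.mtasv.net ~all",
]


def encode_txt_rdata(strings):
    """Encode strings as TXT RDATA: one length byte per <character-string>
    followed by its bytes (RFC 1035 section 3.3.14)."""
    out = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("character-string longer than 255 bytes")
        out.append(len(raw))
        out += raw
    return bytes(out)


def decode_txt_rdata(rdata):
    """Split TXT RDATA back into its <character-string>s, which is the form
    a resolver library hands to an SPF implementation."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        chunk = rdata[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string")
        strings.append(chunk.decode("ascii"))
        i += 1 + n
    return strings


def spf_record_text(strings):
    """RFC 7208 section 3.3: join the strings with no separator at all."""
    return "".join(strings)


def line_split_record_text(strings):
    """The faulty reading discussed in the thread: each string treated as its
    own line, so a mechanism cut at a string boundary becomes two terms."""
    return " ".join(strings)


# RFC 7208 mechanisms and modifiers, matched one whole term at a time.
_MECHANISM = re.compile(
    r"^[+\-~?]?(all|include:\S+|a(?::\S+)?|mx(?::\S+)?|ptr(?::\S+)?"
    r"|ip4:\S+|ip6:\S+|exists:\S+)$", re.IGNORECASE)
_MODIFIER = re.compile(r"^(redirect|exp)=\S+$", re.IGNORECASE)
_IP4 = re.compile(r"^[+\-~?]?ip4:(\S+)$", re.IGNORECASE)


def check_spf_terms(record):
    """Return the syntax problems a checker would report for the record
    (a small subset: version tag, ip4 networks, recognised term names)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 version tag"]
    problems = []
    for term in terms[1:]:
        m = _IP4.match(term)
        if m:
            try:
                ipaddress.IPv4Network(m.group(1), strict=False)
            except ValueError:
                problems.append(f"Missing required IPv4 address in '{term}'")
        elif not (_MECHANISM.match(term) or _MODIFIER.match(term)):
            problems.append(f"Unknown mechanism type '{term}'")
    return problems


if __name__ == "__main__":
    for name, strings in (("saksoff5th", SAKS_STRINGS),
                          ("homedepot", HOMEDEPOT_STRINGS)):
        parts = decode_txt_rdata(encode_txt_rdata(strings))
        print(name, "line-split:", check_spf_terms(line_split_record_text(parts)))
        print(name, "RFC 7208  :", check_spf_terms(spf_record_text(parts)))
```

Run stand-alone, the line-split reading reports exactly the permerrors quoted in the thread ('ip4:2' and 'inclu'), while the concatenated reading reports none. The first string of the homedepot record is exactly 255 bytes, the maximum <character-string> length, which is why a publisher's tooling cuts it in the middle of "include" rather than at a space; a resolver or checker that does not glue the strings back together will misread any long record, not just these two.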