Re: Checking if SPF is being used

2010-05-05 Thread a . smith

PS in my init.pre SPF is loaded:

loadplugin Mail::SpamAssassin::Plugin::SPF

Quoting a.sm...@ukgrid.net:







Re: Checking if SPF is being used

2010-05-05 Thread Benny Pedersen

On ons 05 maj 2010 14:53:06 CEST,  wrote

> No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,
> MIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no
> version=3.3.0

no spf, and 3.3.1 is latest :)

> Anyone give me any clues?

spamassassin 2>&1 -D -t msg | grep spf | less

perldoc Mail::SpamAssassin::Conf see search envelope header
perldoc Mail::SpamAssassin::Plugin::SPF more plugin settings here

> thanks, Andy.


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Checking if SPF is being used

2010-05-05 Thread a . smith

Hi Benny,

  thanks for the info. As I mentioned in a follow up I have the
plugin listed to load in my init.pre. But as you rightly guessed SPF
isn't loaded, as per the spamassassin -D -t msg test you described.
So what can be missing? I must admit to finding the configuration
files quite confusing, there are a lot spread across three different
directories, the /etc dir, the share dir and the home dir of the user
that spamd runs as. From the documentation I read:


   Using whitelist_auth is roughly equivalent to specifying
   duplicate whitelist_from_spf, whitelist_from_dk, and
   whitelist_from_dkim lines for each of the addresses
   specified.

So do I just need to put whitelist_from_spf in my user_prefs? Will
that actually score down mails that don't comply with SPF or will it
simply ensure mails that do comply aren't mistaken as spam? The former
is the most important one for me, not false positives,


thanks, Andy.






Re: Checking if SPF is being used

2010-05-05 Thread Benny Pedersen

On ons 05 maj 2010 15:51:31 CEST,  wrote

> thanks for the info. As I mentioned in a follow up I have the plugin
> listed to load in my init.pre. But as you rightly guessed SPF isn't
> loaded, as per the spamassassin -D -t msg test you described.


any spf from @inc ?

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Checking if SPF is being used

2010-05-05 Thread a . smith

Hi Benny,

  do you mean in the general perl environment? From that I have the
following available regarding mail:
Actually I just realised I didn't run the test command against a real
mail, I've just rerun it and I get loads of SPF stuff, starting like
this:


May  5 15:30:31.372 [12084] dbg: plugin: loading  
Mail::SpamAssassin::Plugin::SPF from @INC
May  5 15:30:34.564 [12084] dbg: config: fixed relative path:  
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf
May  5 15:30:34.564 [12084] dbg: config: using  
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf for  
included file
May  5 15:30:34.565 [12084] dbg: config: read file  
/var/db/spamassassin/3.003000/updates_spamassassin_org/25_spf.cf
May  5 15:30:34.638 [12084] dbg: config: fixed relative path:  
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf
May  5 15:30:34.638 [12084] dbg: config: using  
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf  
for included file
May  5 15:30:34.638 [12084] dbg: config: read file  
/var/db/spamassassin/3.003000/updates_spamassassin_org/60_whitelist_spf.cf
May  5 15:30:35.604 [12084] dbg: spf: checking to see if the message  
has a Received-SPF header that we can use

May  5 15:30:35.634 [12084] dbg: spf: using Mail::SPF for SPF checks
ending
May  5 15:30:40.070 [12084] dbg: timing: total 8709 ms - init: 4081  
(46.9%), parse: 1.74 (0.0%), extract_message_metadata: 40 (0.5%),  
poll_dns_idle: 2497 (28.7%), get_uri_detail_list: 2 (0.0%),  
tests_pri_-1000: 9 (0.1%), compile_gen: 131 (1.5%), compile_eval: 14  
(0.2%), tests_pri_-950: 5 (0.1%), tests_pri_-900: 5 (0.1%),  
tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76  
(0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%),  
tests_pri_500: 2506 (28.8%)


So it's using SPF after all? Or it seems perhaps it's using SPF when I
run a check from the command line but not when the mail server is
running normal automatic tests? A bit confusing


thanks Andy.





Re: Checking if SPF is being used

2010-05-05 Thread Benny Pedersen

On ons 05 maj 2010 16:33:39 CEST,  wrote

> tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76
> (0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%),
> tests_pri_500: 2506 (28.8%)

i see check spf there, but might fail on missing perl module Mail::SPF

> So it's using SPF after all? Or it seems perhaps it's using SPF when I
> run a check from the command line but not when the mail server is
> running normal automatic tests? A bit confusing

no it's just a learning curve :=)

what is the X-Spam-Status header from this maillist saying in your mails ?

if your setup works it says something

btw have you Mail::SPF perl module installed ?, it's not needed when
mta does the spf test, but you then have to configure the plugin so


and remember the right envelope sender header, it's not From:

in postfix it's Return-Path:

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Checking if SPF is being used

2010-05-05 Thread a . smith

From this maillist the x-spam-status is:

No, score=-11.1 required=4.8 tests=BAYES_00,RCVD_IN_DNSWL_HI,  
RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RDNS_NONE,SPF_PASS  
autolearn=unavailable version=3.3.1


Hehe, this is another server which is on Spamassassin 3.1.1, seems it
is using SPF on this box. So far all mail from the list has come via
this server as it's the preferred MX server for this domain.


Ok, so I just did a search on the last 1000 messages to be delivered
via the server we started looking at, and there are many instances
where the x-spam-status has some SPF values; ie SPF_PASS,
SPF_HELO_FAIL etc


So I think that proves it is using SPF doesn't it? If you'd agree then
my next question is why did it deliver mail with a spoofed email
address of a domain that is hosted on our mail server? I'm using
exim and I'm looking at an example of this type of spam and it's got
both the return address and from fields showing an email address from
a domain hosted on our mail server :S That's not what SPF is meant to
do surely?


Yep I got the Mail::SPF module installed.


Quoting Benny Pedersen m...@junc.org:






Re: Checking if SPF is being used

2010-05-05 Thread Michael Scheidell

On 5/5/10 11:15 AM, a.sm...@ukgrid.net wrote:



> So I think that proves it is using SPF doesn't it? If you'd agree then
> my next question is why did it deliver mail with a spoofed email
> address of a domain that is hosted on our mail server? I'm using
> exim and I'm looking at an example of this type of spam and it's got
> both the return address and from fields showing an email address from
> a domain hosted on our mail server :S That's not what SPF is meant to
> do surely?

maybe your internal server is not able to look up public TXT records and
doesn't know your internal domain has them?


from the server in question, test spf via dig, nslookup or host.

host -t txt domain.com

and/or, your spf records are borked.

 host -t txt ukgrid.net
ukgrid.net descriptive text v=spf1 +mx +a:alpha.ukgrid.net -all

http://www.kitterman.com/spf/validate.html


what is a +mx record?  what is a +a:alpha.ukgrid.net record?

(I don't know if the + is breaking things, looks optional to me.  I 
guess I have never seen them formatted like that before)


still:  check internal server on internal dns see if it thinks there is 
a spf record.




--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008



Re: Checking if SPF is being used

2010-05-05 Thread a . smith

Hi Michael,

 ok I have to come clean on a little error here which I've just been
thinking over, which by coincidence I have noticed attempting to mail
Benny. Benny's email server bounced my mail due to an SPF error, which
I have never seen myself on my mail nor reported by anyone using this
mail domain. But there you go, Benny has a very strict SPF check and
it seems almost everyone else in the world doesn't! Anyway the SPF
record was originally


v=spf1 +mx +a:alpha -all

Which I then checked using the site kitterman.com, which told me it
was invalid due to a non-FQDN being used, which I've now updated to
alpha.ukgrid.net.
So I suppose that may well have totally broken SPF for the domain
until I fixed it a few minutes ago


I'm not sure if I can test this, obviously running spamassassin from
the command line isn't going to be able to check against the sending host
of the mail (as there is none).


thanks Andy.

Quoting Michael Scheidell scheid...@secnap.net:
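
Added example, not part of the thread or of any tool named in it: a minimal Python check of the two points raised about the record above, that an omitted qualifier means `+`, and that a host argument such as `a:alpha` must be fully qualified. The helper name `lint_spf` is an assumption; modifiers and macros are skipped rather than validated.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DOMAIN_ARGS = {"include", "a", "mx", "ptr", "exists"}  # argument is a host name


def lint_spf(record):
    """Parse one SPF TXT string; return (terms, problems). Hypothetical helper."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], ["record does not start with v=spf1"]
    terms, problems = [], []
    for term in parts[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9._-]*=", term):
            continue  # modifier (redirect=, exp=): skipped, not validated
        # An omitted qualifier defaults to "+", so "mx" and "+mx" are the same.
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        else:
            qualifier, body = "+", term
        name, sep, arg = body.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as mx/24
        if name not in MECHANISMS:
            problems.append(f"{term}: unknown mechanism")
            continue
        terms.append((QUALIFIERS[qualifier], name, arg))
        host = arg.split("/")[0]
        # A host argument needs at least one interior dot, unless it is a macro.
        if (name in DOMAIN_ARGS and sep and "%" not in host
                and "." not in host.strip(".")):
            problems.append(f"{term}: '{host}' is not a fully qualified domain name")
    return terms, problems


if __name__ == "__main__":
    # Records quoted in the thread: the original one and the corrected one.
    for rec in ("v=spf1 +mx +a:alpha -all",
                "v=spf1 +mx +a:alpha.ukgrid.net -all"):
        print(rec, "->", lint_spf(rec)[1] or "no problems found")
```
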






Re: Checking if SPF is being used

2010-05-05 Thread Benny Pedersen

On ons 05 maj 2010 17:15:56 CEST,  wrote


> So I think that proves it is using SPF doesn't it?

yes

> If you'd agree then my next question is why did it deliver mail
> with a spoofed email address of a domain that is hosted on our
> mail server? I'm using

good question, was it ?

read perldoc Mail::SpamAssassin::Conf one more time, find envelope
header and set it so it works with envelope header in your mta


done

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Checking if SPF is being used

2010-05-05 Thread Benny Pedersen

On ons 05 maj 2010 17:45:20 CEST,  wrote

> I'm not sure if I can test this, obviously running spamassassin from
> the command line isn't going to be able to check against the sending
> host of the mail (as there is none).

http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go!

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Checking if SPF is being used

2010-05-05 Thread a . smith
Thanks, I was meaning I don't know if I can test spamassassin to see if
it now correctly scores email. If I can get another server to relay
some mail I guess, right now I can't think of one


Quoting Benny Pedersen m...@junc.org:


> On ons 05 maj 2010 17:45:20 CEST,  wrote
>
> > I'm not sure if I can test this, obviously running spamassassin from
> > the command line isn't going to be able to check against the sending
> > host of the mail (as there is none).
>
> http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go!
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html










Re: Checking if SPF is being used

2010-05-05 Thread a . smith

ok for the header bitty, I'm using

envelope_sender_header Return-path

Which I think should be appropriate for exim, and I'm sticking it in
the user_prefs in the home dir of the user that spamd runs as. Is that
the right config file?


thanks Andy.
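
Added example, not part of the thread: a Python triage helper for the two checks discussed above. It reports whether any SPF_* rule appears in a delivered message's X-Spam-Status, and which domain sits in the envelope header (the one `envelope_sender_header` names) compared with From:. The function names and both sample messages are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spf_report(raw, envelope_header="Return-Path"):
    """Summarise SPF evidence in one delivered message (hypothetical helper)."""
    msg = email.message_from_string(raw)
    # The header is usually folded over several lines; collapse the folds.
    status = " ".join(msg.get("X-Spam-Status", "").split())
    m = re.search(r"tests=(.*?)(?:\s+\w+=|$)", status)
    tests = [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []
    spf = [t for t in tests if t.startswith("SPF_")]
    return {
        # SPF is evaluated against this domain, not the one in From:
        "envelope_domain": domain_of(msg.get(envelope_header)),
        "from_domain": domain_of(msg.get("From")),
        "spf_tests": spf,
        "spf_evaluated": bool(spf),
    }


# Constructed sample: status line shaped like the first one in the thread.
MSG_NO_SPF = (
    "Return-Path: <sender@example.org>\n"
    "From: Sender <sender@example.org>\n"
    "X-Spam-Status: No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no\n"
    "\tversion=3.3.0\n\nbody\n"
)
# Constructed sample: SPF passes for the envelope domain while From: differs.
MSG_MISMATCH = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "From: Andy <andy@example.org>\n"
    "X-Spam-Status: No, score=0.4 required=4.8 tests=BAYES_50,SPF_PASS\n"
    "\tautolearn=no version=3.3.1\n\nbody\n"
)

if __name__ == "__main__":
    for raw in (MSG_NO_SPF, MSG_MISMATCH):
        print(spf_report(raw))
```
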





Re: Checking if SPF is being used SOLVED

2010-05-05 Thread a . smith

Hi,

  thanks a lot for your help, it seems to be working great now.
I sent a message from a server not defined in the domain SPF using my
email address and it got a failed spam score based on SPF_FAIL :)

Great :)

thanks to everyone who commented,

Andy.