Why is this failing SPF???
According to my understanding of the way SPF works the following message should not be failing. Can anyone tell me why this failed?

Here's the pertinent parts of the log:
--
Apr 11 15:00:18 maildrop postgrey[2407]: request: client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com etrn_domain= helo_name=hamhock.hoovers.com instance=7dbd.461d3042.a4146.0 protocol_name=ESMTP protocol_state=RCPT queue_id= [EMAIL PROTECTED] recipient_count=0 request=smtpd_access_policy reverse_client_name=hamhock-outbound.hoovers.com [EMAIL PROTECTED] size=18654 action=PREPEND X-Greylist: delayed 1063 seconds by postgrey-1.27 at maildrop.domain.com; Wed, 11 Apr 2007 15:00:18 EDT
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP< MAIL FROM:<[EMAIL PROTECTED]> SIZE=18654\r\n
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) lookup (debug_sender) => undef, "[EMAIL PROTECTED]" does not match
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP> 250 2.1.0 Sender <[EMAIL PROTECTED]> OK
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP::10024 /var/amavisd/tmp/amavis-20070411T141549-32198: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> SIZE=18654 Received: from maildrop.domain.com ([127.0.0.1]) by localhost (maildrop.domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[EMAIL PROTECTED]>; Wed, 11 Apr 2007 15:00:18 -0400 (EDT)
Apr 11 15:00:19 maildrop amavisd[32198]: (32198-06) Checking: pOlR15g8xTwO [66.179.38.26] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=9.243 tag=3 tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10], autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)
Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) one_response_for_all <[EMAIL PROTECTED]>: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'

Here's the SPF record for hoovers.com:
--
hoovers.com text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27 ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26 ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"

The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and that IP address is within the range listed in the first SPF entry. Why did this fail?

Thanks!

Ken Morley
JM Technology Group
Ken -AT- jmtg.com

Re: Why is this failing SPF???
Ken Morley wrote:
> According to my understanding of the way SPF works the following message
> should not be failing. Can anyone tell me why this failed?
>
> Here's the pertinent parts of the log:
> --
> Apr 11 15:00:18 maildrop postgrey[2407]: request:
> client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com
> etrn_domain= helo_name=hamhock.hoovers.com
>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM,
> <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=9.243 tag=3
> tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091,
> HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10],
> autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)
>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) one_response_for_all
> <[EMAIL PROTECTED]>: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'
>
> Here's the SPF record for hoovers.com:
> --
> hoovers.com text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27
> ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26
> ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr
> a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"
>
> The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and
> that IP address is within the range listed in the first SPF entry. Why
> did this fail?

First, this was SPF_HELO_FAIL, not SPF_FAIL. This rule by default has a score of zero, and is not really a proper way to test SPF. Why'd you raise it from 0 to 10?

Since it was SPF_HELO_FAIL we need to look at the HELO, not the real host delivering the mail. According to your server logs, the HELO was hamhock.hoovers.com, not hamhock-outbound.hoovers.com.

That said, from my perspective hamhock.hoovers.com resolves to 66.179.38.137, which should also match the first clause of the SPF record. Does hamhock.hoovers.com resolve to anything else on your spamassassin system?

It's also possible that SA's trust-path auto-guesser is confused and it used the wrong Received: headers. But there's not enough information here to debug that. You'd have to take a copy of the message and run it through spamassassin -D to see how SA parsed the various Received: headers.

Re: Why is this failing SPF???
On 13-Apr-07, at 9:41 AM, Ken Morley wrote:

> According to my understanding of the way SPF works the following message should not be failing. Can anyone tell me why this failed?
>
> Here's the pertinent parts of the log:
> --
> Apr 11 15:00:18 maildrop postgrey[2407]: request: client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com etrn_domain= helo_name=hamhock.hoovers.com instance=7dbd.461d3042.a4146.0 protocol_name=ESMTP protocol_state=RCPT queue_id= [EMAIL PROTECTED] recipient_count=0 request=smtpd_access_policy reverse_client_name=hamhock-outbound.hoovers.com [EMAIL PROTECTED] size=18654 action=PREPEND X-Greylist: delayed 1063 seconds by postgrey-1.27 at maildrop.domain.com; Wed, 11 Apr 2007 15:00:18 EDT
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP< MAIL FROM:<[EMAIL PROTECTED]> SIZE=18654\r\n
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) lookup (debug_sender) => undef, "[EMAIL PROTECTED]" does not match
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP> 250 2.1.0 Sender <[EMAIL PROTECTED]> OK
> Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP::10024 /var/amavisd/tmp/amavis-20070411T141549-32198: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> SIZE=18654 Received: from maildrop.domain.com ([127.0.0.1]) by localhost (maildrop.domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[EMAIL PROTECTED]>; Wed, 11 Apr 2007 15:00:18 -0400 (EDT)
> Apr 11 15:00:19 maildrop amavisd[32198]: (32198-06) Checking: pOlR15g8xTwO [66.179.38.26] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=9.243 tag=3 tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10], autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)
> Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) one_response_for_all <[EMAIL PROTECTED]>: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'
>
> Here's the SPF record for hoovers.com:
> --
> hoovers.com text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27 ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26 ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"
>
> The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and that IP address is within the range listed in the first SPF entry. Why did this fail?

It didn't fail SPF, it failed SPF_HELO.

The sending server said:

'helo_name=hamhock.hoovers.com'

SPF policy for hamhock.hoovers.com is:

hamhock.hoovers.com. IN TXT "v=spf1 a -all"

Which resolves to:

hamhock.hoovers.com. IN A 66.179.38.137

Which does not match 66.179.38.26

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740