On 1-Sep-06, at 7:18 AM, decoder wrote:

Hello,

today I saw a strange SPF bug occurring. The original mail header was:

Return-Path: <[EMAIL PROTECTED]>
Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
    by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
k7T8rU6P012050;
    Tue, 29 Aug 2006 10:53:30 +0200
Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
[213.199.128.139])
by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id k7T8rT98004989;
    Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
Received: from xxxxx.europe.corp.microsoft.com ([65.53.193.xxx]) by
mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
     Tue, 29 Aug 2006 09:53:29 +0100

(Some unrelated privacy details replaced with xxx).

Now what SPF should do is (as far as I understood):

- Get the mail server that sent this (mail-eur1.microsoft.com)
- Check that its IP is in the allowed SPF record of microsoft.com

This check passes as you can see here:
http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139

Now SpamAssassin did something else, it took mail.cs.uni-sb.de as the
mailserver that sent, and tried to match it against microsoft.com's
SPF records which produced a SOFTFAIL:

 1.4 SPF_SOFTFAIL           Sending host does not match SPF-record
(softfail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
 2.4 SPF_HELO_SOFTFAIL      HELO-Name does not match SPF-record
                (softfail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]

Can someone explain this failure to me?

SpamAssassin gave the correct result. It compared the IP address of the last received server mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) against the SPF record for Microsoft and did not see a match. Result: SOFTFAIL.

Why do you think it should compare to mail-eur1.microsoft.com (mail-eur1.microsoft.com [213.199.128.139])?

SPF compares the IP address of the last server to handle the message before it was handed off to a server on your receiving end. If the message was sent to someone who is using forwarding and forwarded through mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) then this would explain the SOFTFAIL. Forwarding breaks SPF.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740
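
The following Python example is added here for illustration; it is not part of either message and is not SpamAssassin's code. It walks the Received headers quoted above and shows how the address that SPF is evaluated against depends on which relays count as "your receiving end". The function names, the `own_networks` parameter and the `POLICY` string are assumptions made for the example; `POLICY` is a constructed record, not the real microsoft.com one.

```python
import ipaddress
import re

# Received headers from the message above, newest first (unfolded).
# The oldest hop is left out because its IP is masked in the post.
RECEIVED = [
    "from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) "
    "by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP",
    "from mail-eur1.microsoft.com (mail-eur1.microsoft.com [213.199.128.139]) "
    "by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP",
]
# Constructed sample policy (assumption), chosen to match the results in the post.
POLICY = "v=spf1 ip4:213.199.128.0/24 ~all"

HOP = re.compile(r"from\s+\S+\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)")

def parse_client_ip(header):
    """Return the connecting client's IP from one Received header, or None."""
    m = HOP.search(header)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def handoff_ip(received, own_networks):
    """IP of the newest relay that is NOT part of the receiving side."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    for header in received:
        ip = parse_client_ip(header)
        if ip is None:
            return None          # unparseable hop: nothing older can be trusted
        if not any(ip in n for n in nets):
            return ip            # first external relay = address SPF checks
    return None

def spf_ip4_result(ip, policy):
    """Minimal evaluator: only ip4: mechanisms and a trailing 'all' term."""
    for term in policy.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

if __name__ == "__main__":
    # Only wjpserver is the receiving end, versus mail.cs.uni-sb.de counted too.
    for own in ([], ["134.96.254.200/32"]):
        ip = handoff_ip(RECEIVED, own)
        print(own, ip, spf_ip4_result(ip, POLICY))
```

With no relay listed as the receiver's own, the checked address is 134.96.254.200 and the result is softfail; with mail.cs.uni-sb.de listed, the checked address becomes 213.199.128.139 and the result is pass.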


