Checking SPF Record functionality.

pandymic
05-10-2007, 02:15 PM
The technical staff at WestHost were kind enough to add an SPF record to my account at my request. The record is set to fail all e-mails that aren't sent from my server.

This morning I got this in my inbox:


Return-Path: <****@pandymic.com>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on pandymic.com
X-Spam-Level:
X-Spam-Status: No, score=-67.8 required=7.0 tests=MISSING_SUBJECT,
MSGID_FROM_MTA_ID,NO_REAL_NAME,RCVD_HELO_IP_MISMATCH,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
RDNS_NONE,TVD_RCVD_IP,TVD_RCVD_IP4,URIBL_AB_SURBL,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,
USER_IN_WHITELIST autolearn=no version=3.1.7
Received: from 206.130.97.159 ([221.238.16.59])
by pandymic.com (8.12.11.20060308/8.12.11) with SMTP id l4A7absM006755
for <****@pandymic.com>; Thu, 10 May 2007 01:37:11 -0600
Date: Thu, 10 May 2007 01:36:38 -0600
From: ****@pandymic.com
Message-Id: <200705100737.l4A7absM006755@pandymic.com>
To: ****@pandymic.com

we email advertise your charity web site to 7,500,000 people. free.

http://www.theemailbroadcastingcompany.com


I've run several tests of my SPF record and everything seems to be working correctly. All e-mails from @pandymic.com that aren't sent through my server fail. The first IP address (206.130.97.159) is that of my server. The second one (221.238.16.59) I'm unfamiliar with. I'm assuming that it could only be the source of the spam.

Is there a way to check whether this e-mail was sent from my server? Or whether it's just some clever masking scheme? All e-mail from pandymic.com has been whitelisted by Spam Assassin, hence the negative score.

Thank you for your support.

testbenchdude
05-10-2007, 05:39 PM
Spammers are evil. In this situation they have spoofed your domain name (pandymic.com). Since you have whitelisted pandymic.com this spam got through.


All e-mails from @pandymic.com that aren't sent through my server fail.
This statement is only true if the receiving email server does strict SPF checking. Very few actually do this today. It is a practice that is slowly gaining a following.

This particular email would have failed an SPF check had the check actually been performed. Unfortunately I don't know how to configure WestHost 2.0 to reject SPF fails. After my account is upgraded to WestHost 3.0 I will work on setting up my WestHost VPS to reject email that fails the SPF check.



The one in red I'm unfamiliar with. I'm assuming that it could only be the source of the spam.
Assuming that you have done very little tampering with this header, I would agree with your assumption that the source of the spam was 221.238.16.59. With a little digging, that IP address belongs to a Chinese computer network.

inetnum: 221.238.0.0 - 221.239.127.255
netname: CHINANET-TJ
descr: CHINANET TIANJIN PROVINCE NETWORK
descr: Tianjin Telecom Corporation
descr: NO.11 LIUJING ROAD,HEDONG DISTRICT,TIANJIN
country: CN



-Ed

pandymic
05-10-2007, 08:52 PM
Unfortunately I don't know how to configure WestHost 2.0 to reject SPF fails.

Theoretically, couldn't this be as simple as writing a Perl or Python script using the Mail::SPF or pyspf libraries which checks headers against your SPF records? It's just a simple matter of executing it at the procmail level. It's not as resource-efficient as rejecting e-mails before they're processed by sendmail, but the same end result is eventually achieved at the expense of a minuscule amount of bandwidth.

Unfortunately, I have no experience with Python, and I haven't had any luck installing the Mail::SPF library.
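
The procmail-level check pandymic describes, as an added example that is not his code, WestHost's, or anything from the thread. It parses the message quoted in the first post, takes the peer IP from the topmost Received header, and evaluates the envelope sender's SPF record against it. Everything DNS-related goes through a stub resolver so it runs offline; in production Mail::SPF, pyspf or dnspython would answer those queries. The record for pandymic.com is an assumption (the thread never shows it), written as the "only my server, -all" policy the poster describes, and the masked address has been replaced with `user@`.

```python
"""Offline SPF check of the message quoted in the first post.
Added example, not the poster's or WestHost's code. Mail::SPF or pyspf would
do the DNS work in production; a stub resolver stands in here so the logic
runs without network access."""
import email
import ipaddress
import re

# Constructed stub DNS. The thread never shows pandymic.com's actual SPF
# record; this is the assumed "only my server may send, everything else
# fails" policy the poster describes.
STUB_DNS = {
    ("pandymic.com", "TXT"): ["v=spf1 ip4:206.130.97.159 -all"],
}

# Constructed copy of the headers quoted in the first post (address masked).
SPAM = """\
Return-Path: <user@pandymic.com>
Received: from 206.130.97.159 ([221.238.16.59])
\tby pandymic.com (8.12.11.20060308/8.12.11) with SMTP id l4A7absM006755
\tfor <user@pandymic.com>; Thu, 10 May 2007 01:37:11 -0600
Date: Thu, 10 May 2007 01:36:38 -0600
From: user@pandymic.com
To: user@pandymic.com

we email advertise your charity web site to 7,500,000 people. free.
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Stub for a DNS query; swap in dnspython for a real check."""
    return STUB_DNS.get((name.lower().rstrip("."), rtype), [])

def check_spf(ip, domain, depth=0):
    """Evaluate domain's v=spf1 record for the connecting address ip.
    Supports ip4, ip6, a, include and all. mx, ptr, exists, macros and
    CIDR suffixes on 'a' are out of scope and return permerror, never a
    silent pass."""
    if depth > 10:                       # cap in the spirit of RFC 7208's 10-lookup limit
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv4 address is never 'in' an IPv6 network, and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(target, "A") + lookup(target, "AAAA"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no 'all' term

def connecting_ip(received):
    """sendmail writes 'from <HELO> (<rDNS> [<peer IP>])'. The bracketed
    address comes from the TCP connection and is what SPF must test; the
    HELO name is whatever the client claimed, here the victim's own IP."""
    m = re.search(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)", received)
    return (m.group(1), m.group(2)) if m else (None, None)

def check_message(raw):
    """Return (helo, peer_ip, result). Only the topmost Received header is
    trusted: our own MTA wrote it, while any below it may be forged."""
    msg = email.message_from_string(raw)
    helo, ip = connecting_ip(msg.get("Received", ""))
    m = re.search(r"@([^>\s]+)", msg.get("Return-Path", ""))
    if ip is None or not m:
        return helo, ip, "none"
    return helo, ip, check_spf(ip, m.group(1))

if __name__ == "__main__":
    # From a procmail recipe the message arrives on stdin; run by hand it
    # uses the sample. Exit status 1 on fail lets the recipe file or drop it.
    import sys
    raw = SPAM if sys.stdin.isatty() else sys.stdin.read()
    helo, ip, result = check_message(raw)
    print(f"HELO={helo} peer={ip} spf={result}")
    sys.exit(1 if result == "fail" else 0)
```

Two things the header alone does not make obvious fall out of running it: the peer address 221.238.16.59 fails the record, while the HELO argument 206.130.97.159 (the victim's own server, which is why SpamAssassin flagged RCVD_HELO_IP_MISMATCH and RCVD_NUMERIC_HELO) would pass, so a check that trusted the HELO name instead of the bracketed IP would be fooled. Unknown mechanisms deliberately produce permerror rather than falling through to "pass".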

testbenchdude
05-11-2007, 11:51 AM
Theoretically, couldn't this be as simple as ...
I never find any of this configuration stuff to be simple. ;)

There are several SPF milters available for sendmail. I'm not in a big hurry to use the milter interface of sendmail 8.12.x. The socketmap approach used in sendmail 8.13.x looks like something I will be able to handle, so I'll wait for the WestHost upgrade before trying milters. Scroll about half way down the link below and there is a list of about 8 different sendmail milters that do SPF.

http://www.openspf.org/Implementations


RCVD_IN_BL_SPAMCOP_NET
I just noticed that SpamAssassin found that IP address in the SpamCop block list. Have you thought about trying the dynamic spam rejection with RBLs? This particular spam would have been blocked.

In your site manager go to Site Applications. Under dynamic spam rejection I have one box checked (bl.spamcop.net); in the space below I have entered zen.spamhaus.org. Those two lists are blocking lots of spam for me.

Avoid using dnsbl.sorbs.net because that list contains a lot of legitimate email servers. Many servers that had a spam problem in the past but have since resolved the issue will remain on SORBS. Once on the SORBS list it is difficult to get removed. The SORBS list is good for a low score in SpamAssassin but is too aggressive for outright rejection.

-Ed
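
What the "dynamic spam rejection" setting does with the two lists Ed names, as an added example that is not his code or WestHost's: reverse the octets of the peer IP, query that name under each DNSBL zone, and treat an answer in 127.0.0.0/8 as a listing. The DNS answers are a constructed stub (the real 2007 listings are not reproduced; the SpamCop entry mirrors the RCVD_IN_BL_SPAMCOP_NET hit in the first post, the zen codes its RCVD_IN_XBL hit), and the 127.0.0.2 / 127.0.0.1 sanity check is the RFC 5782 convention for detecting a dead or wildcarding list before letting it reject mail.

```python
"""DNSBL lookup behind 'dynamic spam rejection'.
Added example, not the poster's or WestHost's code. A stub resolver replaces
live DNS so the mechanics can be read and run offline."""
import ipaddress

# Constructed stub answers. The real 2007 listings are not reproduced; the
# SpamCop entry mirrors SpamAssassin's RCVD_IN_BL_SPAMCOP_NET hit in the
# first post, the zen codes (127.0.0.4 = XBL, 127.0.0.11 = PBL) its
# RCVD_IN_XBL hit. The 127.0.0.2 entries are the lists' test addresses.
STUB_DNS = {
    "59.16.238.221.bl.spamcop.net": ["127.0.0.2"],
    "59.16.238.221.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
}

# The two zones Ed uses for outright rejection.
ZONES = ["bl.spamcop.net", "zen.spamhaus.org"]
RETURN_CODES = ipaddress.ip_network("127.0.0.0/8")

def lookup_a(name):
    """Stub for an A query; a real script would use dnspython and treat
    NXDOMAIN as 'not listed'."""
    return STUB_DNS.get(name.lower().rstrip("."), [])

def query_name(ip, zone):
    """Reverse the octets and append the zone: 221.238.16.59 becomes
    59.16.238.221.bl.spamcop.net. (IPv6 zones reverse nibbles instead;
    not handled here.)"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def listing_codes(ip, zone):
    """Return the 127.0.0.x codes the zone answers for ip; [] if unlisted.
    Answers outside 127/8 (an expired zone parked by a registrar, a stray
    public address) are discarded instead of counted as hits."""
    return [a for a in lookup_a(query_name(ip, zone))
            if ipaddress.ip_address(a) in RETURN_CODES]

def zone_is_sane(zone):
    """RFC 5782 convention: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone failing this is dead or wildcarding and must not drive rejects."""
    return bool(listing_codes("127.0.0.2", zone)) and not listing_codes("127.0.0.1", zone)

def check_zones(ip, zones=ZONES):
    """Map each sane zone that lists ip to the codes it returned."""
    hits = {}
    for zone in zones:
        if not zone_is_sane(zone):
            continue
        codes = listing_codes(ip, zone)
        if codes:
            hits[zone] = codes
    return hits

def should_reject(ip, zones=ZONES):
    """Rejection policy: any hit on a configured, sane zone rejects at SMTP
    time. Lists suited only to scoring, as Ed says of SORBS, stay out of
    this set and go into SpamAssassin instead."""
    return bool(check_zones(ip, zones))

if __name__ == "__main__":
    for ip in ("221.238.16.59", "206.130.97.159"):
        print(ip, check_zones(ip), "reject" if should_reject(ip) else "accept")
```

The sanity check matters for exactly the reason Ed gives for avoiding over-aggressive lists: a zone used for outright rejection is trusted with bouncing mail, so a list that has gone dark and started answering for every query must be noticed before it rejects everything.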