Is SPF implementation broken in MailEssential

 
Is SPF implementation broken in MailEssential - 21.Oct.2009 9:26:53 AM   
morphus

 

Posts: 14
Joined: 9.Jun.2008
Status: offline
Hello,

I'm currently wondering if the SPF implementation in GFI MailEssentials is working properly.

Again this morning I have a flood of Microsoft emails about a supposed Outlook update, which are obviously forged but not caught by SPF in GFI, but are flagged as forged by Exchange 2007 SPF. This is not the first time I have seen this behavior.

Any idea why?

Here is the header

Received: from ppp-58-11-81-43.revip2.asianet.co.th (58.11.81.43) by
    mail.-----.com (---.---.---.---) with Microsoft SMTP Server id 8.1.393.1;
    Wed, 21 Oct 2009 10:18:43 -0400
Received: from 58.11.81.43 by mail.seil-frey.de; Wed, 21 Oct 2009 21:18:00
    +0700
From: Microsoft Update Center <noreply@microsoft.com>
To: <------@-----.com>
Subject: Install Update for Microsoft Outlook
Date: Wed, 21 Oct 2009 21:18:00 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0006_01CA5259.4B2E8F70"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QO707D5BQGGTO0C4HL87UZ3S90==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <000d01ca5259$4b2e8f70$6400a8c0@deletednf4>
Return-Path: deletednf4@seil-frey.de
X-MS-Exchange-Organization-PRD: microsoft.com
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (---.-------.com: domain of transitioning
    noreply@microsoft.com discourages use of 58.11.81.43 as permitted sender)

X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: ppp-58-11-81-43.revip2.asianet.co.th
X-GFI-SMTP-RemoteIP: 58.11.81.43
Post #: 1
RE: Is SPF implementation broken in MailEssential - 21.Oct.2009 9:35:30 AM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Nope, it's a SOFTFAIL, and if you've got SPF set to Low, it won't catch it. Moan at Microsoft to fix their SPF record.

If you set SPF to Medium, you will probably get a lot of false positives.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to morphus)
Post #: 2
RE: Is SPF implementation broken in MailEssential - 21.Oct.2009 9:37:31 AM   
morphus

 

Posts: 14
Joined: 9.Jun.2008
Status: offline
I know it's a soft-fail, but GFI doesn't mark it as Soft-Fail, only Exchange does. Therefore GFI doesn't block it.

(in reply to RSP)
Post #: 3
RE: Is SPF implementation broken in MailEssential - 21.Oct.2009 9:49:44 AM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
ME will only block it if you have the SPF module set to Medium or High.

When it's set to Low, the SPF module will only perform the action if it's a FAIL. Any other result will pass the message untouched.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to morphus)
Post #: 4
RE: Is SPF implementation broken in MailEssential - 21.Oct.2009 11:37:31 AM   
morphus

 

Posts: 14
Joined: 9.Jun.2008
Status: offline
Even at Medium or High, there are many SPF that are caught by Exchange that are not triggered by GFI.

ML

(in reply to RSP)
Post #: 5
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 3:40:18 AM   
peters.tom

 

Posts: 3
Joined: 22.Oct.2009
Status: offline
I have seen this as well in our company. There are masses of emails coming in with my email address, for example, and the SPF module is not catching them. There is even an SPF record in our DNS server which points to the right IP address and MX entry, and the mails are still coming in.

I always thought that the SPF module would check if the IP in the header is allowed to send the email, and it is obviously not, but the module is just passing it 80% of the time. It's quite annoying.

Here is one example which did not get caught by the GFI SPF module. The email comes from "62.182.211.145", which is NOT the IP of our MX entry, and the email address is mine.

Microsoft Mail Internet Headers Version 2.0
Received: from LANBOTB ([62.182.211.145]) by mail.dnp.de with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 22 Oct 2009 10:53:01 +0200
Received: from 62.182.211.145 by robertinventor.com; Thu, 22 Oct 2009 19:50:32 +1000
Date: Thu, 22 Oct 2009 19:50:32 +1000
From: "Celina Rangel" <xxx@dnp.de>


< Message edited by peters.tom -- 22.Oct.2009 3:55:52 AM >


_____________________________

Tom Peters

(in reply to morphus)
Post #: 6
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 4:04:03 AM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Tom (& morphus), is your internal SPF record the same as your external one? "v=spf1 mx ip4:217.6.113.235 -all"
Check that ME is receiving it correctly by doing the following:
nslookup
server <ME's DNS server>
set type=txt
dnp.de. <-- or your own domain, morphus.
exit

What does the dashboard say happened to these emails? If it says "Whitelisted", check your whitelist carefully.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to peters.tom)
Post #: 7
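Added example (not part of any post in this thread, and not GFI's code): a minimal offline evaluation of the SPF record quoted in post #7 against the connecting IP from post #6, assuming the check is run against dnp.de. The MX address in `MX_IPS` and the `~all` variant are constructed, only the `ip4`, `ip6`, `mx` and `all` mechanisms are handled, and `low_level_acts` encodes the Low level as described in post #4.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 4408); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORD = "v=spf1 mx ip4:217.6.113.235 -all"   # record quoted in post #7
CLIENT_IP = "62.182.211.145"                  # connecting IP from post #6
MX_IPS = ["192.0.2.10"]                       # constructed stand-in for the MX lookup


def check_spf(record, client_ip, mx_ips=()):
    """Evaluate the ip4, ip6, mx and all mechanisms of one SPF record.

    mx_ips replaces the DNS lookup of the domain's MX hosts so the example
    runs offline. Other terms (a, include, modifiers) are skipped.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx" and not arg:
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def low_level_acts(result):
    """Low blocking level as described in post #4: act only on FAIL."""
    return result == "fail"


if __name__ == "__main__":
    # Second record is a constructed ~all variant of the first.
    for rec in (RECORD, RECORD.replace("-all", "~all")):
        result = check_spf(rec, CLIENT_IP, MX_IPS)
        print(rec, "->", result, "| acted on at Low:", low_level_acts(result))
```

The `fail` result only applies if the module actually evaluates dnp.de; a check run against a different identity never consults this record.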
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 4:47:42 AM   
peters.tom

 

Posts: 3
Joined: 22.Oct.2009
Status: offline
The DNS record is the same and my email is not on the whitelist; other addresses are not on the whitelist as well.

_____________________________

Tom Peters

(in reply to RSP)
Post #: 8
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 5:06:09 AM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
What does the dashboard say happened to the emails?

Post your spf.txt debug log file for the message in question; the info for a message is bounded by InitMessage/UnInitMessage.

Also, what's in the ase.gfi_log.txt file; the info is bounded by ::MTAM_IM,iFlags[0] and ::MTAM_UM,return[0x0]

Finally, there should be a single line in ase_action.gfi_log.txt describing the action taken.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to peters.tom)
Post #: 9
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 7:48:06 AM   
morphus

 

Posts: 14
Joined: 9.Jun.2008
Status: offline
In my case those emails are not coming as one of our internal emails; I had those in the past and that has been fixed for a while.

They are coming from a domain not under my control, and as mentioned, Exchange SPF validation catches them, not the GFI one.

ML

(in reply to RSP)
Post #: 10
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 7:53:51 AM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
This is the problem when a thread is hijacked, it all gets confusing. I meant to only ask the last question to you, morphus, in post #7.

morphus, please can you answer the questions in post #9 too?

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to morphus)
Post #: 11
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 7:58:10 AM   
morphus

 

Posts: 14
Joined: 9.Jun.2008
Status: offline
They were Whitelisted, but the SPF module is running before the Whitelist.

ML

(in reply to RSP)
Post #: 12
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 8:31:06 AM   
joestern

 

Posts: 273
Joined: 18.Sep.2003
From: Philadelphia, PA
Status: offline
One thing to keep in mind is that GFI's SPF module checks the REPLY-TO address and not the FROM address. That had me confused until I figured it out.

(in reply to morphus)
Post #: 13
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 9:03:57 AM   
morphus

 

Posts: 14
Joined: 9.Jun.2008
Status: offline
That I know, that's why I believe it's badly implemented...

It's easy to register a valid domain and put an SPF in it, then use this address as a reply-to.

Am I the only one who believes that the Exchange implementation, which checks at least the FROM address (not sure if they check the reply-to also), is better than just the reply-to? It's just too easy to go around that check...

ML

(in reply to joestern)
Post #: 14
RE: Is SPF implementation broken in MailEssential - 22.Oct.2009 9:12:28 AM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
quote:

From www.openspf.org:
SPF (defined in RFC 4408) validates the HELO domain and the MAIL FROM address given as part of the SMTP protocol (RFC 2821 – the "envelope" layer). The MAIL FROM address is usually displayed as "Return-Path" if you select the "Show all headers" option in your e-mail client. Domain owners publish records via DNS that describe their policy for which machines are authorized to use their domain in the HELO and MAIL FROM addresses, which are part of the SMTP protocol.


_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to morphus)
Post #: 15
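Added example (not part of any post in this thread): it pulls out of the post #1 headers the identities a check could be run against, the HELO domain and MAIL FROM named in the RFC 4408 text quoted above, next to the header From, Reply-To and the Sender ID PRD that Exchange recorded. The PRD selection is a simplified form of RFC 4407, and the function names are this example's own.

```python
from email import message_from_string
from email.utils import parseaddr

# Headers copied from post #1; lines with redacted host names are left out.
RAW = """\
From: Microsoft Update Center <noreply@microsoft.com>
Subject: Install Update for Microsoft Outlook
Return-Path: deletednf4@seil-frey.de
X-MS-Exchange-Organization-PRD: microsoft.com
X-MS-Exchange-Organization-SenderIdResult: SoftFail
X-GFI-SMTP-HelloDomain: ppp-58-11-81-43.revip2.asianet.co.th
X-GFI-SMTP-RemoteIP: 58.11.81.43

"""


def domain_of(value):
    """Lower-cased domain of an address header value, or None."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def checked_identities(raw):
    """Map each identity a sender check may use to the domain it yields."""
    msg = message_from_string(raw)
    # Simplified RFC 4407 PRD: the first of these headers that is present.
    prd_headers = ("Resent-Sender", "Resent-From", "Sender", "From")
    prd = next((domain_of(msg[h]) for h in prd_headers if msg[h]), None)
    return {
        "helo": msg["X-GFI-SMTP-HelloDomain"],      # SMTP HELO (RFC 4408)
        "mail_from": domain_of(msg["Return-Path"]),  # envelope sender (RFC 4408)
        "header_from": domain_of(msg["From"]),       # what the recipient sees
        "reply_to": domain_of(msg["Reply-To"]),      # None: header is absent
        "prd": prd,                                  # Sender ID identity
    }


def identities_disagree(ids):
    """True when MAIL FROM and the PRD point at different domains."""
    return ids["mail_from"] != ids["prd"]


if __name__ == "__main__":
    ids = checked_identities(RAW)
    for name, domain in ids.items():
        print(f"{name:12} {domain}")
    print("MAIL FROM and PRD differ:", identities_disagree(ids))
```

For this message a MAIL FROM check looks up the policy of seil-frey.de, while the SoftFail that Exchange recorded was computed against microsoft.com, so the two checks are not evaluating the same SPF record.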