SPF issue - strange false positive [message #128305]
Thu, 03 March 2016 12:20
bandicootltd
Messages: 30 Registered: May 2012
Hi
Just received a report of an email that wasn't delivered to our Kerio server. The mail server blocks emails with a failed SPF. All makes sense, apart from the fact that the undeliverable email sent back includes a link to OpenSPF.Net which shows a different sending IP address than the one in the headers.
The domain xxx.com has authorized exch-smtp-out.livemail.co.uk (213.171.216.29) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.
However the last IP in the header is...
Received: from WINHEXFEEU1.win.mail (unknown [217.160.154.162]) by exch-2010-smtp-out-03.livemail.co.uk (Postfix) with ESMTP id 687851CF8E3; Thu, 3 Mar 2016 09:39:50 +0000 (GMT)
The email as far as I can see should have been blocked, but explaining this to the client with the statement in the link saying it should have been accepted isn't great.
Has anyone else seen this?
Re: SPF issue - strange false positive [message #128340 is a reply to message #128305]
Fri, 04 March 2016 16:11
Maerad
Messages: 275 Registered: August 2013
Looks like the last hop (or first?!) isn't in the SPF. But honestly, with that information it's more fortune telling than help. If you give us the sending domain and the whole header, maybe we can figure something out together. With the information available right now, I wouldn't even know where to look.
Btw., I would suggest changing the SPF stuff from a total block to a spam score. We receive a lot of legit mail with bad / wrong SPF records and it would be bad if those mails were lost - many of them actual orders. Not to mention that the mail with the wrong SPF warning goes to a normal user. Experience tells us those can't do anything with it and most likely will delete the mail.
Had some bad experiences with that. If you set the spam score like one or two points below the block limit, I guess no spam will come through.
Not to mention, a lot of spam we get to our end users comes from compromised systems that send out in the user's name (like an infected Outlook), and those come with a correct SPF record.
[Updated on: Fri, 04 March 2016 16:13]
Re: SPF issue - strange false positive [message #128385 is a reply to message #128340]
Mon, 07 March 2016 16:19
bandicootltd
Messages: 30 Registered: May 2012
The hops, in the order shown in the headers, are:
Received: from WINHEXFEEU1.win.mail (unknown [217.160.154.162])
by exch-2010-smtp-out-03.livemail.co.uk (Postfix) with ESMTP id 687851CF8E3;
Thu, 3 Mar 2016 09:39:50 +0000 (GMT)
Received: from winhexbeeu43.win.mail (10.76.18.52) by winhexbeeu47.win.mail
(10.76.18.54) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Thu, 3 Mar
2016 10:39:49 +0100
Received: from winhexbeeu43.win.mail ([fe80::e077:6b30:5ffd:b2c9]) by
winhexbeeu43.win.mail ([fe80::e077:6b30:5ffd:b2c9%15]) with mapi id
15.00.1130.005; Thu, 3 Mar 2016 10:39:49 +0100
The SPF record for the domain is:
v=spf1 a ip4:213.171.216.0/24 mx -all
The rejection makes sense since the sending server's IP address is not in the SPF record. The bit I don't understand is that the undeliverable sent back contains the SPF link:
Remote Server returned '<mail.bandicoot.co.uk #5.7.0 smtp; 550 5.7.0 Please see http://www.openspf.net/why.html?sender=email%40address.com&ip=213.171.216.29&receiver=mail.bandicoot.co.uk>'
This link will not work for you since I have altered the sender's domain, but the IP address in the link doesn't feature in the hops list in the original email, so where does it come from? Because the IP is in the SPF record, when you click on the link it states:
The domain xxx.com has authorized exch-smtp-out.livemail.co.uk (213.171.216.29) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.
Re: SPF issue - strange false positive [message #128402 is a reply to message #128305]
Tue, 08 March 2016 14:24
freakinvibe
Messages: 589 Registered: April 2004
The mail should have been accepted as your last hop is:
WINHEXFEEU1.win.mail [217.160.154.162] ===> exch-2010-smtp-out-03.livemail.co.uk [213.171.216.26]
So the question is rather why it was not accepted. You have to look through your Kerio logs (Security and Debug log) to see why the mail was rejected.
Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
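To make the point of this thread concrete (the receiver evaluates the SPF record against the IP of the host that connected to it, not against earlier hops in the Received chain), here is an added Python example that is not from the thread, from Kerio or from OpenSPF: a small evaluator for the record quoted above. The DNS table, example.com and the 198.51.100.x addresses are constructed assumptions, and it handles only the a, mx, ip4, ip6 and all mechanisms this record uses (no include, redirect or macros).

```python
import ipaddress

# Constructed for this example: the record quoted in the thread, plus a
# stand-in DNS table so the "a" and "mx" mechanisms resolve offline. The
# domain and addresses in FAKE_DNS are assumptions, not real lookups.
SPF_RECORD = "v=spf1 a ip4:213.171.216.0/24 mx -all"
FAKE_DNS = {
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mx.example.com"],
    ("mx.example.com", "A"): ["198.51.100.25"],
}

def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when nothing is known."""
    return FAKE_DNS.get((name, rtype), [])

def mechanism_matches(mech, client_ip, domain):
    """True when one mechanism (a, mx, ip4, ip6, all) covers client_ip.
    include/redirect/macros are not handled; the thread's record has none."""
    name, _, arg = mech.partition(":")
    if name in ("ip4", "ip6"):
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        hosts = [arg or domain]
    elif name == "mx":
        hosts = lookup(arg or domain, "MX")
    elif name == "all":
        return True
    else:
        raise ValueError("unsupported mechanism: " + mech)
    addrs = [ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A")]
    return client_ip in addrs

def check_spf(record, client_ip, domain):
    """Evaluate `record` for the IP that connected to the receiving MTA
    (the last hop), as a receiver like the Kerio server in the thread does.
    Returns pass/fail/softfail/neutral, or none for a non-SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, domain):
            return results[qualifier]
    return "neutral"  # no mechanism matched and no "all" present
```

Running check_spf over the three addresses in the thread shows both livemail outbound hosts (213.171.216.26 and .29) passing via the /24, while the internal hop 217.160.154.162 fails; so a rejection of this message has to come from something other than the record itself, which is why the Kerio logs are the next place to look.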