Mailing List Archive

Obvious forged email reply with bad SPF info... Here is a header...
Hi,

This is the header from a Mail-Daemon from today. This is after all my
CNAME changes.

Return-Path: <gerberb@mail.zenez.com>
Received: (qmail 51102 invoked from network); 31 Jul 2008 18:46:39 -0300
Received: from 84.123.65.48.dyn.user.ono.com (HELO LUISDAVID) (84.123.65.48)
    by webhost.convex.com.br with SMTP; 31 Jul 2008 18:46:38 -0300
Received-SPF: unknown ?ip:67.91.130.5 (webhost.convex.com.br: SPF record at
    mail.zenez.com uses mechanism not recognized by this client)
Received: from [84.123.65.48] by zenez.com; Thu, 31 Jul 2008 22:51:48 +0100
From: "Vince Welsh" <gerberb@mail.zenez.com>
To: <petgord34truew@costapereira.com>
Subject: Free dating in Nevada =181
Date: Thu, 31 Jul 2008 22:51:48 +0100
Message-ID: <01c8f360$036dda00$30417b54@gerberb>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_000E_01C8F360.036DDA00"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Importance: Normal



--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
Re: Obvious forged email reply with bad SPF info... Here is a header...
On Thu, 31 Jul 2008, Boyd Lynn Gerber wrote:

> This is the header from a Mail-Daemon from today. This is after all my
> CNAME changes.
>
> ...
> by webhost.convex.com.br with SMTP; 31 Jul 2008 18:46:38 -0300
> Received-SPF: unknown ?ip:67.91.130.5 (webhost.convex.com.br: SPF record
> at
> mail.zenez.com uses mechanism not recognized by this client)
> ...

Well, this time they are right. "ip" is not a valid mechanism. I think
you meant "ip4".

I agree with others that spf3 should have "A" for a,ip4,ip6 and distinguish by
syntax. There are far too many errors of this sort.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


Re: Obvious forged email reply with bad SPF info... Here is a header...
On Thu, 31 Jul 2008, Stuart D. Gathman wrote:
> On Thu, 31 Jul 2008, Boyd Lynn Gerber wrote:
> > This is the header from a Mail-Daemon from today. This is after all my
> > CNAME changes.
> >
> > ...
> > by webhost.convex.com.br with SMTP; 31 Jul 2008 18:46:38 -0300
> > Received-SPF: unknown ?ip:67.91.130.5 (webhost.convex.com.br: SPF record
> > at
> > mail.zenez.com uses mechanism not recognized by this client)
> > ...
>
> Well, this time they are right. "ip" is not a valid mechanism. I think
> you meant "ip4".

Yes, that is what I get for trying to manually type in 200 plus records
late last night. Fixed now. Just have to wait for the DNS update.

Thanks,

> I agree with others that spf3 should have "A" for a,ip4,ip6 and distinguish by
> syntax. There are far too many errors of this sort.

It would be nice.

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
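
Added example, not part of the original thread: a small Python lint for "v=spf1" records that flags the typo diagnosed above ("ip:" where "ip4:" was meant) before records are published. The sample domains and the terms around "?ip:67.91.130.5" are constructed placeholders; the check is syntax-only and does no DNS lookups.

```python
import ipaddress
import re

# Mechanism names defined for "v=spf1" records (RFC 4408, section 5).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# [qualifier] name [separator value]; "=" marks a modifier such as redirect=.
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9._-]*)(?:([:/=])(.*))?$")

def check_ip(name, sep, value):
    """Syntax check for an ip4/ip6 argument; returns a problem string or None."""
    if sep != ":" or not value:
        return f"{name} needs an address after ':'"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"{name} argument is not an IP address or CIDR range"
    if net.version != int(name[2]):
        return f"{name} given an IPv{net.version} address"

def lint_spf(record):
    """Return (term, problem) pairs for one record; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(record, "record does not start with v=spf1")]
    problems = []
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            problems.append((term, "not a valid term"))
            continue
        name, sep, value = m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":
            continue  # modifier (redirect=, exp=, ...), not a mechanism
        if name not in MECHANISMS:
            problems.append((term, f"unknown mechanism '{name}'"))
        elif name in ("ip4", "ip6") and (problem := check_ip(name, sep, value)):
            problems.append((term, problem))
    return problems

def lint_records(records):
    """Lint a {domain: record} mapping; return only the domains with findings."""
    return {d: found for d, r in records.items() if (found := lint_spf(r))}

# Constructed sample; only the "?ip:67.91.130.5" term comes from the thread.
SAMPLE = {
    "mail.example.com": "v=spf1 a mx ?ip:67.91.130.5 -all",
    "fixed.example.com": "v=spf1 a mx ?ip4:67.91.130.5 -all",
}
print(lint_records(SAMPLE))
```

Run over every record in a batch before the zone is reloaded; a receiver that meets an unknown mechanism reports a permanent error for the whole record rather than skipping the bad term.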


Re: Obvious forged email reply with bad SPF info... Here is a header...
Boyd Lynn Gerber wrote:

>> spf3 should have "A" for a,ip4,ip6 and distinguish by
>> syntax. There are far too many errors of this sort.

> It would be nice.

But it cannot work. It is like saying that it would be
nice if all odd numbers are primes. Now if that future
SPF has no macros some syntax issues disappear, IPv4 is
anyway obsolete, and this version could try to "anything
with a colon is an IPv6" or similar.

Ignoring decades of lessons learned why mixing name and
IP syntax is wrong. Neither URIs (for IPv6) nor SMTP
(IPv4 + IPv6) allow this, they require square brackets
to disambiguate domains and domain literals.

Frank



Re: Obvious forged email reply with bad SPF info... Here is a header...
Hi,

Now the emails are telling me my email was rejected. Why do they send
emails telling me when I know this already? I do not want any forged mail
coming back telling me they are rejected. I asked them to do it. I
responded back to a couple telling them I created the record, and they
tried to tell me that SPF requires them to respond to the rejected email.
I told them I created the record to protect my domains. I do not need 200
emails telling me that the email was rejected and to stop spamming me.
These ISPs really do not read their references. I told them to read their
own email and look at the reference. The email was obviously forged. So
stop spamming me. I have not reported their 200 emails as spam. What do
the list members do when people send them 200+ emails referencing the SPF
website and why?

Thanks,

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047


Re: Obvious forged email reply with bad SPF info... Here is a header...
On Thursday 31 July 2008 22:38, Boyd Lynn Gerber wrote:
> Hi,
>
> Now the emails are telling me my email was rejected. Why do they send
> emails telling me when I know this already? I do not want any forged mail
> coming back telling me they are rejected. I asked them to do it. I
> responded back to a couple telling them I created the record, and they
> tried to tell me that SPF requires them to respond to the rejected email.
> I told them I created the record to protect my domains. I do not need 200
> emails telling me that the email was rejected and to stop spamming me.
> These ISPs really do not read their references. I told them to read their
> own email and look at the reference. The email was obviously forged. So
> stop spamming me. I have not reported their 200 emails as spam. What do
> the list members do when people send them 200+ emails referencing the SPF
> website and why?
>
I don't seem to get SPF specific ones, but spamcop is the usual destination
for me for bounces to mail I didn't send.

Scott K


Re[2]: Obvious forged email reply with bad SPF info... Here is a header...
>> I have not reported their 200 emails as spam. What do the list
>> members do when people send them 200+ emails referencing the SPF
>> website and why?

You could try getting them listed at backscatterer.org for a minor bit
of revenge.

I think pursuing this further is probably not worth your while,
though. The fact is that your SPF record was broken, and while these
guys were sorely misguided in backscattering their post-rejection
'long form' DSNs, the assault did help you find a problem that you
probably would not have noticed otherwise. So just call it even.

--Sandy



Re[2]: Obvious forged email reply with bad SPF info... Here is a header...
On Thu, 31 Jul 2008, Sanford Whiteman wrote:
> >> I have not reported their 200 emails as spam. What do the list
> >> members do when people send them 200+ emails referencing the SPF
> >> website and why?
>
> You could try getting them listed at backscatterer.org for a minor bit
> of revenge.
>
> I think pursuing this further is probably not worth your while,
> though. The fact is that your SPF record was broken, and while these
> guys were sorely misguided in backscattering their post-rejection
> 'long form' DSNs, the assault did help you find a problem that you
> probably would not have noticed otherwise. So just call it even.

I would but now I have received 2000 of these emails...

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The Postfix program

<dsha@jetbrains.com>: host mail.intellij.net[213.182.181.98] said: 550

Please%see%http://spf.pobox.com/why.html?sender=gerber%40zenez.com&ip=83.149.198.201&receiver=is.intellij.net
: Reason: mechanism (#5.7.1) (in reply to MAIL FROM command)

but nothing more than this...


--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047


Re[3]: Obvious forged email reply with bad SPF info... Here is a header...
> I would but now I have received 2000 of these emails...

Okay, if they are looking at your current, valid SPF record, I do take
back my call for leniency. Still backscattering when you have a valid
record that concludes SPF FAIL? These people are a scourge. To me,
this is as stupid as servers that accept mail that FAILs, even when
their implementation could have rejected at envelope-time and they did
not have the sender pre-whitelisted. This kind of
pussyfooting/underreaching/overreaching by people who pretend to
'speak' SPF is ridiculous.

And yet... it's rare to get satisfaction unless you have spare time
_and_ you can get one of their IT staff to take a gentle, learning
interest in the problem. You won't do that by attacking their skills,
even if they deserve it. You might start by saying that their servers
appear to have been hijacked by spammers and that you are calling as a
public service.

--Sandy



Re[2]: Obvious forged email reply with bad SPF info... Here is a header...
> I agree with others that spf3 should have "A" for a,ip4,ip6 and
> distinguish by syntax. There are far too many errors of this sort.

I agree with Frank that this would be inadvisable and unnecessary.

Still, should it continue to be considered, please don't propose 'A'
as the name of the mechanism. More appropriate would be 'N' as in
'Name'.

Reason: Many APIs forgive, or even invite, a call to gethostbyname()
that passes a string representation of an IP4/6 address, echoing that
address instead of looking it up as an (invalid) FQDN. On the other
hand -- assuming 'A' was meant to stand for a general type 'Address'
-- I don't know of any that will take a string hostname into an
(overloaded?) gethostbyaddr(). So 'N' is closer to real-world
generalization. My take, at least.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: sandy@cypressintegrated.com
------------------------------------



Re: Obvious forged email reply with bad SPF info... Here is a header...
Boyd Lynn Gerber wrote:
>
> [...] now I have received 2000 of these emails...
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to <postmaster>
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The Postfix program
>
> <dsha@jetbrains.com>: host mail.intellij.net[213.182.181.98] said: 550
>
> Please%see%http://spf.pobox.com/why.html?sender=gerber%40zenez.com&ip=83.149.198.201&receiver=is.intellij.net
> : Reason: mechanism (#5.7.1) (in reply to MAIL FROM command)
>
> but nothing more than this...

The bounce is apparently generated by smtp.ispras.ru after intellij.net
rejected the message. Correctly, since they are the MX of jetbrains.com,
and SPF test fails. Obviously, smtp.ispras.ru does no SPF checks...


Perhaps someone should advise the postmaster at intellij.net (in CC)
that the url they have configured results in

HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Aug 2008 07:48:56 GMT
Server: Apache/2.0.55 (Debian) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8g mod_apreq2-20051231/2.6.0 mod_perl/2.0.2 Perl/v5.8.8
Location: http://www.openspf.org/why.html?sender=gerber%40zenez.com&ip=83.149.198.201&receiver=is.intellij.net

It means that

The requested resource has been assigned a new permanent URI and any
future references to this resource SHOULD use one of the returned
URIs.


Except for the obsolete pointer, the advice in the page thus referenced
seems valid ("This means SPF is working as designed"). Does that imply
that ispras.ru is _not_ working as it should? The text could be more
explicit on that point...


Finally, note that googling for `site:trusted-forwarders.org spf' yields
no results. That domain name has expired, so it is probably not a good
idea to include it in spf records, for the time being...




Re: Obvious forged email reply with bad SPF info... Here is a header...
Boyd Lynn Gerber wrote:

> I have not reported their 200 emails as spam. What do
> the list members do when people send them 200+ emails
> referencing the SPF website and why?

If that's about mails I have NOT sent, ideally SPF FAIL,
I'd report this as spam. That is a core concept of SPF:

(1) spammer forges my FAIL-protected address
(2) receiver rejects FAIL at their border MTA
(3) spammer won't create a bounce to me - in theory
they could, but of course it would be reportable
spam, what else ?

Alternative scenario (relevant for SPF):

(1) spammer forges my FAIL-protected address
(2) primary receiver forwards to third party
(3) 3rd party rejects FAIL at their border MTA
(4) primary receiver (forwarder) sends bounce to me.
Same result as above, this *IS* reportable spam.
Taking "traditional forwarders" out of business
(half-open relays) is a core point of SPF FAIL.

Frank


