Mailing List Archive

Header Checker at InfinitePenguins
Does the header checker at infinitepenguins (
http://spftools.infinitepenguins.net/headercheck.php ) usually work? I
realize that it's in alpha, so wouldn't be surprised if it doesn't, but
I can't find any similar tools anywhere.

My problem is that I have a very simple SPF record published ( "v=spf1 a
-all" ) and the header checker finds the record, but then reports the
headers from an email sent from the requisite domain (rusticweb.com) to
a friend on a different mail server is suspect. The IP in the first
"Received:" header perfectly matches the A record for my domain, so
either the tool itself isn't working right, or I'm doing something
really stupid (wouldn't be the first time).

Thanks!

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: Header Checker at InfinitePenguins
Depends on what your set-up is. I discovered that my server - which I share
with a few guys - actually only runs one instance of sendmail and we all use
it, so mails go out with the server base domain name, not our own. Fix it
by adding the server base domain name to your spf record.


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492



Re: Header Checker at InfinitePenguins
jpinkerton wrote:

>Depends on what your set-up is. I discovered that my server - which I share
>with a few guys - actually only runs one instance of sendmail and we all use
>it, so mails go out with the server base domain name, not our own. Fix it
>by adding the server base domain name to your spf record.
>
>
>
Thanks for the response. I don't think that's the trouble here though,
as the headers clearly show the email coming from my domain. I've
included the email headers (with my friend's email address x'd out for
privacy's sake), a copy of my zone file, and the output from the header
check tool below, in hopes that it'll help someone point out my mistake.

Headers...
--------------------------------

Return-Path: <jon@[deleted]>
Received: from rusticweb.com (rusticweb.com [66.160.153.44] (may be forged))
    by main2.ezpublishing.com (8.9.3p2/8.9.3) with SMTP id GAA07563
    for <xxx@xxx.org>; Fri, 3 Sep 2004 06:51:24 -0700
Received: from [127.0.0.1] ([204.250.85.4]) by rusticweb.com for
    <rye@[deleted]>; Fri, 3 Sep 2004 06:51:24 -0700
Message-ID: <413876F3.90808@rusticweb.com>
Date: Fri, 03 Sep 2004 07:51:47 -0600
From: Jonathan Motta <jon@[deleted]>
User-Agent: Mozilla Thunderbird 0.7.3 (Windows/20040803)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: <xxx@xxx.org>
Subject: email
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=-99.6 required=0.0
    tests=AWL,RCVD_IN_ORBS,RCVD_IN_OSIRUSOFT_COM,USER_AGENT,
    USER_IN_WHITELIST,X_ACCEPT_LANG
    version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
------------------------------------

Zone File....
------------------------------------
        IN MX 1 <server>
        IN A <ip>
www     IN CNAME @
ftp     IN CNAME @
mail    IN CNAME @
        IN TXT "v=spf1 a -all"
-------------------------------------

Header Check Output...
-------------------------------------


Gathering Data


Transmission Path


Recipient

Now let's work out who the message was delivered To:
According to the latest Received: header, the message was delivered for
xx@xxx.org


Sender

And the last piece of data that we need is the sender of the message.
First, let's look at the initial 'From' line...
No, there's no email address there... maybe your mail reader ate it
(they often do)...
We'll look for a "From:" line inside the headers instead... (this isn't
ideal for SPF checking, but it's worth a go).
Ok, the headers say "From: jon@[deleted]"... that'll do.


Analysis

Right... now to see if the data we've gathered above appears to make
sense for a message from jon@[deleted] to xxx@xxx.org.


Entry into receiving network

First step: we'll see where the message entered the receiver's network.


Release from sender's network

Now we'll work out where the sending domain appears to have released the
message - we'll work backwards from the step before your servers took over.

To do this we need the SPF record for the sending domain (rusticweb.com)...
Oh good, they've published one; it's
v=spf1 a -all

SPF checks on the previous steps look like:


Path Summary

Whole path unexplained rusticweb.com / 66.160.153.44
main2.ezpublishing.com / 216.121.96.240

It looks like nothing in that set of SMTP hops should have sent the
message from rusticweb.com... this message should be considered suspect!


Result

(for mail from jon@[deleted] to xxx@xxx.org)

*Worried*

Re: Header Checker at InfinitePenguins
Looks like you're relaying through main2.ezpublishing.com so include them
in your TXT record


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492




Re: Header Checker at InfinitePenguins
jpinkerton wrote:

>Looks like you're relaying through main2.ezpublishing.com so include them
>in your TXT record
>
>
No, that's the recipient's ISP.

Re: Header Checker at InfinitePenguins
On Fri, Sep 03, 2004 at 11:09:27AM -0600, spf-help@rusticweb.com wrote:
>
> Path Summary
>
> Whole path unexplained rusticweb.com / 66.160.153.44
> main2.ezpublishing.com / 216.121.96.240
>
> It looks like nothing in that set of SMTP hops should have sent the
> message from rusticweb.com... this message should be considered suspect!

Obviously, as the A for rusticweb.com is 66.160.153.44 and there's a +a
in the spf record for rusticweb.com, the header checker seems to be
broken. I don't see what an spf header checker should be doing with
these headers anyway: spf checking is done against envelope from (which
was not present in the headers you fed the header checker anyway).
Presuming that in your case envelope from == from: (which is
@rusticweb.com), there is no problem at all I think.

Fwiw, here's the output of spfquery for your example:

srs# spfquery -ip 66.160.153.44 -sender jon@[deleted] -rcpt-to xxx@xxx.org
pass,pass

spfquery: domain of rusticweb.com designates 66.160.153.44 as permitted sender
Received-SPF: pass (spfquery: domain of rusticweb.com designates 66.160.153.44 as permitted sender) client-ip=66.160.153.44; envelope-from=jon@[deleted];
srs#

All ok!

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
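
The check described in the message above (connecting IP and envelope sender evaluated against the published record), as an added example that is not part of the original thread and is not spfquery's code. It covers only the `a`, `ip4` and `all` mechanisms, uses a constructed in-memory DNS table, and assumes an envelope sender of user@rusticweb.com because the real address is redacted in the thread.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The A value is the
# address quoted in the thread; the TXT value is the record the poster published.
DNS = {
    ("rusticweb.com", "A"): ["66.160.153.44"],
    ("rusticweb.com", "TXT"): ["v=spf1 a -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_host(client_ip, envelope_from):
    """Evaluate an SPF record (a, ip4, all only) for the MAIL FROM domain.

    client_ip is the address that connected to the receiving server, not an
    address taken from an arbitrary Received: header further down the path.
    """
    domain = envelope_from.rsplit("@", 1)[-1]
    records = [t for t in lookup(domain, "TXT") if t.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one v=spf1 record is a publishing error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"  # a bare mechanism such as "a" means "+a"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise NotImplementedError(f"term outside this example's subset: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"
```

check_host("66.160.153.44", "user@rusticweb.com") returns "pass", in line with the spfquery output above, while the same call with 216.121.96.240 (the receiving server listed in the Path Summary) returns "fail", which shows why only the address that connected to the receiver is tested.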

Re: Header Checker at InfinitePenguins
Koen Martens wrote:

>Obviously, as the A for rusticweb.com is 66.160.153.44 and there's a +a
>in the spf record for rusticweb.com, the header checker seems to be
>broken. I don't see what an spf header checker should be doing with
>these headers anyway: spf checking is done against envelope from (which
>was not present in the headers you fed the header checker anyway).
>Presuming that in your case envelope from == from: (which is
>@rusticweb.com), there is no problem at all I think.
>
>Fwiw, here's the output of spfquery for your example:
>
>srs# spfquery -ip 66.160.153.44 -sender jon@[deleted] -rcpt-to
>xxx@xxx.org
>pass,pass
>
>spfquery: domain of rusticweb.com designates 66.160.153.44 as permitted
>sender
>Received-SPF: pass (spfquery: domain of rusticweb.com designates
>66.160.153.44 as permitted sender) client-ip=66.160.153.44;
>envelope-from=jon@[deleted];
>srs#
>
>All ok!
>
>Koen
>
>
>
Cool, thanks. Also, I hadn't heard of spfquery before... but a little
googling got me the info I needed on that front.
