Mailing List Archive

artistdomain wrote on Mon, Oct 19 2009 at 3:50 pm:

> Sorry, you lost me a little bit. This response is going from my
Outlook Express, not
> Spamarrest this time.
>
> I don't anyone know of anyone besides Spamarrest that has inbound SPF
filtering
> for me to test my record.

See the testers at http://www.openspf.org/Tools .

The only servers/IPs that are listed in your SPF record should
be those delivering outgoing mail. If you do not send mail through
AT&T's mail servers, you should not list them in your SPF record.


-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- I went to a bookstore and asked the saleswoman, "Where's the
self-help section?" She said if she told me, it would defeat the
purpose.

~ Taglines by Taglinator: www.srtware.com ~


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

At 21:50 19/10/2009 Monday, artistdomain wrote:
>Hi Alan,
>
>Sorry, you lost me a little bit. This response is going from my Outlook Express, not Spamarrest this time.


ok on this mail {cc'd to list for others to see}

it comes from blue.olm.net {your outgoing server i suspect}

Received: from blue.olm.net ([69.94.102.4])
by bigsvr.alandoherty.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.69)
(envelope-from <wsmith@artistdomain.net>)
id 1MzzET-0001aD-Co
for spfdiscuss@alandoherty.net; Mon, 19 Oct 2009 20:53:35 +0000
Received: from adsl-11-145-117.mia.bellsouth.net ([65.11.145.117] helo=organicc5rdsgk)
by blue.olm.net with esmtpa (Exim 4.69)
(envelope-from <wsmith@artistdomain.net>)
id 1MzzBK-0005p0-SF; Mon, 19 Oct 2009 16:50:19 -0400

X-AD-RPFS-HEAD: for info on below codes http://www.alandoherty.net/mailsystem/mail-tagging/

X-AD-RPFS-DUMB-0: HELO-SPF-NONE HELO-CSA-NONE

blue.olm.net has no SPF record {idealy it should be "v=spf1 A -all"} but few receivers check this for anything other than treating senders with full spf as trusted for greylisting etc

X-AD-RPFS-INFO-0: IP-CC-US

X-AD-RPFS-GOOD-0: HELO-DNS-PASS IP=69.94.102.4 HELO=FQDNS=blue.olm.net ES-SPF-PASS AV-SCAN-PASS SA-SCORE--1.7 SA-BAR-(-)

this says that the envelope sender SPF test passed

so you seem to have your spf setup fine*

*assuming they do not have more ip's you might occasionally use {multihomed systems}


the ATT IPs are and will never be relevant, whatever is generating the fail when you send to yourself it is not correctly setup SPF checker


>I don't anyone know of anyone besides Spamarrest that has inbound SPF filtering for me to test my record.
>
>Is this mail failing? If so it still failing due to that ATT IP#?
>
>My mailserver is only set for authentication not SPF filtering. My mailserver doesn't have inbound SPF filtering. I use Spamarrest for that on my inbound mail.
>
>So, not sending from one "box to another box on same mail server. My tests to myself are going from OLM.Net and coming back to my my Spamarrest box on Spamarrest's network.
>
>Thanks,
>
>wade
>
>Your previous response:
>no you are testing for spf mail sent from a mail client
>{your server is misconfigured it should not require spf from mail clients, only authentication}
>
>send a mail to anyone else via your server
>{even me}* {anywhere else == somewhere your server would have to forward to via smtp following mx records not another mailbox on the same server}
>and we can tell you does your mail pass spf when it arrives here
>
>mail between client<>server {esmtpa authentiacated smtp via port 587, or some smtp-auth workaround kludge on port25}
>nothing to do with SPF {if spf checks are done server is mis-configured}
>
>mail between server<>server [e]smtp on port 25 {the only place SPF is designed to be used}



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Alan, not sure I understand. Are you saying that I'm not really failing
expect according to Spamarrest?

Did my mail fail according to your own filtering?

Thanks,




----- Original Message -----
From: "alan" <spfdiscuss@alandoherty.net>
To: "artistdomain" <wsmith@artistdomain.net>
Cc: <spf-help@v2.listbox.com>
Sent: Monday, October 19, 2009 5:26 PM
Subject: Re:


> At 21:50 19/10/2009 Monday, artistdomain wrote:
>>Hi Alan,
>>
>>Sorry, you lost me a little bit. This response is going from my Outlook
>>Express, not Spamarrest this time.
>
>
> ok on this mail {cc'd to list for others to see}
>
> it comes from blue.olm.net {your outgoing server i suspect}
>
> Received: from blue.olm.net ([69.94.102.4])
> by bigsvr.alandoherty.net with esmtps (TLSv1:AES256-SHA:256)
> (Exim 4.69)
> (envelope-from <wsmith@artistdomain.net>)
> id 1MzzET-0001aD-Co
> for spfdiscuss@alandoherty.net; Mon, 19 Oct 2009 20:53:35 +0000
> Received: from adsl-11-145-117.mia.bellsouth.net ([65.11.145.117]
> helo=organicc5rdsgk)
> by blue.olm.net with esmtpa (Exim 4.69)
> (envelope-from <wsmith@artistdomain.net>)
> id 1MzzBK-0005p0-SF; Mon, 19 Oct 2009 16:50:19 -0400
>
> X-AD-RPFS-HEAD: for info on below codes
> http://www.alandoherty.net/mailsystem/mail-tagging/
>
> X-AD-RPFS-DUMB-0: HELO-SPF-NONE HELO-CSA-NONE
>
> blue.olm.net has no SPF record {idealy it should be "v=spf1 A -all"} but
> few receivers check this for anything other than treating senders with
> full spf as trusted for greylisting etc
>
> X-AD-RPFS-INFO-0: IP-CC-US
>
> X-AD-RPFS-GOOD-0: HELO-DNS-PASS IP=69.94.102.4 HELO=FQDNS=blue.olm.net
> ES-SPF-PASS AV-SCAN-PASS SA-SCORE--1.7 SA-BAR-(-)
>
> this says that the envelope sender SPF test passed
>
> so you seem to have your spf setup fine*
>
> *assuming they do not have more ip's you might occasionally use
> {multihomed systems}
>
>
> the ATT IPs are and will never be relevant, whatever is generating the
> fail when you send to yourself it is not correctly setup SPF checker
>
>
>>I don't anyone know of anyone besides Spamarrest that has inbound SPF
>>filtering for me to test my record.
>>
>>Is this mail failing? If so it still failing due to that ATT IP#?
>>
>>My mailserver is only set for authentication not SPF filtering. My
>>mailserver doesn't have inbound SPF filtering. I use Spamarrest for that
>>on my inbound mail.
>>
>>So, not sending from one "box to another box on same mail server. My tests
>>to myself are going from OLM.Net and coming back to my my Spamarrest box
>>on Spamarrest's network.
>>
>>Thanks,
>>
>>wade
>>
>>Your previous response:
>>no you are testing for spf mail sent from a mail client
>>{your server is misconfigured it should not require spf from mail clients,
>>only authentication}
>>
>>send a mail to anyone else via your server
>>{even me}* {anywhere else == somewhere your server would have to forward
>>to via smtp following mx records not another mailbox on the same server}
>>and we can tell you does your mail pass spf when it arrives here
>>
>>mail between client<>server {esmtpa authentiacated smtp via port 587, or
>>some smtp-auth workaround kludge on port25}
>>nothing to do with SPF {if spf checks are done server is mis-configured}
>>
>>mail between server<>server [e]smtp on port 25 {the only place SPF is
>>designed to be used}
>
>



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

At 22:40 19/10/2009 Monday, artistdomain wrote:
>Alan, not sure I understand. Are you saying that I'm not really failing expect according to Spamarrest?

pretty much
{but i think you are in some way confused as they do not in any way handle the sample of a failed mail you sent}
"Return-path: <wsmith@artistdomain.net>
Envelope-to: wsmith@artistdomain.net
Delivery-date: Mon, 19 Oct 2009 15:01:42 -0400

Received: from adsl-11-145-117.mia.bellsouth.net ([65.11.145.117]
helo=organicc5rdsgk)
by blue.olm.net with esmtpa (Exim 4.69)
(envelope-from <wsmith@artistdomain.net>)
id 1MzxUE-0008Ey-OO
for wsmith@artistdomain.net; Mon, 19 Oct 2009 15:01:42 -0400

Message-ID: <38CA78CFA9B74A93A9D2121B8B877E8F@organicc5rdsgk>
From: "artistdomain" <wsmith@artistdomain.net>
To: "artistdomain" <wsmith@artistdomain.net>
Subject: test
Date: Mon, 19 Oct 2009 15:01:45 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00AD_01CA50CD.12F90D70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3311
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3311
X-SA-Poll-Id: 1255978924620..UID685-1254077930..1..1255978905000
X-SA-USERIDNR: 3467002
Received-SPF: fail(artistdomain.net: domain of
artistdomain.net does not designate 65.11.145.117 as permitted
sender)
"
one received line only recieved by your server from your client not sent on or recieved by spamarest according to its own headers

even you public mx records which tell us where to send your email so not tell us to send to spamarest for filtering the tell us to send direct to

artistdomain.net mail exchanger = 10 mail.artistdomain.net.
mail.artistdomain.net == 69.94.102.4

which is your server
{whatever service spamarest does for you it is after your server has received the email, thus is too late to refuse/reject , it probably is some sort of pop3/imap based content filter so it is guessing the spf from the headers your server added, thus in the case of any user sending mail via the server to the server the last first==last hop so it blinly checks last hop against SPF without knowing/being able to tell it is not looking at an exaply of locally delivered email}

so ignore the false fails on mail to yourself
or better yet setup some real spam-filtering that rejects spam before it has arrived
but either way do not trust any spf pass/fail determination made after the mail has arrived from any provider


>Did my mail fail according to your own filtering?

not at all


>Thanks,

ok lets break it down
your current envelope-domain is artistdomain.net
its SPF record is currently "v=spf1 IP4:69.94.102.4 IP4:192.168.1.25 -all"

now syntactically/based on results "v=spf1 ip4:69.94.102.4 -all" is what you should have
ip4: not IP4: is what the doc says its possible the other is failing you because they are being sensitive about case

the ip4:192.168 .... MUST GO!

no Internet connected host can or will ever present an IP within this range to anyone outside thus it should and must not appear in an SPF record, its possible they are failing you for this?

for bonus points convince your isp to setup an spf for blue.olm.net

also if you ever want to use tls {as i checked your isp's server does support it}
fix your MX records to pint at the real name of your ISP's mail server

220-blue.olm.net ESMTP Exim 4.69 #1 Mon, 19 Oct 2009 18:40:42 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
ehlo test.alandoherty.net
250-blue.olm.net Hello host244.freudenhaus.alandoherty.net [193.120.128.244]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS <<<
250 HELP

your mx records should be
MX 10 blue.olm.net.

nothing to do with spf but does mean people could mail you more securely






>----- Original Message ----- From: "alan" <spfdiscuss@alandoherty.net>
>To: "artistdomain" <wsmith@artistdomain.net>
>Cc: <spf-help@v2.listbox.com>
>Sent: Monday, October 19, 2009 5:26 PM
>Subject: Re:
>
>
>>At 21:50 19/10/2009 Monday, artistdomain wrote:
>>>Hi Alan,
>>>
>>>Sorry, you lost me a little bit. This response is going from my Outlook Express, not Spamarrest this time.
>>
>>
>>ok on this mail {cc'd to list for others to see}
>>
>>it comes from blue.olm.net {your outgoing server i suspect}
>>
>>Received: from blue.olm.net ([69.94.102.4])
>> by bigsvr.alandoherty.net with esmtps (TLSv1:AES256-SHA:256)
>> (Exim 4.69)
>> (envelope-from <wsmith@artistdomain.net>)
>> id 1MzzET-0001aD-Co
>> for spfdiscuss@alandoherty.net; Mon, 19 Oct 2009 20:53:35 +0000
>>Received: from adsl-11-145-117.mia.bellsouth.net ([65.11.145.117] helo=organicc5rdsgk)
>> by blue.olm.net with esmtpa (Exim 4.69)
>> (envelope-from <wsmith@artistdomain.net>)
>> id 1MzzBK-0005p0-SF; Mon, 19 Oct 2009 16:50:19 -0400
>>
>>X-AD-RPFS-HEAD: for info on below codes http://www.alandoherty.net/mailsystem/mail-tagging/
>>
>>X-AD-RPFS-DUMB-0: HELO-SPF-NONE HELO-CSA-NONE
>>
>>blue.olm.net has no SPF record {idealy it should be "v=spf1 A -all"} but few receivers check this for anything other than treating senders with full spf as trusted for greylisting etc
>>
>>X-AD-RPFS-INFO-0: IP-CC-US
>>
>>X-AD-RPFS-GOOD-0: HELO-DNS-PASS IP=69.94.102.4 HELO=FQDNS=blue.olm.net ES-SPF-PASS AV-SCAN-PASS SA-SCORE--1.7 SA-BAR-(-)
>>
>>this says that the envelope sender SPF test passed
>>
>>so you seem to have your spf setup fine*
>>
>>*assuming they do not have more ip's you might occasionally use {multihomed systems}
>>
>>
>>the ATT IPs are and will never be relevant, whatever is generating the fail when you send to yourself it is not correctly setup SPF checker
>>
>>
>>>I don't anyone know of anyone besides Spamarrest that has inbound SPF filtering for me to test my record.
>>>
>>>Is this mail failing? If so it still failing due to that ATT IP#?
>>>
>>>My mailserver is only set for authentication not SPF filtering. My mailserver doesn't have inbound SPF filtering. I use Spamarrest for that on my inbound mail.
>>>
>>>So, not sending from one "box to another box on same mail server. My tests to myself are going from OLM.Net and coming back to my my Spamarrest box on Spamarrest's network.
>>>
>>>Thanks,
>>>
>>>wade
>>>
>>>Your previous response:
>>>no you are testing for spf mail sent from a mail client
>>>{your server is misconfigured it should not require spf from mail clients, only authentication}
>>>
>>>send a mail to anyone else via your server
>>>{even me}* {anywhere else == somewhere your server would have to forward to via smtp following mx records not another mailbox on the same server}
>>>and we can tell you does your mail pass spf when it arrives here
>>>
>>>mail between client<>server {esmtpa authentiacated smtp via port 587, or some smtp-auth workaround kludge on port25}
>>>nothing to do with SPF {if spf checks are done server is mis-configured}
>>>
>>>mail between server<>server [e]smtp on port 25 {the only place SPF is designed to be used}
>>



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

not a problem seems simple enough

first off though does your smarthost provider provide a ready made spf record for customers to "include" within their own
as if they do it will avoid headache if they move/re-ip their servers in the future

second how your incoming is setup is in no way relevant or cared about by spf do not confuse things by referencing this

so essentially you send mail from mail1.stofanet.dk thus you will have an spf allowing this machine(s) ip(s) only to send mail on your behalf
{this machine may be many clustered over multiple ip's thats why if they provide an includable record if the add/remove ips you won't have to edit your spf}
it may be a multi-stage-relay in which case examples of outgoing mail received by others would be needed to 'guess/test' the ip's
but it may be a simple one or two ip's system that can be simply referred to by name {a} record in your spf

so now we just need to know what your domain is and we can show you what your doing wrong + how to fix
{as you mailed us from hotmail and we know that cannot be your domain}

feel free to send me an email direct from your system so i can see your domain {and current issues and sending-ip's if you wish}
but replies will be cc'd to the list for every ones benifit

At 17:08 24/10/2009 Saturday, Vanzi Nzil wrote:

>Hello.
>
>I have read a little about SPF and can not really get it to work. I check with: check-auth@verifier.port25.com and spf-test@openspf.org
>
>I run Exchange 2007 SP2 on W2K3 I sit on a Dynamic IP connection and user GratisDns.dk (domain.dk> backup mx.stofanet.dk) and mail1.stofanet.dk as smarthost in Exchange 2007 SP2
>
>Is there a friendly soul who can help me to put my record up?
>_________________________________________________________________
>Nej, det er ikke svært at samle alle vennerne fra Hotmail, Myspace og Facebook på Messenger. Læs mere her
>http://www.microsoft.com/danmark/windows/windowslive/import-friends/
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

BTW replies will be slow as i go clubbing now till early hours sunday

At 17:08 24/10/2009 Saturday, Vanzi Nzil wrote:

>Hello.
>
>I have read a little about SPF and can not really get it to work. I check with: check-auth@verifier.port25.com and spf-test@openspf.org
>
>I run Exchange 2007 SP2 on W2K3 I sit on a Dynamic IP connection and user GratisDns.dk (domain.dk> backup mx.stofanet.dk) and mail1.stofanet.dk as smarthost in Exchange 2007 SP2
>
>Is there a friendly soul who can help me to put my record up?
>_________________________________________________________________
>Nej, det er ikke svært at samle alle vennerne fra Hotmail, Myspace og Facebook på Messenger. Læs mere her
>http://www.microsoft.com/danmark/windows/windowslive/import-friends/
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com