Mailing List Archive

using Include statements
can someone please review this port25 check auth tool response

I am in an argument about this FAILURE

> ==========================================================
> Summary of Results
> ==========================================================
> SPF check: fail
> DomainKeys check: pass
> DKIM check: pass
> Sender-ID check: fail
> SpamAssassin check: ham
>
> ==========================================================
> Details:
> ==========================================================
>
> HELO hostname: s53.gogvo.com
> Source IP: 12.97.188.229
> mail-from: aaron.m@gogvo.com
>
> ----------------------------------------------------------
> SPF check details:
> ----------------------------------------------------------
> Result: fail (not permitted)
> ID(s) verified: smtp.mail=aaron.m@gogvo.com
> DNS record(s):
> gogvo.com. 300 IN TXT "v=spf1 include:spf1.gogvo.com
> include:spf2.gogvo.com -all"
> gogvo.com. 300 IN TXT "v=spf2.0/pra include:2spf1.gogvo.com
> include:2spf2.gogvo.com -all"
> spf1.gogvo.com. 300 IN TXT "v=spf1 ip4:12.68.137.213
> ip4:12.204.164.198 ip4:12.204.164.163 ip4:12.204.164.52/29
> ip4:12.68.141.86/28 ip4:12.204.164.91/30 ip4:12.204.164.93/30
> ip4:12.204.164.92/30 ip4:12.68.140.17/32 -all"
> spf2.gogvo.com. 300 IN TXT "v=spf1 ip4:12.68.141.104 ip4:12.204.164.49
> ip4:12.204.164.86/26 ip4:12.68.140.10/28 ip4:12.97.188.200/29
> ip4:12.97.188.208/28 ip4:12.97.188.223/27 ip4:12.68.140.16
> ip4:12.68.140.18 ip4:12.132.193.241/30 ip4:12.132.193.245/29 -all"

From my understanding the -all statement is strictly enforcing anything in the spf record (including the include statements) and hard failing anything not defined here

am I understanding this incorrectly? should I be using a ~all (because I do not want mail to originate from anything NOT found in my SPF or sender ID records)

-Aaron


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: using Include statements
At 19:37 10/03/2010 Wednesday, Aaron Moon wrote:
>can someone please review this port25 check auth tool response

ok

>I am in an argument about this FAILURE

it is non-obvious {and i can't {cursory glance} see why, but can see more serious problems with your records as stated so will go through the usual check-list now

><cut for brevity>
> HELO hostname: s53.gogvo.com
>> Source IP: 12.97.188.229
>> mail-from: aaron.m@gogvo.com

ok first up what is the spf record for s53.gogvo.com, is it "verified by spf to be a non-forged, usable HELO-identity"
{i checked it has no spf record so not good, it could be as simple as "v=spf1 a -all" or as complex as say my entry for bigsvr.alandoherty.net which passes only if the name is used in helo {by passing only postmaster@helo}

>> DNS record(s):
>> gogvo.com. 300 IN TXT "v=spf1 include:spf1.gogvo.com
>> include:spf2.gogvo.com -all"

seems fine {but fail to see why all ip4 records in includes, versus v=spf1 {first bunch of ip4s} include:_spf1_2.gogvo.com -all, with _spf1_2 carrying the second {less used} bunch of ip's, drops one whole dns lookup
{additionally domains used for spf-only or txt-only {ie domains without A or MX} should strongly consider using a leading _ as it's illegal in a hostname* and a domain for mx-use thus you don't inadvertently allow forgeries of user@spf1.gogvo.com from the ip's mentioned}

>> gogvo.com. 300 IN TXT "v=spf2.0/pra include:2spf1.gogvo.com
>> include:2spf2.gogvo.com -all"

broken syntactically and logically
the syntax for sender-id is "spf2.0/pra" {no v=}
also it logically means sender-id users should only check the FROM: header and not perform the normal spf checks on the mfrom {envelope-sender} at all
also as your sender-id pra record ends -all it would also {if syntactically valid} instruct receivers to dump all mails from you via for-example this mailing list

to work as intended it should be replaced with
gogvo.com. 300 IN TXT "spf2.0/pra include:2spf1.gogvo.com include:2spf2.gogvo.com ?all" <PASS all from your listed servers, but don't fail mail via mailinglists {or use ~}
gogvo.com. 300 IN TXT "spf2.0/mfrom include:spf1.gogvo.com include:spf2.gogvo.com -all" <SENDER-ID checkers should also perform the normal SPF checks {as otherwise they won't look at spfv1 IF spf2.0 records exist}

>> spf1.gogvo.com. 300 IN TXT "v=spf1 ip4:12.68.137.213
>> ip4:12.204.164.198 ip4:12.204.164.163 ip4:12.204.164.52/29
>> ip4:12.68.141.86/28 ip4:12.204.164.91/30 ip4:12.204.164.93/30
>> ip4:12.204.164.92/30 ip4:12.68.140.17/32 -all"
>> spf2.gogvo.com. 300 IN TXT "v=spf1 ip4:12.68.141.104 ip4:12.204.164.49
>> ip4:12.204.164.86/26 ip4:12.68.140.10/28 ip4:12.97.188.200/29
>> ip4:12.97.188.208/28 ip4:12.97.188.223/27 ip4:12.68.140.16
>> ip4:12.68.140.18 ip4:12.132.193.241/30 ip4:12.132.193.245/29 -all"

these do seem to suggest your ip should pass {assuming the spf record for the HELO-id also passes}
but ip4:12.97.188.223/27 is so badly wrong
12.97.188.223 is not the first ip of any /27 {it's the last in the /27 starting at 192}
so i'm guessing most of your cidrs need to be re-checked

but changing it to ip4:12.97.188.224/27 will fix this host's issues

or forward the list of ip's in
xx.xx.xx.xx-yy.yy.yy.yy format, to us {or me} and i'll give you the correct cidr notation for all


>From my understanding the -all statement is strictly enforcing anything in the spf record (including the include statements) and hard failing anything not defined here
>
>am I understanding this incorrectly? should I be using a ~all (because I do not want mail to originate from anything NOT found in my SPF or sender ID records)

your issue is not the -all, it's math
{and sender-id syntax errors}


>-Aaron
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com



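An added worked example (not code from the thread, from the port25 tool or from any SPF library) that walks the records quoted above offline. `ZONE` is a constructed stand-in for DNS holding the TXT records exactly as quoted; `check_host`, `audit_ip4`, `senderid_version_ok` and `with_corrected_prefix` are names chosen here. It shows why 12.97.188.229 fails as published, that it passes once 12.97.188.223/27 becomes 12.97.188.224/27, how many DNS lookups the include chain costs, which ip4: prefixes have host bits set, and why a record starting with `v=spf2.0` is not a Sender ID record:

```python
"""Offline walk-through of the SPF evaluation discussed in this thread.

Added example: not code from the thread, port25 or any SPF library.
ZONE is a constructed stand-in for DNS so the script runs offline.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; record text copied from the thread.
ZONE = {
    "gogvo.com": [
        "v=spf1 include:spf1.gogvo.com include:spf2.gogvo.com -all",
        "v=spf2.0/pra include:2spf1.gogvo.com include:2spf2.gogvo.com -all",
    ],
    "spf1.gogvo.com": [
        "v=spf1 ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163 "
        "ip4:12.204.164.52/29 ip4:12.68.141.86/28 ip4:12.204.164.91/30 "
        "ip4:12.204.164.93/30 ip4:12.204.164.92/30 ip4:12.68.140.17/32 -all"
    ],
    "spf2.gogvo.com": [
        "v=spf1 ip4:12.68.141.104 ip4:12.204.164.49 ip4:12.204.164.86/26 "
        "ip4:12.68.140.10/28 ip4:12.97.188.200/29 ip4:12.97.188.208/28 "
        "ip4:12.97.188.223/27 ip4:12.68.140.16 ip4:12.68.140.18 "
        "ip4:12.132.193.241/30 ip4:12.132.193.245/29 -all"
    ],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 4408 cap on DNS-causing mechanisms per check


def spf_record(zone, domain):
    """The domain's single v=spf1 TXT record, or None (no record / ambiguous)."""
    found = [t for t in zone.get(domain, []) if t.split(" ", 1)[0].lower() == "v=spf1"]
    return found[0] if len(found) == 1 else None


def ip4_network(cidr):
    """(network, canonical) for an ip4: value. A value with host bits set,
    such as 12.97.188.223/27, is not a network address: a lenient checker
    reads it as the block containing it (12.97.188.192/27), a strict one
    rejects the record. Either way .229 is not covered."""
    if "/" not in cidr:
        cidr += "/32"
    try:
        return ipaddress.ip_network(cidr, strict=True), True
    except ValueError:
        return ipaddress.ip_network(cidr, strict=False), False


def check_host(zone, ip, domain, lookups=0):
    """Minimal check_host() for ip4, include and all. Returns (result, lookups)."""
    addr = ipaddress.ip_address(ip)
    record = spf_record(zone, domain)
    if record is None:
        return "none", lookups
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            net, _ = ip4_network(term[4:])
            if addr in net:
                return QUALIFIER[qual], lookups
        elif term.lower().startswith("include:"):
            lookups += 1  # every include costs one of the 10 permitted lookups
            if lookups > MAX_DNS_LOOKUPS:
                return "permerror", lookups
            sub, lookups = check_host(zone, ip, term[8:], lookups)
            if sub == "pass":
                return QUALIFIER[qual], lookups
            if sub == "none":
                return "permerror", lookups  # included domain must have a record
            if sub in ("permerror", "temperror"):
                return sub, lookups
        elif term.lower() == "all":
            return QUALIFIER[qual], lookups
    return "neutral", lookups


def audit_ip4(zone):
    """Every ip4: value in the zone whose prefix has host bits set, as
    (domain, value as written, network a lenient checker would use)."""
    bad = []
    for domain, records in zone.items():
        for rec in records:
            for term in rec.split()[1:]:
                term = term.lstrip("+-~?")
                if term.lower().startswith("ip4:"):
                    net, canonical = ip4_network(term[4:])
                    if not canonical:
                        bad.append((domain, term[4:], str(net)))
    return bad


def senderid_version_ok(record):
    """Sender ID (RFC 4406) records begin 'spf2.0/<scope>' with no 'v=' prefix."""
    return record.split(" ", 1)[0].lower().startswith("spf2.0/")


def with_corrected_prefix(zone):
    """Copy of the zone with the 12.97.188.224/27 correction from the reply above."""
    return {d: [r.replace("12.97.188.223/27", "12.97.188.224/27") for r in recs]
            for d, recs in zone.items()}


if __name__ == "__main__":
    for label, z in (("as published", ZONE), ("with 224/27", with_corrected_prefix(ZONE))):
        print(label, check_host(z, "12.97.188.229", "gogvo.com"))
    for entry in audit_ip4(ZONE):
        print("host bits set:", entry)
```

Running it, the published records give `fail` after two include lookups and the corrected ones give `pass`; `audit_ip4` lists nine ip4: values with host bits set, which is the "most of your cidrs need to be re-checked" point in the reply above, and `check_host` returns `none` for s53.gogvo.com because that name has no record of its own.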
RE: using Include statements
Aaron Moon wrote on Wed, Mar 10 2010 at 1:37 pm:

> can someone please review this port25 check auth tool response
>
> I am in an argument about this FAILURE

>> HELO hostname: s53.gogvo.com
>> Source IP: 12.97.188.229
>> mail-from: aaron.m@gogvo.com

12.97.188.229 is not in the (many) IP ranges covered by your SPF record.

12.97.188.208-12.97.188.215 is covered twice? See http://www.subnet-calculator.com/cidr.php and enter your ranges/masks.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- If the universe is everything, and scientists say that the universe is expanding, what is it expanding into?

~ Taglines by Taglinator: www.srtware.com ~


Re: using Include statements
The include statement shows 12.97.188.223/27 which I would assume would be 32 addresses starting with 12.97.188.223 so this should cover up to 12.97.188.255 correct?

here is the SPF again for review

gogvo.com. 300 IN TXT "v=spf2.0/pra include:2spf1.gogvo.com
include:2spf2.gogvo.com -all"

gogvo.com. 300 IN TXT "v=spf1 include:spf1.gogvo.com include:spf2.gogvo.com -all"

spf1.gogvo.com. 300 IN TXT "v=spf1 ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163 ip4:12.204.164.52/29 ip4:12.68.141.86/28 ip4:12.204.164.91/30 ip4:12.204.164.93/30 ip4:12.204.164.92/30 ip4:12.68.140.17/32 -all"

spf2.gogvo.com. 300 IN TXT "v=spf1 ip4:12.68.141.104 ip4:12.204.164.49 ip4:12.204.164.86/26 ip4:12.68.140.10/28 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.223/27 ip4:12.68.140.16 ip4:12.68.140.18 ip4:12.132.193.241/30 ip4:12.132.193.245/29 -all"

2spf1.gogvo.com. 300 IN TXT "v=spf2.0/pra ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163 ip4:12.204.164.52/29 ip4:12.68.141.86/28 ip4:12.204.164.91/30 ip4:12.204.164.93/30 ip4:12.204.164.92/30 ip4:12.68.140.17/32 -all"

2spf2.gogvo.com. 300 IN TXT "v=spf2.0/pra ip4:12.68.141.104 ip4:12.204.164.49 ip4:12.204.164.86/26 ip4:12.68.140.10/28 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.223/27 ip4:12.68.140.16 ip4:12.68.140.18 ip4:12.132.193.241/30 ip4:12.132.193.245/29 -all"



Re: using Include statements
At 23:01 10/03/2010 Wednesday, Aaron Moon wrote:
>The include statement shows 12.97.188.223/27 which I would assume would be 32 addresses starting with 12.97.188.223 so this should cover up to 12.97.188.255 correct?

no, it's not a valid cidr
it is the last ip of 12.97.188.192/27 {which is what any spf reader will understand it as if not just FAILING the record for syntax errors}
the next /27 is
12.97.188.224/27

did you even bother to read my last mail where i spelled all this and more out????



Re: using Include statements
On Wed, Mar 10, 2010 at 18:01, Aaron Moon <aaron.m@gogvo.com> wrote:
> The include statement shows 12.97.188.223/27 which I would assume would be 32 addresses starting with 12.97.188.223

No, that's for the /27 that includes 223:

223: 11011111
/27: 11100000
--------
11000000 (192) to
11011111 (223)

> so this should cover up to 12.97.188.255 correct?

No - I'd strongly recommend you learn how netmasks actually work ;)

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


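An added example (not from the thread, and not anyone's posted code) that does the netmask arithmetic behind the binary in the reply above, and also covers the two related points raised earlier in the thread: converting an xx.xx.xx.xx-yy.yy.yy.yy range into correct CIDR blocks, and finding ip4: entries that cover the same addresses twice. The function names and the sample inputs are chosen here; the addresses are the ones quoted in the thread.

```python
"""Netmask arithmetic, range-to-CIDR conversion and overlap detection for
the ip4: values quoted in this thread.

Added example, not from the thread; inputs are constructed from the
addresses it quotes.
"""
import ipaddress


def netmask(prefix_len):
    """/n as a 32-bit mask, e.g. /27 -> 0xFFFFFFE0 (last octet 11100000)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def cidr_bounds(cidr):
    """(network, broadcast, canonical) for 'a.b.c.d/n', using the same AND
    as the binary above: 223 & 11100000 = 192, so 12.97.188.223/27 names
    the block 192-223 and 223 is its last address, not its first."""
    host, plen = cidr.split("/")
    plen = int(plen)
    h = int(ipaddress.IPv4Address(host))
    net = h & netmask(plen)
    bcast = net | (~netmask(plen) & 0xFFFFFFFF)
    return (str(ipaddress.IPv4Address(net)),
            str(ipaddress.IPv4Address(bcast)),
            net == h)


def last_octet_bits(cidr):
    """The three rows of the binary in the reply, for the last octet:
    (address bits, mask bits, network bits)."""
    host, plen = cidr.split("/")
    octet = int(host.rsplit(".", 1)[1])
    mask = netmask(int(plen)) & 0xFF
    return (f"{octet:08b}", f"{mask:08b}", f"{octet & mask:08b}")


def range_to_cidrs(first, last):
    """Minimal CIDR list covering first..last inclusive, i.e. the conversion
    offered for the xx-yy format. 223-255 is a /32 plus a /27, not one /27."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def overlapping(cidrs):
    """Pairs of ip4: values that share addresses, after reading each the
    lenient way (host bits cleared). Redundant entries waste record space
    and hide the real coverage."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    print(cidr_bounds("12.97.188.223/27"))       # network 192, broadcast 223, not canonical
    print(last_octet_bits("12.97.188.223/27"))   # ('11011111', '11100000', '11000000')
    print(range_to_cidrs("12.97.188.223", "12.97.188.255"))
    print(overlapping(["12.97.188.200/29", "12.97.188.208/28", "12.97.188.223/27"]))
```

For the three 12.97.188.x entries quoted in the thread, `overlapping` reports that 12.97.188.223/27 (read as 192/27) overlaps both 200/29 and 208/28; once the entry becomes 12.97.188.224/27 the three blocks are disjoint and 224-255 is covered.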
Re: using Include statements
No, actually I didn't get your last reply before the most recent posting, and they did point it out!

But I will say that you seem like a very irritated person; perhaps you should leave the replies to others.

If we were all experts we wouldn't ask for help m8!

have a nice day!
Aaron


Re: using Include statements
yes I realize this, and I did use that tool, it was a syntax error, and for some reason reading the record over and over I just plain missed it. Thank you though for pointing this out. my CIDR skills need some work.

-Aaron


Re: using Include statements [resend for Aaron]
From: Aaron Moon <aaron.m@gogvo.com>
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] using Include statements

No, actually I didn't get your last reply before the most recent posting, and they did point it out!

ok here it is again

But I will say that you seem like a very irritated person; perhaps you should leave the replies to others.

{i am only irritated when my detailed and time consuming to write replies are {apparently} ignored, if i left replies to others the host of other issues i pointed out and suggested fixes for would continue to go unnoticed and unfixed, so i will continue to reply until the day others start being as comprehensive in their finding/fixing of issues}

If we were all experts we wouldn't ask for help m8!

I know this, that's why we experts volunteer our help, because long term less accidentally-broken senders will make it easier for us as receivers to tell ham/spam {because we can start outright rejecting broken senders, which currently throws out too many accidentally-broken otherwise legit mail}

have a nice day!
Aaron



