Spam Filter ISP Support - Possible bug or issue

Print Page | Close Window

Possible bug or issue

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6056
Printed Date: 02 April 2025 at 12:39am

Topic: Possible bug or issue

Posted By: Dan B
Subject: Possible bug or issue
Date Posted: 02 May 2007 at 3:03pm

Roberto,

I'm seeing an issue with SPF where a domain that has a valid spf record and the ip address that it's originating from is valid but it still fails the spf ruling.

The domain name that we are having problems with is wayne-dalton.com. Here is their spf record that they publish.

wayne-dalton.com text = "v=spf1 mx a:mail2.wayne-dalton.com,da.wayne-dalton.com,cn.wayne-dalton .com,pl.wayne-dalton.com,as2.wayne-walton.com,telnet.wayne-d alton.com,ps.wayne-da

lton.com mx:mail.wayne-dalton.com ~all"

Here is a snippit of our SFE logs and

05/02/07 11:44:19:937 -- (1292) Connection from: 12.168.83.85 - Originating country : United States

05/02/07 11:44:20:468 -- (1292) found SPF record for wayne-dalton.com: v=spf1 mx a:mail2.wayne-dalton.com,da.wayne-dalton.com,cn.wayne-dalton .com,pl.wayne-dalton.com,as2.wayne-dalton.com,telnet.wayne-d alton.com,ps.wayne-dalton.com mx:mail.wayne-dalton.com ~all

05/02/07 11:44:20:796 -- (1292) - SPF analysis for wayne-dalton.com done: - softfail

05/02/07 11:44:20:796 -- (1292) failed SPF test (softfail) - Disconnecting 12.168.83.85

05/02/07 11:44:20:796 -- (1292) 12.168.83.85 - Mail from: thisaddress@wayne-dalton.com To: thatemail@thisdomain.com will be rejected

If you do a nslookup on the ip address 12.168.83.85 it resolves to mail2.wayne-dalton.com

Does the logic within SFE have an issue with the comas that is in the spf record. I�ve seen a lot of spf records and this is the first one that I�ve seen with coma delimiters on the qualified names.

Thanks,
Dan B

Replies:

Posted By: LogSat
Date Posted: 02 May 2007 at 7:55pm

Dan,

Actually the SPF record does indeed indicate that the email should have been a "softfail", just like SpamFilter logged. As you configured SpamFilter to block softfails, the email was stopped.

You can verify the correct interpretation for the SPF record from the openspf.org official site itself using:

http://www.openspf.org/Why?show-form=1&identity=thisaddr ess%40wayne-dalton.com&ip-address=12.168.83.85&.subm it=Submit

It returns:

An SPF-enabled mail server rejected a message that claimed an envelope sender address of thisaddress@wayne-dalton.com.

An SPF-enabled mail server received a message from mail2.wayne-dalton.com (12.168.83.85) that claimed an envelope sender address of thisaddress@wayne-dalton.com.

The domain wayne-dalton.com has declared using SPF that it does not send mail through mail2.wayne-dalton.com (12.168.83.85). However, the domain is still testing its SPF policy, so the message should not have been rejected.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: Desperado
Date Posted: 02 May 2007 at 10:05pm

The passing of soft fails is the correct answer but actually renders it semi-usless as most SPF records are still in the "we are not sure" mode. It would be nice if we could somehow tag the soft-fails if enabled to pass. Just my 2-1/2 cents.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Print Page | Close Window