SPF check too strict

[Dannik]

Hi all,

Lately I'm having some problems with receiving mails. Apparently when someone send mail from a server which isn't listed in the SPF records, the mail is rejected right away, instead of increasing the spam score:

2021-04-15 12:28:50 H=mx0a-00254701.pphosted.com [148.163.149.246] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<prvs=673991aecb=bounces+srs=xx49d=[email protected]> rejected RCPT <[email protected]>: SPF: 148.163.149.246 is not allowed to send mail from ecentral.onmicrosoft.com: Please see http://www.open-spf.org/Why : Reason: mechanism

Normally I expect something like this:

SPFCheck: Server fails SPF test, +30 Spam score

I'm running latest versions of Exim, Blockcracking, Easy Spamfighter, SpamAssassin, etc. and the exim.conf through Custom Build.

I have been digging out the configuration files (and Google), but I did not find the right settings for this. Can someone please point me to the right direction?

Regards,
Danny

 

[Richard G]

Check the SPF setting. If it's having -all at the end, then it can be refused.

The setting you are looking for is in /etc/exim.easy_spam_fighter/variables.conf like this:
EASY_SPF_SOFT_FAIL = 30
EASY_SPF_FAIL = 100

If you want that set to a lower version, then in that directory, create a exim.variables.conf.custom file and put the value in like this:
EASY_SPF_FAIL == 80

Mind the double == which is needed in there. For the 80 you can use a value at your liking.

However I would advise to only use this with the softfail function.
If you don't want SPF to work strict, people can better use ~all at the end then -all because -all is the hardfail setting which is just intended to block anything not in SPF directly. So adjusting this would mean in fact you would break the purpose of -all and you can just as well use ~all.
Or include the ip which is causing the trouble into the SPF record.

 

[Dannik]

Ah, great. Thanx!
I changed things to:

EASY_HIGH_SCORE_DROP == 120
EASY_SPF_FAIL == 90

Let's see how this works out...

I agree people should correctly use ~all and -all, but when even the sending IP is not configured correctly in the SPF record it's not unusual to also see incorrect use of ~all and -all. And because the problem usually occurs "on the other side" I cannot do anything about it. Except warn them, but without receiving the mail I do not get alerted (except when expecting the mail).

Regards,
Danny

 

[Richard G]

And because the problem usually occurs "on the other side" I cannot do anything about it.

That's correct. But I became very blunt with that. If the other side does not know how to configure a mail system, they are not worth the customer. So if my customers start complaining they can't receive mail because of malconfigured servers with other hosters, I advise them to contact their contact and have them contact their host or else let them advise their contact to move their mail to an experienced hosting company.
As a hoster I'm not there to fix other hosters isseus. I'm trying to help with that here on the forums already.
But in a live situation, especially with mail (I really hate spam), I don't weaking my system for amateurs. Enough places to learn. I had to learn too and sometimes also the hard way.

EASY_HIGH_SCORE_DROP == 120

So you raised the overall score for spam with 20 and for SPF hardfail with an extra 10 (so 30 in total for SPF hardfail).
I would indeed monitor that, so not too much other spam is coming true.
Because this would also allow mail systems without rDNS present getting thru with a score of 20 still left over.

 

[Dannik]

Sorry for my late reply. Personal circumstances...
Untill now I haven't seen strange behaviour. The amount of spam did notably increase, so I think this setting is quite safe for now.

I totally agree with your statement about misconfigured mailservers. But sometimes even I am unaible to reach the right person or company. When my customers complain, I tell them to contact the sending party indeed. But when I myself experience problems, I have to take action myself. However, try contacting a big company like Black&Decker... I wanted to register myself on their site, but the verification mails were blocked due to an SPF problem. After trying to contact them for more than a week (without any luck) I had no other choice than using a Gmail address.
So sometimes there's a good reason to change some default settings.

Regards,
Danny

 

[Richard G]

The amount of spam did notably increase

That is a good thing.

I had no other choice than using a Gmail address.

That is odd, I thougth Gmail also used strict settings.

Indeed sometimes there is a good reason to change some default settings, but not this one imho. If it would not be working I would send an abuse mail to Black & Decker asking them to fix their stuff according to RFC's. Because the -all is a blunt refusal option.

Company's like that cripple (mail) security systems by these kinds of mistakes not being fixed and others play around to be able to get their mails.

Adjusting this setting is like locking your frontdoor, but leaving the key under the door mat because the newspaper delivering guy doesn't know how to use your letter box.

Still.... normally Gmail also just refuses -all spf records so I'm still wondering why it was accepted.

As for the late reply, I really don't mind. Personal circumstances are always more important in life!
So I hope you're well.