SPF_FAIL entries from local mail user. What's going on?

evil_smurf

I have received an email from [email protected] sent to [email protected]. SpamAssassin labeled it as spam, and also tagged it with SPF_FAIL.

I do not understand why it tagged this mail as SPF_FAIL when the user was authenticated to send the mail. My box is not an open relay (tested it many times), and the weird issue is the from IP address included this user's home IP address instead of mail.eggycrew.com.

Below is the header. What's causing this and how do I fix it?

Thanks! This is driving me nuts!


From [email protected] Wed Sep 19 07:16:37 2007
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 19 Sep 2007 07:16:37 -0500
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
(envelope-from <[email protected]>)
id 1IXyTr-0007u0-Rj
for [email protected]; Wed, 19 Sep 2007 07:16:37 -0500
Received: from localhost by server1.eggycrew.com
with SpamAssassin (version 3.2.0);
Wed, 19 Sep 2007 07:16:37 -0500
From: Bob Terry <[email protected]>
To: Dave <[email protected]>
Subject: *****SPAM***** good morning!
Date: Wed, 19 Sep 2007 08:17:23 -0400
Message-Id: <[email protected]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server1.eggycrew.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FH_HOST_EQ_D_D_D_D,
FH_HOST_EQ_D_D_D_DB,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,SPF_FAIL,
TVD_RCVD_IP autolearn=disabled version=3.2.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_46F11325.A1E62156"

This is a multi-part message in MIME format.





Here are the entries SpamAssassin showed:


Content analysis details: (5.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.1 FH_HOST_EQ_D_D_D_DB Host is d-d-d-d
2.0 FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
1.6 TVD_RCVD_IP TVD_RCVD_IP
1.0 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/why.html?send....eggycrew.com]
1.6 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[68.184.113.21 listed in dnsbl.sorbs.net]
0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[68.184.113.21 listed in zen.spamhaus.org]
0.1 RDNS_DYNAMIC Delivered to trusted network by host with
dynamic-looking rDNS
-1.3 AWL AWL: From: address is in the auto white-list
 
Perhaps SpamAssassin doesn't like the fact that the email originated at localhost and localhost isn't in the spf record?

Have you asked on the SpamAssassin mailing list? I think someone there might understand the rule.

Jeff
 
Also, something else is really, really weird. An email received from a desktop on the SAME internet connection freaks out:

From [email protected] Thu Sep 20 00:00:48 2007
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 20 Sep 2007 00:00:48 -0500
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
(envelope-from <[email protected]>)
id 1IYE9d-0005Sr-3X
for [email protected]; Thu, 20 Sep 2007 00:00:47 -0500
Received: from localhost by server1.eggycrew.com
with SpamAssassin (version 3.2.0);
Thu, 20 Sep 2007 00:00:47 -0500
From: Allison Terry <[email protected]>
To: Russell <[email protected]>
Subject: *****SPAM***** laptop
Date: Thu, 20 Sep 2007 01:01:23 -0400
Message-Id: <[email protected]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server1.eggycrew.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.2 required=5.0 tests=AWL,BAYES_50,
FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,
RDNS_DYNAMIC,SPF_FAIL,TVD_RCVD_IP autolearn=disabled version=3.2.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_46F1FE7F.0C1AC6C9"

This is a multi-part message in MIME format.

------------=_46F1FE7F.0C1AC6C9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "server1.eggycrew.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: this email is from my laptop [...]

Content analysis details: (5.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.2 FH_HOST_EQ_D_D_D_DB Host is d-d-d-d
1.2 FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
1.9 TVD_RCVD_IP TVD_RCVD_IP
0.7 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/why.html?sen...=68.184.113.21&receiver=server1.eggycrew.com]
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[68.184.113.21 listed in zen.spamhaus.org]
0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[68.184.113.21 listed in dnsbl.sorbs.net]
0.1 RDNS_DYNAMIC Delivered to trusted network by host with
dynamic-looking rDNS
-0.8 AWL AWL: From: address is in the auto white-list



But when the SAME email is sent on the SAME internet connection (router on a cable modem) from a laptop instead of the desktop, it DOESN'T freak out!

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 19 Sep 2007 23:46:24 -0500
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
(envelope-from <[email protected]>)
id 1IYDvk-00058r-Of
for [email protected]; Wed, 19 Sep 2007 23:46:24 -0500
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server1.eggycrew.com
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=ALL_TRUSTED,AWL,TVD_RCVD_IP
autolearn=disabled version=3.2.0
Received: from 68-184-113-21.dhcp.smyr.ga.charter.com ([68.184.113.21] helo=[127.0.0.1])
by mail.eggycrew.com with esmtpa (Exim 4.67)
(envelope-from <[email protected]>)
id 1IYDvk-00058e-IU
for [email protected]; Wed, 19 Sep 2007 23:46:24 -0500
Message-ID: <[email protected]>
Date: Thu, 20 Sep 2007 00:44:53 -0400
From: Allison Terry <[email protected]>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Russell Jones <[email protected]>
Subject: laptop
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 000775-3, 09/19/2007), Outbound message
X-Antivirus-Status: Clean
X-Antivirus-ClamAV-Scanner: This message was scanned for viruses and other harmful content on server1.eggycrew.com before being delivered.

this email is from my laptop



What the heck is going on? The Exim server is smtp-auth enabled and there are NO open relays allowed (you are more than welcome to test it yourself: mail.eggycrew.com). What would cause this??
 
Never mind, figured it out. In Thunderbird on the desktop, under the outgoing server, "use username and password" was not checked and the username was not set.

But *why* was the server letting the desktop send email out in the first place if the desktop was not being authenticated on sending?
 
The server automatically authenticates for sending any user who has received email within the last fifteen minutes.

But perhaps SpamAssassin doesn't like that. It shouldn't care because authentication is authentication.

You might want to check to see if the headers on your outgoing messages are different based on the type of authentication.

Otherwise it's probably a question for the SpamAssassin list.

Jeff
 
The headers above are the headers for both the desktop message sent that had issues, and the laptop message sent that was authenticating correctly and didn't have issues.

The only line that looks different is this one:

Desktop:
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
(envelope-from <[email protected]>)
id 1IYE9d-0005Sr-3X
for [email protected]; Thu, 20 Sep 2007 00:00:47 -0500
Received: from localhost by server1.eggycrew.com
with SpamAssassin (version 3.2.0);

Laptop:
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
(envelope-from <[email protected]>)
id 1IYDvk-00058r-Of
for [email protected]; Wed, 19 Sep 2007 23:46:24 -0500
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server1.eggycrew.com
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=ALL_TRUSTED,AWL,TVD_RCVD_IP
autolearn=disabled version=3.2.0
Received: from 68-184-113-21.dhcp.smyr.ga.charter.com ([68.184.113.21] helo=[127.0.0.1])
by mail.eggycrew.com with esmtpa (Exim 4.67)



Received from "localhost" is in the desktop headers but not the laptop
"esmtpa" is in the laptop headers but not the desktop

If you believe this is a bug I will go post it on the SA bug tracker, but I'm pretty sure you know more about this than I do, so I will let you decide if you think it's a bug or not! =)
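
Added example, not part of any post in this thread: a small check that finds the client hop in a message's Received headers and reports whether it carries an SMTP AUTH marker (the RFC 3848 keywords `esmtpa`/`esmtpsa`), which is the difference between the laptop message that hit ALL_TRUSTED and the desktop message that was scored against 68.184.113.21. The function names are hypothetical, the laptop hop is abridged from the headers quoted above, and the desktop hop is constructed (its client Received line is not shown in the thread, so `esmtp` is an assumption).

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that record a successful SMTP AUTH on a hop.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}

# Exim-style network hop: from <rdns> ([ip] ...) by <host> with <proto>
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\][^)]*\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)", re.IGNORECASE)

def client_hop(raw_headers, our_hosts):
    """Return the oldest network hop accepted by one of our own servers."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m and m.group("by").lower() in our_hosts:
            hops.append(m.groupdict())
    return hops[-1] if hops else None  # headers are listed newest first

def classify(raw_headers, our_hosts):
    """Label the submission and return the client IP a filter would judge."""
    hop = client_hop(raw_headers, our_hosts)
    if hop is None:
        return ("no-network-hop", None)
    if hop["proto"].lower() in AUTH_PROTOCOLS:
        return ("authenticated-submission", hop["ip"])
    # No AUTH marker: a filter sees this IP as an external relay, so SPF and
    # dynamic-IP blocklist rules are evaluated against it.
    return ("unauthenticated-client", hop["ip"])

OUR_HOSTS = {"mail.eggycrew.com"}

# Hops as in the laptop message quoted in the thread (address lines omitted).
LAPTOP = (
    "Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)\n"
    "\tid 1IYDvk-00058r-Of; Wed, 19 Sep 2007 23:46:24 -0500\n"
    "Received: from 68-184-113-21.dhcp.smyr.ga.charter.com"
    " ([68.184.113.21] helo=[127.0.0.1])\n"
    "\tby mail.eggycrew.com with esmtpa (Exim 4.67)\n"
    "\tid 1IYDvk-00058e-IU; Wed, 19 Sep 2007 23:46:24 -0500\n"
    "Subject: laptop\n\n"
)
# Constructed: same hop without the AUTH marker ("esmtp" is an assumption).
DESKTOP = LAPTOP.replace("with esmtpa", "with esmtp")

if __name__ == "__main__":
    for name, raw in (("laptop", LAPTOP), ("desktop", DESKTOP)):
        print(name, classify(raw, OUR_HOSTS))
```

Running the same check on real outgoing mail shows quickly which clients rely on the fifteen-minute receive window instead of SMTP AUTH.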
 
I have no idea, and I've not heard from anyone else on the issue. Rather than entering it as a bug, why not just ask some questions on the userlist?

Jeff
 