On Mon, 02 Mar 2015 22:19:42 -0500 Ken Hornstein <[email protected]> sez:
> >There are three occurrences of the following, associated with
> >Received: entries, in the header:
> >
> >     (No client certificate requested)
> >
> >I'm guessing that those are harmless.
>
> Yeah, I suspect that's from a TLS connection between client and
> server, and the client didn't provide a certificate which is
> normal.

This seems to be a common occurrence in emails I send to
@stanford.edu, at least.

> >There's also an "spf=softfail" in there.
> >
> >     Authentication-Results: mx.google.com;
> >         spf=softfail (google.com: domain of
> >         transitioning [email protected] does not designate
> >         171.67.219.78 as permitted sender) [email protected];
> >         dkim=fail [email protected];
> >         dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
> >
> >Note that 171.67.219.78 is smtp-grey.stanford.edu.
>
> Huh. I'd be interested in looking at the whole Received:
> header chain, but maybe I don't understand what is going wrong;
> it almost seems like smtp-grey.stanford.edu is the one
> originating the email and that doesn't make sense to me, if
> you're submitting directly to gmail. But yeah, I suspect the
> failing SPF, DKIM, and DMARC tests is what is causing the
> problem.

Appended to the bottom of this message. I redacted all the
personal information I could see. Hopefully I didn't go too far.

NOTE: the same spf=softfail message as above also appeared in a
message I sent while still using sendmail for outbound email!

> Okay, this header is actually defined in RFC 5451, see here:
>
>     https://tools.ietf.org/html/rfc5451

Is that still valid? The top of the linked page indicates that
RFC 5451 is obsoleted by RFC 7001 (in turn updated by RFC 7410).

> But I am still puzzled.

I think your original point about Proofpoint being stingy is key.
One of my messages tagged as spam had just this for its body:

     --047d7bfcf7d06fb18e050dadac3b
     Content-Type: text/plain; charset=ISO-8859-1

     ETA: 19:45. Sorry about this!

     --047d7bfcf7d06fb18e050dadac3b
     Content-Type: text/html; charset=ISO-8859-1
     Content-Transfer-Encoding: quoted-printable

     <p dir=3D"ltr">ETA:=A0 19:45.=A0 Sorry about this!</p>

     --047d7bfcf7d06fb18e050dadac3b--

The Proofpoint bit in the header was:

     X-Proofpoint-Virus-Version: vendor=fsecure
         engine=2.50.10432:5.13.68,1.0.33,0.0.0000
         definitions=2015-01-27_04:2015-01-27,2015-01-26,1970-01-01 signatures=0
     X-Proofpoint-Spam-Details: rule=spam policy=default score=75 spamscore=75
         suspectscore=1 phishscore=1 adultscore=0 bulkscore=0 classifier=spam
         adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000
         definitions=main-1501280032

The Subject: was tagged with a triple-score SPAM:

     Subject: [SPAM:###] Waaaaay late!

This was sent using GMail's web interface, so it's about as
"legitimate" as it can be. No failing SPF, DKIM, and DMARC tests
(as far as I can tell).

I'm beginning to think that Stanford assumes all email from
outside @stanford.edu is automatically suspect. (But why a
message that looks *more* like it's coming from a compromised
user should pass is beyond me.)

                                Bob

------------------------------ Cut Here ------------------------------

> Delivered-To: [email protected]
> Received: by 10.140.34.41 with SMTP id k38csp5438122qgk;
>         Sun, 1 Mar 2015 14:04:15 -0800 (PST)
> X-Received: by 10.68.217.103 with SMTP id ox7mr42477279pbc.56.1425247454837;
>         Sun, 01 Mar 2015 14:04:14 -0800 (PST)
> Return-Path: <[email protected]>
> Received: from smtp-grey.stanford.edu (smtp-grey.stanford.edu. [171.67.219.78])
>         by mx.google.com with ESMTPS id bd5si10126741pbb.59.2015.03.01.14.04.12
>         (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>         Sun, 01 Mar 2015 14:04:14 -0800 (PST)
> Received-SPF: softfail (google.com: domain of transitioning
>         [email protected] does not designate 171.67.219.78 as
>         permitted sender) client-ip=171.67.219.78;
> Authentication-Results: mx.google.com;
>         spf=softfail (google.com: domain of transitioning
>         [email protected] does not designate 171.67.219.78 as
>         permitted sender) [email protected];
>         dkim=fail [email protected];
>         dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
> Received: from mx4.stanford.edu (mx4.stanford.edu [171.67.219.87])
>         (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
>         (No client certificate requested)
>         by smtp-grey.stanford.edu (Postfix) with ESMTPS id AB17E20B81;
>         Sun, 1 Mar 2015 14:04:12 -0800 (PST)
> Received: from pps01.stanford.edu (pps01.stanford.edu [171.67.214.163])
>         (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>         (No client certificate requested)
>         by mx4.stanford.edu (Postfix) with ESMTPS id 9A8DC80CD1;
>         Sun, 1 Mar 2015 14:04:12 -0800 (PST)
> Received: from pps.filterd (pps01.stanford.edu [127.0.0.1])
>         by pps01.stanford.edu (8.14.5/8.14.5) with SMTP id t21M03ir010851;
>         Sun, 1 Mar 2015 14:04:14 -0800
> Received: from mx3.stanford.edu (mx3.stanford.edu [171.67.219.73])
>         by pps01.stanford.edu with ESMTP id 1sva6d059f-1
>         (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
>         Sun, 01 Mar 2015 14:04:13 -0800
> Received: from mail-pd0-f179.google.com (mail-pd0-f179.google.com [209.85.192.179])
>         (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
>         (No client certificate requested)
>         by mx3.stanford.edu (Postfix) with ESMTPS id 5585080B25;
>         Sun, 1 Mar 2015 14:04:11 -0800 (PST)
> Received: by pdbfl12 with SMTP id fl12so3394322pdb.5;
>         Sun, 01 Mar 2015 14:04:10 -0800 (PST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=gmail.com; s=20120113;
>         h=message-id:from:originator:to:cc:reply-to:subject:in-reply-to
>          :references:mime-version:content-type:content-transfer-encoding:date;
>         ________
>         ________
>         ________
> X-Received: by 10.70.44.203 with SMTP id g11mr42282044pdm.130.1425247450905;
>         Sun, 01 Mar 2015 14:04:10 -0800 (PST)
> Received: from localhost.localdomain (c-71-202-61-143.hsd1.ca.comcast.net. [71.202.61.143])
>         by mx.google.com with ESMTPSA id dx6sm10044832pab.14.2015.03.01.14.04.09
>         (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
>         Sun, 01 Mar 2015 14:04:09 -0800 (PST)
> Message-ID: <nnnnnnnn <nnnnnnnn>>
> From: Bob Carragher <[email protected]>
> Originator: Bob Carragher <[email protected]>
> To: XXXXXXXX <[email protected]>
> Cc: YYYYYYYY <[email protected]>,
>         ZZZZZZZZ <[email protected]>
> Reply-To: Bob Carragher <[email protected]>
> In-reply-to: Message <MMMMMM <mmmmmmmm>>
>         from XXXXXXXX <[email protected]>
>         on Sun, 01 Mar 2015 05:05:34 -0800.
> References: <MMMMMM <mmmmmmmm>>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> Date: Sun, 01 Mar 2015 14:04:02 -0800
> X-Proofpoint-Virus-Version: vendor=fsecure
>         engine=2.50.10432:5.13.68,1.0.33,0.0.0000
>         definitions=2015-03-01_03:2015-02-27,2015-03-01,1970-01-01 signatures=0
> Subject: [SPAM:#####] SSSSSSSS
> X-Proofpoint-Spam-Details: rule=spam policy=default score=99 spamscore=99
>         suspectscore=7 phishscore=0
>         adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
>         engine=7.0.1-1402240000 definitions=main-1503010244
> X-Grey: yes
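
An added example, not part of the original thread: a short Python script that reads a header chain like the one quoted above and reports which hop the SPF check was actually evaluated against, next to the host where the message entered the chain. The sample is constructed by trimming the quoted headers; the REDACTED placeholders, the `smtp.mail`/`header.i` property names and all function names are assumptions of this example.

```python
import email
import re

# Constructed sample: trimmed from the header chain quoted in the message
# above; redacted addresses are written as the placeholder REDACTED.
SAMPLE = """\
Received: from smtp-grey.stanford.edu (smtp-grey.stanford.edu. [171.67.219.78])
 by mx.google.com with ESMTPS; Sun, 01 Mar 2015 14:04:14 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning REDACTED does not
 designate 171.67.219.78 as permitted sender) client-ip=171.67.219.78;
Authentication-Results: mx.google.com;
 spf=softfail (google.com: domain of transitioning REDACTED does not
 designate 171.67.219.78 as permitted sender) smtp.mail=REDACTED;
 dkim=fail header.i=REDACTED;
 dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
Received: from mx4.stanford.edu (mx4.stanford.edu [171.67.219.87])
 by smtp-grey.stanford.edu (Postfix) with ESMTPS id AB17E20B81
Received: from mail-pd0-f179.google.com (mail-pd0-f179.google.com [209.85.192.179])
 by mx3.stanford.edu (Postfix) with ESMTPS id 5585080B25
"""

def flat(value):
    return " ".join(value.split())            # undo header folding

def auth_results(msg):
    """Method -> result from Authentication-Results, comments dropped."""
    value = re.sub(r"\([^()]*\)", "", flat(msg["Authentication-Results"]))
    pairs = (re.match(r"\s*([\w-]+)=(\w+)", p) for p in value.split(";")[1:])
    return {m.group(1): m.group(2) for m in pairs if m}

def hops(msg):
    """Received lines, newest first, as (from_host, ip, by_host)."""
    pat = re.compile(r"from (\S+) .*?\[([0-9A-Fa-f.:]+)\].*?\bby (\S+)")
    found = (pat.search(flat(v)) for v in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def spf_subject(msg):
    """Which hop SPF judged, versus where the message entered the chain."""
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", msg["Received-SPF"]).group(1)
    chain = hops(msg)
    checked = next(h[0] for h in chain if h[1] == ip)
    site = lambda host: ".".join(host.rstrip(".").split(".")[-2:])
    return {"checked": checked, "origin": chain[-1][0],
            "relayed": site(checked) != site(chain[-1][0])}

if __name__ == "__main__":
    msg = email.message_from_string(SAMPLE)
    print(auth_results(msg), spf_subject(msg))
```

Only the Received lines written by hosts you trust are reliable; anything below them is supplied by the sending side and should be treated as a hint.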
