Re: [courier-users] No SPF reject during DNS outage. How come?
Hi Mitch, On Fri 13/Nov/2015 02:04:29 +0100 you wrote: > Hey Alessandro - did you receive any replies not cc'd to the list? Nope. > Just thinking out loud here... does courier cache lookups or is it possible > your local resolver did? > Maybe something cached the lookup of your SPF for your domain - and then the > non-cached lookup of the IP failed... > Could that result in the behaviour you see? > Maybe you would have to have timed your test to occur during the cache > lifetime of the spf record? I don't think I got cache hits, although that's a possibility. There's something which works counter-intuitively in the SPF module, but that's probably not even covered clearly by the RFC. I'd have preferred a 417 reply code in this case. Thank you for your interest Ale > -Original Message- > From: Alessandro Vesely [mailto:ves...@tana.it] > Sent: November-12-15 3:23 AM > To: Courier Users > Subject: [courier-users] No SPF reject during DNS outage. How come? > > Hi! > > I received a bunch of spam marked like this: > > Return-Path: <zl...@tana.it> > Received: from [210.205.1.118] (softdnserr [210.205.1.118]) > by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100 > id 005DC042.56445431.5BFC > Received-SPF: error (Address does not pass the Sender Policy Framework) > SPF=MAILFROM; > sender=zl...@tana.it; > remoteip=210.205.1.118; > remotehost=softdnserr; > helo=[210.205.1.118]; > receiver=wmail.tana.it; > > The "softdnserr" presumably came from DNS outage. The NS was disconnected > for quite some time, so only internal stuff was being resolved during > reception. > Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP > for that Korean address. > > However, I tried to reproduce that behavior to no avail. At the console, I > always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS > again. My Courier version is getting old, but this doesn't seem to be > related to the recent SPF fix, does it? > > Any other idea? > > TIA > Ale > > -- > ___ > courier-users mailing list > courier-users@lists.sourceforge.net > Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users > > -- > ___ > courier-users mailing list > courier-users@lists.sourceforge.net > Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users > -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] No SPF reject during DNS outage. How come?
417 is what I'm used to seeing ... in my case the 417 was triggered by a lookup failure being negatively cached by a ms Windows DNS server. Have you checked your configuration for spf? What version are you running and what does the config look like? Cheers Sent from my Samsung device Original message From: Alessandro Vesely <ves...@tana.it> Date: 2015-11-13 03:23 (GMT-08:00) To: "Mitch (BitBlock)" <mi...@bitblock.net>, Courier Users <courier-users@lists.sourceforge.net> Subject: Re: [courier-users] No SPF reject during DNS outage. How come? Hi Mitch, On Fri 13/Nov/2015 02:04:29 +0100 you wrote: > Hey Alessandro - did you receive any replies not cc'd to the list? Nope. > Just thinking out loud here... does courier cache lookups or is it possible > your local resolver did? > Maybe something cached the lookup of your SPF for your domain - and then the > non-cached lookup of the IP failed... > Could that result in the behaviour you see? > Maybe you would have to have timed your test to occur during the cache > lifetime of the spf record? I don't think I got cache hits, although that's a possibility. There's something which works counter-intuitively in the SPF module, but that's probably not even covered clearly by the RFC. I'd have preferred a 417 reply code in this case. Thank you for your interest Ale > -Original Message- > From: Alessandro Vesely [mailto:ves...@tana.it] > Sent: November-12-15 3:23 AM > To: Courier Users > Subject: [courier-users] No SPF reject during DNS outage. How come? > > Hi! > > I received a bunch of spam marked like this: > > Return-Path: <zl...@tana.it> > Received: from [210.205.1.118] (softdnserr [210.205.1.118]) > by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100 > id 005DC042.56445431.5BFC > Received-SPF: error (Address does not pass the Sender Policy Framework) > SPF=MAILFROM; > sender=zl...@tana.it; > remoteip=210.205.1.118; > remotehost=softdnserr; > helo=[210.205.1.118]; > receiver=wmail.tana.it; > > The "softdnserr" presumably came from DNS outage. The NS was disconnected > for quite some time, so only internal stuff was being resolved during > reception. > Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP > for that Korean address. > > However, I tried to reproduce that behavior to no avail. At the console, I > always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS > again. My Courier version is getting old, but this doesn't seem to be > related to the recent SPF fix, does it? > > Any other idea? > > TIA > Ale > > -- > ___ > courier-users mailing list > courier-users@lists.sourceforge.net > Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users > > -- > ___ > courier-users mailing list > courier-users@lists.sourceforge.net > Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users > -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] No SPF reject during DNS outage. How come?
On Thu 12/Nov/2015 17:04:29 +0100 Sam Varshavchik wrote: > Alessandro Vesely writes: > >> I received a bunch of spam marked like this: >> >> Return-Path:>> Received: from [210.205.1.118] (softdnserr [210.205.1.118]) >> by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100 >> id 005DC042.56445431.5BFC >> Received-SPF: error (Address does not pass the Sender Policy Framework) >> SPF=MAILFROM; >> sender=zl...@tana.it; >> remoteip=210.205.1.118; >> remotehost=softdnserr; >> helo=[210.205.1.118]; >> receiver=wmail.tana.it; >> >> The "softdnserr" presumably came from DNS outage. The NS was disconnected >> for >> quite some time, so only internal stuff was being resolved during reception. >> Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP >> for that Korean address. > > A failed SPF DNS lookup results in a status of "error". > > Check your "error" status handling. If you have "error" included in the > BOFHSPF > settings, it is considered a pass. Yup, you nailed it. I have: opt BOFHSPFHELO=pass,none,neutral,softfail,unknown,error,fail opt BOFHSPFMAILFROM=allowok,pass,none,neutral,softfail,unknown,error opt BOFHSPFFROM=all In fact, I could not reproduced it because I tried from the internal network, which can be resolved locally even if the NS is disconnected. Today I tried from an external IP and obtained the same result as the spammer quoted above. I'm still somewhat puzzled because my SPF record requires a further (external) lookup which fails silently, while the reverse IP lookup doesn't seem to be related to SPFMAILFROM at a first glance. I'll look deeper after I upgrade Courier... Thank you for putting me on the right track Ale -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] No SPF reject during DNS outage. How come?
Hey Alessandro - did you receive any replies not cc'd to the list? Just thinking out loud here... does courier cache lookups or is it possible your local resolver did? Maybe something cached the lookup of your SPF for your domain - and then the non-cached lookup of the IP failed... Could that result in the behaviour you see? Maybe you would have to have timed your test to occur during the cache lifetime of the spf record? Mitch -Original Message- From: Alessandro Vesely [mailto:ves...@tana.it] Sent: November-12-15 3:23 AM To: Courier Users Subject: [courier-users] No SPF reject during DNS outage. How come? Hi! I received a bunch of spam marked like this: Return-Path: <zl...@tana.it> Received: from [210.205.1.118] (softdnserr [210.205.1.118]) by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100 id 005DC042.56445431.5BFC Received-SPF: error (Address does not pass the Sender Policy Framework) SPF=MAILFROM; sender=zl...@tana.it; remoteip=210.205.1.118; remotehost=softdnserr; helo=[210.205.1.118]; receiver=wmail.tana.it; The "softdnserr" presumably came from DNS outage. The NS was disconnected for quite some time, so only internal stuff was being resolved during reception. Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP for that Korean address. However, I tried to reproduce that behavior to no avail. At the console, I always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS again. My Courier version is getting old, but this doesn't seem to be related to the recent SPF fix, does it? Any other idea? TIA Ale -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
[courier-users] No SPF reject during DNS outage. How come?
Hi! I received a bunch of spam marked like this: Return-Path:Received: from [210.205.1.118] (softdnserr [210.205.1.118]) by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100 id 005DC042.56445431.5BFC Received-SPF: error (Address does not pass the Sender Policy Framework) SPF=MAILFROM; sender=zl...@tana.it; remoteip=210.205.1.118; remotehost=softdnserr; helo=[210.205.1.118]; receiver=wmail.tana.it; The "softdnserr" presumably came from DNS outage. The NS was disconnected for quite some time, so only internal stuff was being resolved during reception. Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP for that Korean address. However, I tried to reproduce that behavior to no avail. At the console, I always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS again. My Courier version is getting old, but this doesn't seem to be related to the recent SPF fix, does it? Any other idea? TIA Ale -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] No SPF reject during DNS outage. How come?
Alessandro Vesely writes: Hi! I received a bunch of spam marked like this: Return-Path:Received: from [210.205.1.118] (softdnserr [210.205.1.118]) by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100 id 005DC042.56445431.5BFC Received-SPF: error (Address does not pass the Sender Policy Framework) SPF=MAILFROM; sender=zl...@tana.it; remoteip=210.205.1.118; remotehost=softdnserr; helo=[210.205.1.118]; receiver=wmail.tana.it; The "softdnserr" presumably came from DNS outage. The NS was disconnected for quite some time, so only internal stuff was being resolved during reception. Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP for that Korean address. However, I tried to reproduce that behavior to no avail. At the console, I always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS again. My Courier version is getting old, but this doesn't seem to be related to the recent SPF fix, does it? Any other idea? A failed SPF DNS lookup results in a status of "error". Check your "error" status handling. If you have "error" included in the BOFHSPF settings, it is considered a pass. pgpIh7qEXCkYV.pgp Description: PGP signature -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users