Need help with SPF

Postby mahonri » Mon Apr 21, 2014 6:38 pm

We use SPF with good results and block all hard fails. Unfortunately we occasionally see false positives. Here is the latest example:

Sender has email address @fedex.com
Sending IP: 199.81.217.44
EHLO: mx21.infosec.fedex.com

Logs show:
Code:
2014-04-21 10:08:09     9800    5735    SPF result: FAIL
2014-04-21 10:08:09     9800    5735    fedex.com: v=spf1 redirect=_spf.infosec.fedex.com
2014-04-21 10:08:09     9800    5735    _spf.infosec.fedex.com: v=spf1 a:smtp.dmz.fedex.com include:salesforce.com include:spf.mandrillapp.com ip4:216.136.162.123 ip4:
2014-04-21 10:08:09     9800    5735    salesforce.com: v=spf1 include:_spf.google.com  ip4:96.43.144.0/20 ip4:182.50.76.0/22 ip4:202.129.242.0/23 ip4:204.14.232.0/21
2014-04-21 10:08:09     9800    5735    _spf.google.com: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
2014-04-21 10:08:09     9800    5735    _netblocks.google.com: v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17
2014-04-21 10:08:09     9800    5735    _netblocks2.google.com: v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 i
2014-04-21 10:08:09     9800    5735    _netblocks3.google.com: v=spf1 ~all
2014-04-21 10:08:09     9800    5735    spf.mandrillapp.com: v=spf1 ip4:205.201.136.0/24 ip4:205.201.137.0/24 ip4:205.201.131.128/25 ip4:205.201.139.0/24 ip4:205.201.1
2014-04-21 10:08:09     9800    5735    Stop all filters
2014-04-21 10:08:09     9800    5735    <-- 554 SPF Failure: See http://www.openspf.org/Why?id=prvs=918808f9bd=juan.burgos@fedex.com;ip=199.81.217.44 (ID:1404211008030200)
2014-04-21 10:08:09     9800    5782    Disconnect


The openspf.org URL listed in the log says that the email should have passed. Various other online tools agree.

Any idea why eWall's SPF test shows this as FAIL when other tools see it as a pass?

Our filter looks like this:
Code:
//---------------------------------- [FILTER "SPF Fail Test" (custom:SPF_Fail_Test)]
if ( ew_can_apply('SPF Fail Test', 'custom', 'SPF_Fail_Test') ) {

   // Block hard fails unless the client IP is local or flagged good,
   // or the sender is listed in SPFBypass.txt.
   if ( spf_result() == SPF_FAIL
      && !$EW_SESSION['ip_local']
      && !$EW_SESSION['is_ip_good']
      && !ew_addrs_in_file( $EW_SESSION['sender'], "C:\\ProgramData\\Server Side Solutions\\eWall 4.0\\lists\\SPFBypass.txt" ) ) {
      // Reject with a 554 reply, record the block in the stats, and drop the connection.
      $EW_SESSION['reply'] = "554 SPF Failure: See http://www.openspf.org/Why?id=$EW_SESSION[sender];ip=$EW_SESSION[client_ip] (ID:$EW_SESSION[sid])";
      $EW_STATS['BLOCKED'] = 1;
      $EW_STATS['SPF'] = 1;
      $EW_SESSION['disconnect'] = true;
      stop_all();
   }
}

The SPFBypass.txt file is used as a workaround for this issue when it arises.
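
For cross-checking a FAIL like the one in the first post before it is used to block mail, here is a small reference evaluator for the `redirect=` / `include:` semantics of RFC 7208. It is an added example, not part of the original posts and not eWall's code, and it does not identify the eWall bug. The records, domain names and address ranges are constructed, and the `a:` mechanism that appears in the logged record is outside this sketch.

```python
import ipaddress

# Constructed TXT records (documentation names and ranges, not the real fedex.com
# data), shaped like the logged chain: redirect= -> include: -> nested ~all.
RECORDS = {
    "example.com": "v=spf1 redirect=_spf.example.com",
    "_spf.example.com": "v=spf1 include:crm.example.net ip4:192.0.2.0/24 -all",
    "crm.example.net": "v=spf1 include:_blocks.example.net ip4:198.51.100.0/24 ~all",
    "_blocks.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate the ip4/ip6/include/all/redirect subset of RFC 7208 check_host()."""
    if depth > 10:
        return "permerror"  # simplified stand-in for the RFC's DNS lookup limit
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:  # modifier, not a mechanism
            key, _, value = term.partition("=")
            if key == "redirect":
                redirect = value  # consulted only if no mechanism matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # inner fail/softfail/neutral: keep going
        else:
            return "permerror"  # a, mx, exists, ptr are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        result = check_host(ip, redirect, records, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

The case worth watching is an address that matches only after an `include:` has run into a nested `~all`: the inner softfail means "no match" for the include, so evaluation continues with the next mechanism of the outer record.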

Postby Alexander Telegin » Mon Apr 21, 2014 9:11 pm

Must be a bug, checking...

Postby Alexander Telegin » Tue Apr 22, 2014 2:53 pm

Please unpack the attached file into the <eWall installation>\api folder. It will fix the problem.
Attachment: inc_spf.zip (4.95 KiB)