Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - SPF return unknown
  FAQ FAQ  Forum Search   Register Register  Login Login

SPF return unknown

 Post Reply Post Reply
Author
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Topic: SPF return unknown
    Posted: 05 October 2010 at 2:23pm
Hi
 
Lot of spam pass spamfilter and when I look in log the SPF result return "unknown". What mean this result?
 
The spam is clearly not the domain owners. Example: e-cards@hallmark.com with 65.166.169.23
 
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 05 October 2010 at 10:42pm
SpamFilter will return an "unknown" if the SPF record is malformed, and will skip the SPF filter check to avoid blocking valid emails.

As a side-note, in your specific example, hallmark.com does indeed have what appears as an improperly formatted SPF record, since it contains two v=spf1 mechanisms:

hallmark.com.           1       IN      TXT     "v=spf1 ip4:208.1.139.0/24 ip4:129.33.92.0/24 ip4:65.116.50.141 ip4:65.116.50.144 ip4:65.116.50.142 ip4:65.116.50.143 ip4:162.94.28.0/24 v=spf1 ip4:209.176.191.124 ip4:209.176.191.121 ip4:209.176.191.123 ip4:209.176.191.122 ip4:193.132.80.20 mx ~all"

while this does appear to violate the SPF RFC, we do see that the online verifier for openspf.org themselves marks that SPF record as legitimate. Due to this, we've just uploaded int he registered user area an updated build of SpamFilter (4.2.4.836) that ignores the duplicate v=spf1 mechanisms and continues to validate the remaining of the SPF record for further analysis.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Posted: 06 October 2010 at 8:06am
ok ...
 
If I understand well, wise spamer can use domain name who don't respect the SPF RFC and bypass most of the SPF rules.
Back to Top
yapadu View Drop Down
Senior Member
Senior Member


Joined: 12 May 2005
Status: Offline
Points: 272
Post Options Post Options   Thanks (0) Thanks(0)   Quote yapadu Quote  Post ReplyReply Direct Link To This Post Posted: 06 October 2010 at 7:13pm
Yes a smart spammer will not pick a domain with valid SPF rules, a much higher % of spam will be stopped when a domain publishes SPF.

By publishing SPF records the domain owner is protecting themselves from spammers trying to forge email from their domain.

It is almost like a lock on a bike or house.  Just because you have a lock does not mean you can't get broken into but a thief is probably just going to hit the house next door that does not have an alarm.

Thanks for the new release Roberto, a couple of nice new additions in there!
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.093 seconds.