Print Page | Close Window

Another ambiguous SPF Rule confuses admin

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5799
Printed Date: 16 December 2017 at 12:29am


Topic: Another ambiguous SPF Rule confuses admin
Posted By: pcmatt
Subject: Another ambiguous SPF Rule confuses admin
Date Posted: 18 September 2006 at 10:16pm

Thought it was a bug in SpamFilter but really a bug in SPF documentation.  Identifiers are not really clear in some cases.

Example:

TXT Record - "v=spf1 a -all"

the identifyer above "a" does not refer to all host records as it reads literally in the SPF docs, but only refers to the host record for the domain itself.

This was originally mis identified as a bug in SpamFilter.

 



-------------
-Matt R



Replies:
Posted By: LogSat
Date Posted: 19 September 2006 at 8:34am
Matt,

Actually SpamFilter's behavior is correct. You can verify this directly from the official openspf site:

http://www.openspf.org/why.html?sender=joe%40125percent.com&ip=65.166.65.106&formwasused=1&debug=0 - http://www.openspf.org/why.html?sender=joe%40125percent.com& amp;ip=65.166.65.106&formwasused=1&debug=0


The email should indeed be rejected when originating from 65.166.65.106. The nslookup results for an "A" search in fact only show the results for the .108:

> set type=a
> 125percent.com
Server:  ns1.netwide.net
Address:  209.26.140.2

Non-authoritative answer:
Name:    125percent.com
Address:  65.166.65.108

>



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: pcmatt
Date Posted: 19 September 2006 at 8:57am

I would use their test if it was not wrong too.  We should have a program that is correct, not modeled after an incorrect example.

The a mechanism clearly documents that when only the a specifier is used ALL the A records for domain are tested. If the client IP is found among them, this mechanism matches.

-MJR

The a Mechanism

a
a:<domain>
a:<domain>/<cidr-length>
a/<cidr-length>

All the A records for domain are tested. If the client IP is found among them, this mechanism matches.

If domain is not specified, the current-domain is used



-------------
-Matt R


Posted By: mikek
Date Posted: 19 September 2006 at 9:29am
that's the A entries for <domain>, not <host.domain>...

if you have two A records for 125percent.com, they will be checked, but not any host A records.

your dns zone probably looks something like this (here you see the problem, there is no way to list the host A records since the domain was - correctly - set up to deny listing records):
125percent.com A 65.166.65.108
mail.125percent.com A 65.166.65.108
smtp.125percent.com A 65.166.65.106

if you would add
125percent.com A 65.166.65.106

the second address would be output by an nslookup 125percent.com and therefore checked by the SPF A mechanism as well.


Posted By: pcmatt
Date Posted: 19 September 2006 at 10:50am

Roberto,

You are correct.  The documentation on SPF is unclear and has succesfully confused domain admins and myself. 



-------------
-Matt R


Posted By: LogSat
Date Posted: 19 September 2006 at 11:54am
Don't worry Matt... remember all the times when WE were confused with SPF and had it wrong and YOU pointed us in the right direction ?

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window