----- Original Message -----
From: "Harry Katz" <hkatz(_at_)exchange(_dot_)microsoft(_dot_)com>
To: <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Saturday, April 24, 2004 3:05 AM
Subject: RE: RE: Can you ever reject mail based on RFC2821 MAIL FROM?
I just got these three transactions a few minutes ago from the same sender.
The first transaction shows an SPF reject. It is based on the return path
DOMAIN not associated with the IP.
20040424 10:54:18 -------------------------------------
20040424 10:54:18 version : 1.61 / 1.54
20040424 10:54:18 state : rcpt
20040424 10:54:18 srvdom : winserver.com
20040424 10:54:18 srvip : 208.247.131.9
20040424 10:54:18 cip : 218.69.147.199
20040424 10:54:18 cdn : readthismessage.com
20040424 10:54:18 from : <pistils(_at_)knock-on(_dot_)com>
20040424 10:54:18 rcpt : <hector(_dot_)santos(_at_)santronics(_dot_)com>
20040424 10:54:18 testorder : FLT RBL SPF CEP CBV
20040424 10:54:18 sapfilter : pass (time:32)
20040424 10:54:18 saprbl : testing 199.147.69.218.sbl.spamhaus.org
20040424 10:54:18 saprbl : testing 199.147.69.218.list.dsbl.org
20040424 10:54:18 saprbl : testing 199.147.69.218.bl.spamcop.net
20040424 10:54:18 saprbl : pass (time:15)
20040424 10:54:21 sapspf : v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
20040424 10:54:21 sapspf : fail (time:2453)
20040424 10:54:21 finaltest : SPF GlobalResult=0 CodeResponse=550
20040424 10:54:21 result : reject (0)
20040424 10:54:21 smtp code : 550
20040424 10:54:21 reason : Rejected by WCSAP SPF Fail
20040424 10:54:21 wcsap finish (2562 msecs)
Here he comes again, but this time uses a different return path address.
However, if you verify the information, the HELO readthismessage.com also
returns the same SPF record. For SPF, I had argued for a modified
provision of allowing for HELO checks even for non-NULL return paths. Meng
added the provision. But I added logic only to do this for Local Domain
checks, because in general I felt it would be unnecessary overhead. So this
snuck through the cracks and it also passed the CBV test.
20040424 10:54:31 -------------------------------------
20040424 10:54:31 version : 1.61 / 1.54
20040424 10:54:31 calltype : SMTP
20040424 10:54:31 state : rcpt
20040424 10:54:31 srvdom : winserver.com
20040424 10:54:31 srvip : 208.247.131.9
20040424 10:54:31 cip : 218.69.147.199
20040424 10:54:31 cdn : readthismessage.com
20040424 10:54:31 from : <genesis(_at_)thebluebirds(_dot_)com>
20040424 10:54:31 rcpt : <asantos(_at_)santronics(_dot_)com>
20040424 10:54:31 ruid : 20844
20040424 10:54:31 testorder : FLT RBL SPF CEP CBV
20040424 10:54:31 sapfilter : pass (time:31)
20040424 10:54:31 saprbl : testing 199.147.69.218.sbl.spamhaus.org
20040424 10:54:31 saprbl : testing 199.147.69.218.list.dsbl.org
20040424 10:54:31 saprbl : testing 199.147.69.218.bl.spamcop.net
20040424 10:54:31 saprbl : pass (time:16)
20040424 10:54:32 sapspf : none (time:1187)
20040424 10:54:32 sapcep : test from=thebluebirds.com
20040424 10:54:34 sapcep : test cdn=readthismessage.com
20040424 10:54:35 sapcep : none (time:2657)
20040424 10:54:40 sapcbv : total mx records: 1
20040424 10:54:42 try mx : mercury.shreve.net ip: 207.254.192.4
20040424 10:54:42 # connecting to 207.254.192.4
20040424 10:54:42 S: 220 **02*****************
20040424 10:54:42 C: NOOP WCSAP v1.61 Wildcat! Sender Authentication Protocol http://www.santronics.com
20040424 10:54:42 S: 502 unimplemented (#5.5.1)
20040424 10:54:42 C: HELO mail.winserver.com
20040424 10:54:43 S: 250 mx02.shreve.net
20040424 10:54:43 C: MAIL FROM: <>
20040424 10:54:43 S: 250 ok
20040424 10:54:43 C: RCPT TO: <genesis(_at_)thebluebirds(_dot_)com>
20040424 10:54:43 S: 250 ok
20040424 10:54:43 C: RCPT TO: <wcsap-openrelay-test-123sxa23(_at_)alqwejad(_dot_)com>
20040424 10:54:43 S: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
20040424 10:54:43 C: QUIT
20040424 10:54:43 sapcbv : 250
20040424 10:54:43 result : accept (-1)
20040424 10:54:43 wcsap finish (11782 msecs)
However, it was rejected at the DATA hook as spam, so it tries again, using
another return path address which also returns an SPF record that rejects the
transaction.
20040424 10:55:09 -------------------------------------
20040424 10:55:09 version : 1.61 / 1.54
20040424 10:55:09 calltype : SMTP
20040424 10:55:09 state : rcpt
20040424 10:55:09 srvdom : winserver.com
20040424 10:55:09 srvip : 208.247.131.9
20040424 10:55:09 cip : 218.69.147.199
20040424 10:55:09 cdn : readthismessage.com
20040424 10:55:09 from : <reading(_at_)snails-pace(_dot_)com>
20040424 10:55:09 rcpt : <andrea(_dot_)santos(_at_)santronics(_dot_)com>
20040424 10:55:09 ruid : 20844
20040424 10:55:09 trcpt : 1
20040424 10:55:09 testorder : FLT RBL SPF CEP CBV
20040424 10:55:09 sapfilter : pass (time:31)
20040424 10:55:09 saprbl : testing 199.147.69.218.sbl.spamhaus.org
20040424 10:55:09 saprbl : testing 199.147.69.218.list.dsbl.org
20040424 10:55:09 saprbl : testing 199.147.69.218.bl.spamcop.net
20040424 10:55:11 saprbl : pass (time:1562)
20040424 10:55:27 sapspf : v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
20040424 10:55:27 sapspf : fail (time:15735)
20040424 10:55:27 finaltest : SPF GlobalResult=0 CodeResponse=550
20040424 10:55:27 result : reject (0)
20040424 10:55:27 smtp code : 550
20040424 10:55:27 reason : Rejected by WCSAP SPF Fail
20040424 10:55:27 wcsap finish (17391 msecs)
Let's look at the 2nd transaction that was rejected at the DATA stage as
spam. Here is the saved rejected header:
FROM: <genesis(_at_)thebluebirds(_dot_)com>
TO: <asantos(_at_)santronics(_dot_)com>
DATA:
Received: from ([218.69.147.199]) HELO=readthismessage.com
by winserver.com (Wildcat! SMTP v6.0.451.1) with SMTP
id 924099890; Sat, 24 Apr 2004 10:54:43 -0400
Received: from thebluebirds.com (mercury.shreve.net [207.254.192.4])
by readthismessage.com (Postfix) with ESMTP id CED95B6199
for <asantos(_at_)santronics(_dot_)com>; Sat, 24 Apr 2004 07:48:08 -0700
Date: Sat, 24 Apr 2004 07:48:08 -0700
From: "Arider H. Luckiest" <genesis(_at_)thebluebirds(_dot_)com>
X-Mailer: The Bat! (v2.00.1) Personal
X-Priority: 3
Message-ID: <8099466723(_dot_)20040424074808(_at_)thebluebirds(_dot_)com>
To: Asantos <asantos(_at_)santronics(_dot_)com>
Subject: Asantos, lowest rates around on medication
MIME-Version: 1.0
Content-Type: multipart/alternative;
Now can you tell me how the above can be used to reject the message via
RFC 2822 headers, not using a spam filter as it was done in this case?
The 2822 From: header matches the 2821 MAIL FROM. There is no Sender:
address.
Let's look at the first hop:
Received: from thebluebirds.com (mercury.shreve.net [207.254.192.4])
by readthismessage.com (Postfix) with ESMTP id CED95B6199
for <asantos(_at_)santronics(_dot_)com>; Sat, 24 Apr 2004 07:48:08 -0700
According to this, the originating server, thebluebirds.com, routed the
message to readthismessage.com which has an SPF record.
Now, is this an SPF compliant spammer?
Why is the originating server not SPF ready? It broke the CHAIN of TRUST.
So, POSSIBLY, we can use the Received: information. But SPF would have
rejected this by using the modified provision. In my setup, I have it so
that it only checks HELO for local domains. I am going to change this option
now to gather SPF stats on both MAIL FROM and HELO checking.
The point?
RFC 2821 validation works! And if there is no decision, you can go to RFC
2822, but what do you do? Hop checking is all I can see, and the key problem
I see there is the broken chain of trust. That originating server should be
SPF ready if it has SPF compliant mail routers for outbound mail. This was
most likely a spammer and, looking at its mail content, it was.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
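The three WCSAP transactions above boil down to one question a receiver can answer at RCPT time: does the connecting IP appear in the SPF record of the MAIL FROM domain, and if that domain publishes nothing, does it appear in the record of the HELO domain? The following is an added example written for this message, not WCSAP's code or any SPF library's. It evaluates the record the log shows (`v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all`) against the client IP 218.69.147.199 with an in-memory DNS table, so it runs offline; the A and MX data for send1.surgeweb.com and the MX host `mx1.knock-on.com` are assumed placeholder values (192.0.2.x documentation addresses), and only the mechanisms that occur in that record (ip4, a, mx, all) are implemented. The `sender_auth` function applies the "HELO check when MAIL FROM gives no decision" provision discussed in the post, which is what turns the second transaction from `none` into `fail`.

```python
import ipaddress

# Constructed in-memory DNS table standing in for live lookups. The v=spf1
# record is the one the WCSAP log shows; every entry marked ASSUMED is
# placeholder data invented for this example, not taken from the page.
SPF_RECORD = ("v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 "
              "a:send1.surgeweb.com mx -all")
FAKE_DNS = {
    ("knock-on.com", "TXT"): [SPF_RECORD],
    ("snails-pace.com", "TXT"): [SPF_RECORD],
    ("readthismessage.com", "TXT"): [SPF_RECORD],
    # thebluebirds.com publishes no TXT at all, so check_host returns "none".
    ("send1.surgeweb.com", "A"): ["192.0.2.10"],     # ASSUMED
    ("knock-on.com", "MX"): ["mx1.knock-on.com"],    # ASSUMED
    ("mx1.knock-on.com", "A"): ["192.0.2.20"],       # ASSUMED
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query; [] when nothing is published."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def ip_matches_a(ip, name):
    """True when ip equals one of the A records published for name."""
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "A"))


def check_host(ip, domain):
    """Evaluate domain's SPF record for client ip (ip4, a, mx, all only)."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT")
               if t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # no policy published: SPF gives no decision
    if len(records) > 1:
        return "permerror"     # more than one v=spf1 record is an error
    for term in records[0].split()[1:]:
        if "=" in term:
            continue           # modifiers (redirect=, exp=) not handled here
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # strict=False: the record writes 216.65.64.1/24 with host bits
            # set; a strict network parser would reject it as malformed.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_matches_a(ip, arg or domain)
        elif mech == "mx":
            matched = any(ip_matches_a(ip, mx)
                          for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include:, exists:, ptr: not implemented
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # reached the end of the record without a match


def sender_auth(ip, mail_from, helo):
    """Check the MAIL FROM domain; when it yields 'none', check HELO instead.

    Returns (result, identity_checked). A null reverse path <> is checked
    against the HELO domain directly, as SPF specifies.
    """
    if "@" in mail_from:
        domain, identity = mail_from.strip("<>").rsplit("@", 1)[1], "MAIL FROM"
    else:
        domain, identity = helo, "HELO"
    result = check_host(ip, domain)
    if result == "none" and identity == "MAIL FROM":
        result, identity = check_host(ip, helo), "HELO"
    return result, identity


if __name__ == "__main__":
    client, helo = "218.69.147.199", "readthismessage.com"
    for sender in ("pistils@knock-on.com", "genesis@thebluebirds.com",
                   "reading@snails-pace.com"):
        print(sender, sender_auth(client, sender, helo))
```

Run as a script it reports `fail` on MAIL FROM for the first and third senders and `fail` on HELO for the second, which is the transaction the log shows slipping through when only local domains are HELO-checked. The `strict=False` on the ip4 mechanism is worth noting: the published record carries host bits in its /24 prefixes, and an evaluator that refuses such prefixes would return permerror for every check against it rather than the intended fail.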