Just saw this in my logs. A spammer tried 5 times, each time rejected by
SPF. But what I found interesting is how this particular software simply
retried by changing the HELO client domain name (cdn), and then switching to
our address for the final 2 tries!
Also, is the aquila.com SPF record correct?
20040316 14:37:11 -------------------------------------
20040316 14:37:11 version : 1.55 / 1.54
20040316 14:37:11 calltype : SMTP
20040316 14:37:11 state : rcpt
20040316 14:37:11 cip : 68.163.53.8
20040316 14:37:11 cdn : jentz.org
20040316 14:37:11 from : <iiftp(_at_)aquila(_dot_)com>
20040316 14:37:11 rcpt : <hector(_at_)santronics(_dot_)com>
20040316 14:37:11 srvip : 208.247.131.9
20040316 14:37:11 sapfilter : pass (time:16)
20040316 14:37:11 saprbl : testing 8.53.163.68.sbl.spamhaus.org
20040316 14:37:13 saprbl : testing 8.53.163.68.list.dsbl.org
20040316 14:37:15 saprbl : testing 8.53.163.68.bl.spamcop.net
20040316 14:37:18 saprbl : pass
20040316 14:37:25 sapspf : v=spf1 mx
a:mail-out-1.aquila.com,mail-out-2.aquila.com
ip4:205.142.239.106,205.142.239.107 -all
20040316 14:37:25 sapspf : fail (time:7641)
20040316 14:37:25 smtp code : 550
20040316 14:37:25 reason : Rejected by WCSAP SPF Fail
20040316 14:37:25 wcsap finish (14688 msecs)
20040316 14:37:26 -------------------------------------
20040316 14:37:26 version : 1.55 / 1.54
20040316 14:37:26 calltype : SMTP
20040316 14:37:26 state : rcpt
20040316 14:37:26 cip : 68.163.53.8
20040316 14:37:26 cdn : jentz.net
20040316 14:37:26 from : <iiftp(_at_)aquila(_dot_)com>
20040316 14:37:26 rcpt : <hector(_at_)santronics(_dot_)com>
20040316 14:37:26 srvip : 208.247.131.9
20040316 14:37:26 sapfilter : pass (time:16)
20040316 14:37:26 saprbl : testing 8.53.163.68.sbl.spamhaus.org
20040316 14:37:26 saprbl : testing 8.53.163.68.list.dsbl.org
20040316 14:37:26 saprbl : testing 8.53.163.68.bl.spamcop.net
20040316 14:37:26 saprbl : pass
20040316 14:37:28 sapspf : v=spf1 mx
a:mail-out-1.aquila.com,mail-out-2.aquila.com
ip4:205.142.239.106,205.142.239.107 -all
20040316 14:37:28 sapspf : fail (time:1172)
20040316 14:37:28 smtp code : 550
20040316 14:37:28 reason : Rejected by WCSAP SPF Fail
20040316 14:37:28 wcsap finish (1250 msecs)
20040316 14:37:32 -------------------------------------
20040316 14:37:32 version : 1.55 / 1.54
20040316 14:37:32 calltype : SMTP
20040316 14:37:32 state : rcpt
20040316 14:37:32 cip : 68.163.53.8
20040316 14:37:32 cdn : jentz.org
20040316 14:37:32 from : <iiftp(_at_)aquila(_dot_)com>
20040316 14:37:32 rcpt : <hector(_at_)santronics(_dot_)com>
20040316 14:37:32 srvip : 208.247.131.9
20040316 14:37:32 sapfilter : pass (time:15)
20040316 14:37:32 saprbl : testing 8.53.163.68.sbl.spamhaus.org
20040316 14:37:32 saprbl : testing 8.53.163.68.list.dsbl.org
20040316 14:37:32 saprbl : testing 8.53.163.68.bl.spamcop.net
20040316 14:37:32 saprbl : pass
20040316 14:37:32 sapspf : v=spf1 mx
a:mail-out-1.aquila.com,mail-out-2.aquila.com
ip4:205.142.239.106,205.142.239.107 -all
20040316 14:37:32 sapspf : fail (time:0)
20040316 14:37:32 smtp code : 550
20040316 14:37:32 reason : Rejected by WCSAP SPF Fail
20040316 14:37:32 wcsap finish (94 msecs)
20040316 14:38:02 -------------------------------------
20040316 14:38:02 version : 1.55 / 1.54
20040316 14:38:02 calltype : SMTP
20040316 14:38:02 state : rcpt
20040316 14:38:02 cip : 68.163.53.8
20040316 14:38:02 cdn : jentz.com
20040316 14:38:02 from : <hector(_at_)santronics(_dot_)com>
20040316 14:38:02 rcpt : <sales(_at_)santronics(_dot_)com>
20040316 14:38:02 srvip : 208.247.131.9
20040316 14:38:02 sapfilter : pass (time:32)
20040316 14:38:02 saprbl : testing 8.53.163.68.sbl.spamhaus.org
20040316 14:38:02 saprbl : testing 8.53.163.68.list.dsbl.org
20040316 14:38:02 saprbl : testing 8.53.163.68.bl.spamcop.net
20040316 14:38:02 saprbl : pass
20040316 14:38:02 sapspf : v=spf1 ip4:208.247.131.10
mx:winserver.com -all
20040316 14:38:02 sapspf : fail (time:0)
20040316 14:38:02 smtp code : 550
20040316 14:38:02 reason : Rejected by WCSAP SPF Fail
20040316 14:38:02 wcsap finish (78 msecs)
20040316 14:38:03 -------------------------------------
20040316 14:38:03 version : 1.55 / 1.54
20040316 14:38:03 calltype : SMTP
20040316 14:38:03 state : rcpt
20040316 14:38:03 cip : 68.163.53.8
20040316 14:38:03 cdn : jentz.net
20040316 14:38:03 from : <hector(_at_)santronics(_dot_)com>
20040316 14:38:03 rcpt : <sales(_at_)santronics(_dot_)com>
20040316 14:38:03 srvip : 208.247.131.9
20040316 14:38:03 sapfilter : pass (time:16)
20040316 14:38:03 saprbl : testing 8.53.163.68.sbl.spamhaus.org
20040316 14:38:03 saprbl : testing 8.53.163.68.list.dsbl.org
20040316 14:38:03 saprbl : testing 8.53.163.68.bl.spamcop.net
20040316 14:38:03 saprbl : pass
20040316 14:38:03 sapspf : v=spf1 ip4:208.247.131.10
mx:winserver.com -all
20040316 14:38:03 sapspf : fail (time:0)
20040316 14:38:03 smtp code : 550
20040316 14:38:03 reason : Rejected by WCSAP SPF Fail
20040316 14:38:03 wcsap finish (94 msecs)
20040316 14:38:04 -------------------------------------
20040316 14:38:04 version : 1.55 / 1.54
20040316 14:38:04 calltype : SMTP
20040316 14:38:04 state : rcpt
20040316 14:38:04 cip : 68.163.53.8
20040316 14:38:04 cdn : jentz.net
20040316 14:38:04 from : <hector(_at_)santronics(_dot_)com>
20040316 14:38:04 rcpt : <sales(_at_)santronics(_dot_)com>
20040316 14:38:04 srvip : 208.247.131.9
20040316 14:38:04 sapfilter : pass (time:32)
20040316 14:38:04 saprbl : testing 8.53.163.68.sbl.spamhaus.org
20040316 14:38:04 saprbl : testing 8.53.163.68.list.dsbl.org
20040316 14:38:04 saprbl : testing 8.53.163.68.bl.spamcop.net
20040316 14:38:04 saprbl : pass
20040316 14:38:04 sapspf : v=spf1 ip4:208.247.131.10
mx:winserver.com -all
20040316 14:38:04 sapspf : fail (time:0)
20040316 14:38:04 smtp code : 550
20040316 14:38:04 reason : Rejected by WCSAP SPF Fail
20040316 14:38:04 wcsap finish (78 msecs)
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com