spf-discuss

A comedy of errors

2005-06-24 12:33:17
The following log entry appeared at a site of an early SPF adopter.

,----
Jun 23 13:17:42 XXX postfix/smtp[8767]: C1E7629BA6:
  to=<Member-LIST1@ua.fm>, relay=mxi1.ua.fm[195.248.190.27], delay=8,
  status=bounced (host mxi1.ua.fm[195.248.190.27] said: 550 Please see
  http://spf.pobox.com/why.html?sender=poster%40example.net&ip=999.999.999.999&receiver=top.alkar.net)
`----

The owner of a mailing list will have received a DSN representing the
above.

In the above and in the sequel the identity of entities at the site
logging this incident and of the mailing list members are obfuscated.

The URL above showed the following quoted material.


 SMTP + SPF
Sender Policy Framework
an essential part of Sender ID

Giving comfort and assistance to the opposition?

If the incident described here was induced by Sender ID, then this may
look like something more serious.

top.alkar.net rejected a message claiming to be from
Poster@example.net.

The message claimed to be from a mailing list.  The mailing list
submission claimed to be from <Poster@example.net>.

top.alkar.net saw a message coming from the IP address
999.999.999.999 which is lists.example.com; the sender claimed to be
Poster@example.net.

The envelope sender was <list1-admin@lists.example.com>.  Various
header-sender fields contained the address <Poster@example.net>.

However, example.net has announced using SPF that it does not send mail
out through 999.999.999.999. That is why the mail was rejected.  If
you are Poster@example.net:

example.net should have given you a way to send mail through an
approved server.

If you are using a mail program instead of webmail, you may need to
update the SMTP server configuration setting according to your ISP's
instructions. You may also need to turn on authentication, and enter
your username and password in your mail program's "Preferences".

If you run your own MTA, you may need to set a smarthost or
relayhost. If you are mailing from outside your ISP's network, you
may also need to make your MTA authenticate SMTP using SASL. Ideally
your server should listen on port 587 as well as port 25.

If your mail was correctly sent, but was rejected because it passed
through a forwarding service, you can either mail the final
destination address directly (it should be shown in the bounce
message) or you ask the forwarder to implement SRS. If neither of
these suggestions is practical, change your "-all" to "?all" until a
more comprehensive approach to sender authentication involving
cryptography solves the forwarding problem for good. For more
information on this problem, see pages 15-16 of the SPF Whitepaper.

You can also try emailing your recipient at an alternative email
address.

Please contact your ISP for further assistance; ask them for help in
configuring outbound SMTP email.

If your company needs further help, we provide a full range of
consulting services to help you resolve these problems quickly.

Oh, spf.pobox.com is advertising consulting services.  Like all the
mails that brag about and advertise anti-spam/anti-virus software that
doesn't seem to know what it is doing.

    If you are confident your mail did go through an approved
    server:

    The system administrator for example.net may have incorrectly
    configured its SPF record. This is a common cause of mistakes.

Hmm...

,----[ dig +sh example.net. txt @authoriative-name-server.foo. ]
`----

Where is that faulty SPF record?  (dig on real domain came up empty)

    Here's what you can do. Contact the system administrator
    responsible for example.net and tell them that they need to change
    its SPF record so that it contains lists.example.com. For
    example, they could change the record to something like

  v=spf1 ip4:192.139.46.240/28 a mx a:lists.example.com -all

Why?  How does any part of that recommendation pertain to example.net?

    If you can show this web page to your system administrator, they
    should be able to solve the problem.

Well, were the recipient of the DSN generated by this rejection to
bring this web page to my attention I would not be able to solve this
problem.  Give me a break!

If you did not send the message:

SPF successfully blocked a forgery attempt; someone tried to send
mail pretending to be from you, but the message was rejected before
anybody saw it. If you received a bounce message, you can delete
it. This means SPF is working as designed.

Looks like somebody threw a monkey wrench into the works.



All seriousness aside, at this point the "SPF an essential part of
Sender ID" is no help.  With help like that who needs enemies?

The web page makes assumptions that were reasonable before Sender ID
but that would be seen as foolishness now.

The web page fails the validation at <http://validator.w3.org/>.
Can't blame that on Sender ID. :)


JFTR below is an obfuscated copy of the mail header in the list
archives.

,----
From Poster@example.net  Thu Jun 23 10:31:44 2005
Return-Path: <Poster@example.net>
Delivered-To: LIST1@lists.example.com
Received: from foobar.example.net (bar.example.net [888.888.888.888])
        by lists.example.com (Postfix) with ESMTP
        id 8461C29B5F; Thu, 23 Jun 2005 10:31:43 -0400 (EDT)
Received: from [10.10.10.10] (host104-73.unused.cyberus.ca [1.2.3.4] (may be forged))
        (authenticated bits=0)
        by foobar.example.net (8.12.10/8.12.10) with ESMTP id j5NEVWte012551
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
        Thu, 23 Jun 2005 10:31:34 -0400
Message-ID: <42BAC7C6.7010103@example.net>
From: Learned Poster <Poster@example.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803
X-Accept-Language: en, fr
MIME-Version: 1.0
To: BYSTANDER <bystander@example.org>
Cc: LIST2@lists.example.com, LIST1@lists.example.com
References: <001a01c57636$51183660$a5aabac3@BIGDELL>
        <082d01c5765d$799178a0$6b00a8c0@oc08>
In-Reply-To: <082d01c5765d$799178a0$6b00a8c0@oc08>
X-Scanned-By: MIMEDefang 2.49 on 888.888.888.888
content-transfer-encoding: 7bit
content-type: text/plain;
 charset=us-ascii;
 format=flowed
Subject: [LIST1] Re: [LIST2] Obfuscated
Sender: LIST1-admin@lists.example.com
Errors-To: LIST1-admin@lists.example.com
X-BeenThere: LIST1@lists.example.com
Precedence: bulk
List-Help: <mailto:LIST1-request@lists.example.com?subject=help>
List-Post: <mailto:LIST1@lists.example.com>
List-Subscribe: <http://lists.example.com/mailman/listinfo/LIST1>,
        <mailto:LIST1-request@lists.example.com?subject=subscribe>
List-Id: <LIST1.lists.example.com>
List-Unsubscribe: <http://lists.example.com/mailman/listinfo/LIST1>,
        <mailto:LIST1-request@lists.example.com?subject=unsubscribe>
List-Archive: <http://lists.example.com/pipermail/LIST1/>
Date: Thu Jun 23 13:17:25 2005
X-Original-Date: Thu, 23 Jun 2005 10:31:34 -0400
`----


On the wire the outgoing envelope sender was
<list1-admin@lists.example.com> and the first (top) two lines in the
header would have been replaced by something like the following.

,----
Received: from foo.example.com (localhost.localdomain [127.0.0.1])
        by lists.example.com (Postfix) with ESMTP
        id 7780129B60; Thu, Jun 23 10:31:44 2005 -0400 (EDT)
`----

This is a comedy, right?

        jam
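
An added example, not part of the original post: a small Python diagnostic that takes the `sender=` value from the rejection URL and reports which identity of the message it names. The sample values are constructed from the obfuscated ones in the post; `diagnose` and `simplified_pra` are hypothetical names, and the PRA selection is a simplification that only follows the header order of RFC 4407 (Resent-Sender, Resent-From, Sender, From) and omits its malformed-header and Received-ordering rules.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qs

# Constructed sample input, taken from the obfuscated values in the post.
WHY_URL = ("http://spf.pobox.com/why.html?sender=poster%40example.net"
           "&ip=999.999.999.999&receiver=top.alkar.net")
ENVELOPE_SENDER = "list1-admin@lists.example.com"
HEADERS = """\
From: Learned Poster <Poster@example.net>
To: BYSTANDER <bystander@example.org>
Sender: LIST1-admin@lists.example.com
Subject: [LIST1] Re: [LIST2] Obfuscated

"""

def domain(addr):
    """Lower-cased domain of an address, or '' if it has none."""
    _, at, dom = parseaddr(addr)[1].rpartition("@")
    return dom.lower() if at else ""

def simplified_pra(msg):
    """First non-empty header in Resent-Sender, Resent-From, Sender, From order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name, "").strip():
            return name, parseaddr(msg[name])[1]
    return None, ""

def diagnose(why_url, envelope_sender, raw_headers):
    """Report which identity of the message the URL's sender= value names."""
    checked = parse_qs(urlsplit(why_url).query)["sender"][0]
    msg = message_from_string(raw_headers)
    pra_header, pra_addr = simplified_pra(msg)
    identities = {
        "MAIL FROM": envelope_sender,          # what classic SPF evaluates
        f"PRA ({pra_header})": pra_addr,       # what Sender ID evaluates
        "From": parseaddr(msg.get("From", ""))[1],
    }
    matches = [k for k, v in identities.items() if v.lower() == checked.lower()]
    return {"checked": checked, "checked_domain": domain(checked),
            "mail_from_domain": domain(envelope_sender),
            "pra_domain": domain(pra_addr), "matches": matches}

if __name__ == "__main__":
    for key, value in diagnose(WHY_URL, ENVELOPE_SENDER, HEADERS).items():
        print(f"{key}: {value}")
```

For the constructed input, the only identity matching the URL's `sender=` value is the header From address; the envelope sender and the simplified PRA both fall under lists.example.com.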


  • A comedy of errors, John A. Martin <=