SPF issue - strange false positive
  •  
bandicootltd

Hi

Just received a report of an email that wasn't delivered to our Kerio server. The mail server blocks emails with a failed SPF. All makes sense. Apart from the fact that the undeliverable email sent back includes a link to OpenSPF.Net which shows a different sending IP address than the one in the headers.

The domain xxx.com has authorized exch-smtp-out.livemail.co.uk (213.171.216.29) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

However the last IP in the header is...

Received: from WINHEXFEEU1.win.mail (unknown [217.160.154.162]) by exch-2010-smtp-out-03.livemail.co.uk (Postfix) with ESMTP id 687851CF8E3; Thu, 3 Mar 2016 09:39:50 +0000 (GMT)

The email as far as I can see should have been blocked, but explaining this to the client with the statement in the link saying it should have been accepted isn't great.

Has anyone else seen this?

  •  
Maerad

Looks like the last hop (or first?!) isn't in the SPF. But honestly, with that information it's more fortune telling than help. If you give us the sending domain and the whole header, maybe we can figure something out together. With the info we have right now, I wouldn't even know where to look.

Btw, I would suggest changing the SPF handling from a total block to a spam score. We receive a lot of legit mail with bad / wrong SPF records and it would be bad if those mails were lost - many of them actual orders. Not to mention that the mail with the wrong SPF warning goes to a normal user. Experience tells us those users can't do anything with it and most likely will delete the mail.

Had some bad experiences with that. If you set the spam score like one or two points below the block limit, I guess no spam will come through.

Not to mention, a lot of spam we get to our end users comes from compromised systems that send out in the user's name (like infected Outlook) and those are with a correct SPF record.

[Updated on: Fri, 04 March 2016 16:13]

  •  
bandicootltd

The hops, in order as shown in the headers, are:

Received: from WINHEXFEEU1.win.mail (unknown [217.160.154.162])
by exch-2010-smtp-out-03.livemail.co.uk (Postfix) with ESMTP id 687851CF8E3;
Thu, 3 Mar 2016 09:39:50 +0000 (GMT)
Received: from winhexbeeu43.win.mail (10.76.18.52) by winhexbeeu47.win.mail
(10.76.18.54) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Thu, 3 Mar
2016 10:39:49 +0100
Received: from winhexbeeu43.win.mail ([fe80::e077:6b30:5ffd:b2c9]) by
winhexbeeu43.win.mail ([fe80::e077:6b30:5ffd:b2c9%15]) with mapi id
15.00.1130.005; Thu, 3 Mar 2016 10:39:49 +0100



The SPF for the domain is:

v=spf1 a ip4:213.171.216.0/24 mx -all


The rejection makes sense since the sending server's IP address is not on the SPF. The bit I don't understand is that the undeliverable sent back contains the SPF link:


Remote Server returned '<mail.bandicoot.co.uk #5.7.0 smtp; 550 5.7.0 Please see http://www.openspf.net/why.html?sender=email%40address.com&ip=213.171.216.29&receiver=mail.bandicoot.co.uk>'

This link will not work for you since I have altered the sender's domain, but the IP address in the link doesn't feature on the hops list in the original email, so where does it come from? Because the IP is on the SPF record, when you click on the link it states:


The domain xxx.com has authorized exch-smtp-out.livemail.co.uk (213.171.216.29) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.
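
Added example, not part of the original posts: an SPF check is run against the IP address of the SMTP client that connects to the receiving server, which is what the `ip=` parameter in the rejection link carries, not against addresses read out of `Received:` headers. The sketch below evaluates the record quoted above for each address mentioned in the thread; the `a` and `mx` lookups are left empty as an assumption, since no DNS data for the domain is on the page, and only a subset of SPF mechanisms is handled.

```python
import ipaddress
from urllib.parse import parse_qs, urlparse

# Values copied from the thread.
SPF_RECORD = "v=spf1 a ip4:213.171.216.0/24 mx -all"
WHY_URL = ("http://www.openspf.net/why.html?sender=email%40address.com"
           "&ip=213.171.216.29&receiver=mail.bandicoot.co.uk")
HEADER_HOPS = ["217.160.154.162", "10.76.18.52", "fe80::e077:6b30:5ffd:b2c9"]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluated_ip(why_url):
    """Return the client IP the rejecting server put in its openspf.net link."""
    return parse_qs(urlparse(why_url).query)["ip"][0]


def check_spf(record, client_ip, a_hosts=(), mx_hosts=()):
    """Evaluate a subset of SPF (a, mx, ip4, ip6, all) left to right.

    a_hosts / mx_hosts stand in for the DNS answers for the domain's A and
    MX addresses (assumption: supplied by the caller, this runs offline).
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = client_ip in a_hosts
        elif name == "mx":
            matched = client_ip in mx_hosts
        else:
            return "unsupported"  # outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for addr in [evaluated_ip(WHY_URL)] + HEADER_HOPS:
        print(addr, check_spf(SPF_RECORD, addr))
```

When the address in the rejection link evaluates to pass against the published record, the receiving server's own logs are the place to find which address and result it actually recorded for the session.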


  •  
freakinvibe

The mail should have been accepted as your last hop is:

WINHEXFEEU1.win.mail [217.160.154.162] ===> exch-2010-smtp-out-03.livemail.co.uk [213.171.216.26]

So the question is rather why it was not accepted. You have to look through your Kerio logs (Security and Debug log) to see why the mail has been rejected.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch