SPF fail with spamexperts

mreinder
Posts: 9
Joined: 06 Sep 2016 09:06

SPF fail with spamexperts

Post by mreinder »

Good morning, I've been using efa for a few months now with great pleasure.
However I've added spamexperts spam check for our 2 most used domains.

Now efa says the spf fails because it comes from the wrong server.
IP Address Hostname Country RBL Spam Virus All
159.253.1.250 s02.spamexperts.axc.nl Netherlands [ ] [ ] [ ] [ ]
66.220.155.143 66-220-155-143.outmail.facebook.com United States [ ] [ ] [ ] [ ]

Code:

-1.90	BAYES_00	Bayes spam probability is 0 to 1%
0.10	DKIM_SIGNED	Message has a DKIM or DK signature, not necessarily valid
-0.10	DKIM_VALID	Message has at least one valid DKIM or DK signature
-0.10	DKIM_VALID_AU	Message has a valid DKIM or DK signature from author's domain
0.00	HTML_FONT_LOW_CONTRAST	HTML font color similar or identical to background
0.00	HTML_MESSAGE	HTML included in message
8.00	KAM_FACEBOOKMAIL	Fake or Abused Facebook Mail
-0.00	RCVD_IN_DNSWL_NONE	Sender listed at http://www.dnswl.org/, no trust
0.00	SPF_FAIL	SPF: sender does not match SPF record (fail)
0.00	UNPARSEABLE_RELAY	Informational: message has unparseable relay lines

Is this the fault of spamassassin or is this the fault of spamexperts?
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: SPF fail with spamexperts

Post by pdwalker »

Or is it because your SPF record is not set up correctly?

Perhaps if you share your domain with me, I can help you check your SPF record to determine where the problem is.
mreinder
Posts: 9
Joined: 06 Sep 2016 09:06

Re: SPF fail with spamexperts

Post by mreinder »

No, this is an email from Facebook:
From: "Facebook" <notification+kr4nas42bmma@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>

The problem is that the spf check sees s02.spamexperts.axc.nl as the last server and then the spf fails I think.
Shouldn't it be checking the first server?
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: SPF fail with spamexperts

Post by pdwalker »

Oh, I think I understand.

You have mail from facebook being sent to your server. However, you have a service that filters your mail (spamexperts.axc.nl) before sending it to your mailserver.

Can you confirm if that is correct?
mreinder
Posts: 9
Joined: 06 Sep 2016 09:06

Re: SPF fail with spamexperts

Post by mreinder »

Yes that is correct.
And I don't know if that is because they transfer the mail the wrong way, or there is no other option and SPF should check all servers it is relayed by.
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: SPF fail with spamexperts

Post by pdwalker »

Ok, so you have the same problem I have.

Mail goes through a provider before being delivered to your efa server.

So imagine I set my spf record to mx:mail.example.com ~all (accept mail from mail.example.com, and it's possible that I might send mail from other servers) and I send you a message.

If you don't have this service, you receive a message from mail.example.com, check the SPF record and you'll find a match.

In the case of this filter service - call it filter.service.com - mail.example.com sends it to filter.service.com. filter.service.com then sends it to your server. Your server checks the SPF record against the incoming server (filter.service.com) and finds that it does not match the SPF record, but accepts it because of the ~all parameter. It's not a match, but acceptable.

Because of this, you cannot use spf checks directly.

Now, my provider does an SPF check, and they include the results of their SPF check into the headers for me. So while my SPF check fails (because the incoming mail comes from service.com instead of the original example.com), the service.com provider adds a header saying service provider SPF check passes. Since that happens for me, I can write a second check to look for this and rescore the service.com passed spf check.

Here is an example:
X-Greylist: whitelisted by SQLgrey-1.8.0
Authentication-Results: myefa.example.com;
dkim=pass (1024-bit key) header.d=facebookmail.com header.i=@facebookmail.com header.b=RCvviigu
Received: from mail6.bemta17.messagelabs.com (mail6.bemta17.messagelabs.com [117.120.20.71])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by my.example.com (Postfix) with ESMTPS id 438FB180060
for <user@example.com>; Fri, 21 Oct 2016 00:05:22 +0800 (HKT)
Received: from [117.120.20.147] by server-1.bemta-17.messagelabs.com id 35/0F-06899-24BE8085; Thu, 20 Oct 2016 16:05:22 +0000
Authentication-Results: mx.messagelabs.com; spf=pass
(server-15.tower-81.messagelabs.com: domain of facebookmail.com
designates 66.220.155.146 as permitted
sender)smtp.mailfrom=facebookmail.com; dkim=pass
(pass)header.i=@facebookmail.com

X-Env-Sender: notification+mj-jw-3_@facebookmail.com
X-Msg-Ref: server-15.tower-81.messagelabs.com!1476979515!25479133!1
X-Originating-IP: [66.220.155.146]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
VHJ1c3RlZCBJUDogNjYuMjIwLjE1NS4xNDYgPT4gNTQ2MTQ0\n
X-StarScan-Received:
X-StarScan-Version: 8.84; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 28180 invoked from network); 20 Oct 2016 16:05:19 -0000
Received: from 66-220-155-146.outmail.facebook.com (HELO mx-out.facebook.com) (66.220.155.146)
by server-15.tower-81.messagelabs.com with DHE-RSA-AES128-SHA encrypted SMTP; 20 Oct 2016 16:05:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2013-q3; t=1476979514;
bh=6wTabdNdqBQzNh+4lZXIo203cHCMmR2mL3K1iFm6Upc=;
h=Date:To:Subject:From:MIME-Version:Content-Type;
b=RCvviiguQ7i/Gr6mw6KaVwl6jUN6XVCykLWgYmIKu4fHNqJgts/ahvR3KoClMkky+
hB7loT69x50trt9cdejiPYchOA99ab/gd/r6Zv8SgYiWUQYKA31x2Fujn+6uA2D/Bx
dLbbzmg1oh/vL7ij6kUINU86Ui/C/VXwGjHW5pU0=
Received: from facebook.com (VCZmHoBfuMGRUYX5OMXc2cUxXkHCBTatMA8Gf87o9uafveOr7q4/iqmf4XO+aqEd 10.103.99.69)
by facebook.com with Thrift id fc98254c96de11e6a5680002c9929ade-257fca50;
Thu, 20 Oct 2016 09:05:14 -0700
X-Facebook: from 2401:db00:20:50ed:face:0:1f:0 ([MTI3LjAuMC4x])
by async.facebook.com with HTTP (ZuckMail);
Date: Thu, 20 Oct 2016 09:05:14 -0700
To: User <user@example.com>
Subject: someone commented on some subject
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
From: "Facebook" <notification+mj-jw-3_@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>
Errors-To: notification+mj-jw-3_@facebookmail.com
X-Facebook-Notify: nf_comment_story; mailid=53f4dcda9a20aG21419543G53f4e173fa4dcG50dG197f
List-Unsubscribe: <https://www.facebook.com/o.php=AS3SRE8w ... cG50dG197f>
X-FACEBOOK-PRIORITY: 1
X-Auto-Response-Suppress: All
Require-Recipient-Valid-Since: user@example.com; Monday, 11 Jun 2007 01:25:01 +0000
Message-ID: <6ccca2f528236fd4bd2921c0a810c60d@async.facebook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_6ccca2f528236fd4bd2921c0a810c60d"

Now look at my SPF score for this message:
-1.90 BAYES_00 Bayes spam probability is 0 to 1%
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.10 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.10 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
0.00 HTML_FONT_LOW_CONTRAST HTML font color similar or identical to background
0.00 HTML_MESSAGE HTML included in message
-0.68 ML_SPF_PASS Messagelabs verified the SPF header
0.00 MXPF_TEST
-0.01 OW_PASS Test only - DKIM Valid, or SPF Pass or MXPF pass
-1.40 OW_SENT_EMAIL_D Message with Verified Domain (not freemail) we sent to in the past
-0.01 OW_T_SENT_EMAIL_D Test only - domain matches email address we've sent to in the past
0.01 R_SB_FR Ip sender with SenderBase Reputation of
-0.20 R_SB_FR_P03 SenderBase Reputation 3
0.00 SPF_FAIL SPF: sender does not match SPF record (fail)
-0.00 SPF_HELO_PASS SPF: HELO matches SPF record
0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay lines

Maybe this is not a good example, but it's the first one I could find.

My SPF check fails, but my additional rule to check the SPF check from Message Lab passes, thus I reduce the spam score slightly.

Does that make sense to you now?

Check your headers. Does your mail service provider do an SPF check for you? You can share the headers or three from some of your messages with me and I could look for you, or I could send you a message directly since I know my spf checks will pass. If you want to try this, pm me your email address.
mreinder
Posts: 9
Joined: 06 Sep 2016 09:06

Re: SPF fail with spamexperts

Post by mreinder »

You're right.
My provider also checks SPF and puts it in the header.
Can you share your script for the check?

Message 1:
Received-SPF: pass (s01.spamexperts.axc.nl: domain of marktplaats.nl designates 5.255.156.8 as permitted sender) client-ip=5.255.156.8; envelope-from=automatisch@marktplaats.nl; helo=marktplaats.nl;
X-SPF-Result: s01.spamexperts.axc.nl: domain of marktplaats.nl designates 5.255.156.8 as permitted sender
Authentication-Results: s01.spamexperts.axc.nl; dmarc=pass header.from=marktplaats.nl

Complete header message2:
Received: from s02.spamexperts.axc.nl (s02.spamexperts.axc.nl [159.253.1.250])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by xxxxxxxxxx(Postfix) with ESMTPS id 37608100B35
for xxxxxxxxxxxx; Fri, 21 Oct 2016 07:59:47 +0200 (CEST)
Received: from mta10d9.r.grouponmail.nl ([50.115.219.10])
by s02.spamexperts.axc.nl with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.86)
(envelope-from <5cf67db1b491e9c181be19c20a17aa62e388e3ba10369e8c763f144d62dfc1c4@bounce.r.grouponmail.nl>)
id 1bxSrp-0004QX-QF
for xxxxxxxx; Fri, 21 Oct 2016 07:59:47 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=r.grouponmail.nl;
s=s1024d20130206; t=1477029525;
bh=5FakkmE9fXfMCRusdwqmAiQLsCHhSKgvsBGkLeIihKs=;
h=Date:From:To:Message-ID:Subject:Content-Type;
b=oLORTgtV8H1wbLXMeA9ctPZn/1/bnc2ngVMnsmpIVSfOtAWPfP0JLpRevOaajF6lc
ywW3bdAr+rA1O0DOke50+YTgSbJcNAy8K4SBaOVX4SJv/1xsrZmvMG1K7JhxXLiB1b
aDaHBicoBq5DfF0jg21ktJP8bhbKgIahpdPN8dYw=
Date: Fri, 21 Oct 2016 05:58:45 +0000
From: Groupon Producten <noreply@r.grouponmail.nl>
To: xxxxxxxxx
Message-ID: <1587218693.1102875.1477029525209.JavaMail.rocketman@push-dispatcher2>
Subject: Refurbished iPhone 5c/5/5S/6, iPhone 6 refurbished, Slimming Sauna
tailleband, Connected Smartwatch compatibel met Android en iPhone & meer
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-RM-UserHash: 5cf67db1b491e9c181be19c20a17aa62e388e3ba10369e8c763f144d62dfc1c4
X-RM-SendId: c7abea3c-c74b-4138-826c-9509dea3568e_0_20161021
X-RM-SenderScore: 90
X-RM-EmailName: channel-goods_auto_nl_im_channel-goods_landelijke-deal_nl_im_goods_SD_PMP
X-MSFBL: bWFyamFuLnBpZXRlcm1hbkBwYXN3ZXJrLm5sOmJhdGNoOmM3YWJlYTNjLWM3NGItNDEzOC04MjZjLTk1MDlkZWEzNTY4ZV8wXzIwMTYxMDIxOjg4NTUwMjg4Ok5M
List-Unsubscribe: <mailto:5cf67db1b491e9c181be19c20a17aa62e388e3ba10369e8c763f144d62dfc1c4@unsub.r.grouponmail.nl?subject=bWFyamFuLnBpZXRlcm1hbkBwYXN3ZXJrLm5sOmJhdGNoOmM3YWJlYTNjLWM3NGItNDEzOC04MjZjLTk1MDlkZWEzNTY4ZV8wXzIwMTYxMDIxOjg4NTUwMjg4Ok5M>
X-RPCampaign: GrouponchannelgoodsautonlimchannelgoodslandelijkedealnlimgoodsSDPMP20161021
X-RPTags: channel-goods_auto_nl_im_channel-goods_landelijke-deal_nl_im_goods_SD_PMP
X-Recruiting: Interested in headers? Join us: www.groupon.com/techjobs/
List-Id: <channel-goods_auto_nl_im_channel-goods_landelijke-deal_nl_im_goods_SD_PMP_20161021.groupon>
X-Feedback-ID: r.grouponmail.nl:channel-goods_auto_nl_im_channel-goods_landelijke-deal_nl_im_goods_SD_PMP:c7abea3c-c74b-4138-826c-9509dea3568e_0_20161021:groupon
Received-SPF: pass (s02.spamexperts.axc.nl: domain of bounce.r.grouponmail.nl designates 50.115.219.10 as permitted sender) client-ip=50.115.219.10; envelope-from=5cf67db1b491e9c181be19c20a17aa62e388e3ba10369e8c763f144d62dfc1c4@bounce.r.grouponmail.nl; helo=mta10d9.r.grouponmail.nl;
X-SPF-Result: s02.spamexperts.axc.nl: domain of bounce.r.grouponmail.nl designates 50.115.219.10 as permitted sender
Authentication-Results: s02.spamexperts.axc.nl; dmarc=pass header.from=r.grouponmail.nl
X-Filter-ID: s0sct1PQhAABKnZB5plbIXbvVvfo0PIvAcbsTOKi5vApA/3P63BXZK0InpHZdJ8dSLobrTqf3Lrx
X-Report-Abuse-To: spam@s01.spamexperts.axc.nl
Authentication-Results: spamexperts.axc.nl; spf=pass smtp.mailfrom=5cf67db1b491e9c181be19c20a17aa62e388e3ba10369e8c763f144d62dfc1c4@bounce.r.grouponmail.nl
Authentication-Results: spamexperts.axc.nl; dkim=pass header.i=r.grouponmail.nl
X-SpamExperts-Class: ham
X-SpamExperts-Evidence: dnswl/ip-09.rbl.spamrl.com
X-Recommended-Action: accept
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: SPF fail with spamexperts

Post by pdwalker »

It's not a script, it's a spamassassin setting.

In your case, it looks like the header your provider adds is
X-SPF-Result: s01.spamexperts.axc.nl: domain of marktplaats.nl designates 5.255.156.8 as permitted sender

Can you gather some other X-SPF-Result headers from your other messages so we can see what the pattern is?

My pattern is simple. I just have to search for the string: "mx.messagelabs.com; spf=pass" for a successful check.

Code:

# spf tests fail when they pass through messagelabs.  Check
# for the messagelabs test and then correct the scores appropriately.
describe ML_SPF_PASS Messagelabs verified the SPF header
# dots are escaped so they match only a literal "." in the host name
header ML_SPF_PASS Authentication-Results =~ /mx\.messagelabs\.com; spf=pass/i
score ML_SPF_PASS -0.68

Give me a few examples of your X-SPF-Result header and we can make a spamassassin rule for you. And include negative results if you can find them.
mreinder
Posts: 9
Joined: 06 Sep 2016 09:06

Re: SPF fail with spamexperts

Post by mreinder »

Sorry for the delay.

Received-SPF: pass (s01.spamexperts.axc.nl: domain of mailing2.ternair.com designates 195.137.215.204 as permitted sender) client-ip=195.137.215.204; envelope-from=bounce-TIDP20567X6231B9BB9D96477595042132A014E7C3YI3@mailing2.ternair.com; helo=mailsend.mm1.nl;
X-SPF-Result: s01.spamexperts.axc.nl: domain of mailing2.ternair.com designates 195.137.215.204 as permitted sender

Received-SPF: pass (s01.spamexperts.axc.nl: domain of itmobile.nl designates 79.99.129.220 as permitted sender) client-ip=79.99.129.220; envelope-from=xxxxxx@itmobile.nl; helo=postfix.itmobile.nl;
X-SPF-Result: s01.spamexperts.axc.nl: domain of itmobile.nl designates 79.99.129.220 as permitted sender

Received-SPF: pass (s02.spamexperts.axc.nl: domain of e.linkedin.com designates 199.7.202.92 as permitted sender) client-ip=199.7.202.92; envelope-from=xxxxx@e.linkedin.com; helo=omp.e.linkedin.com;
X-SPF-Result: s02.spamexperts.axc.nl: domain of e.linkedin.com designates 199.7.202.92 as permitted sender

Received-SPF: pass (s02.spamexperts.axc.nl: domain of j-dehaan.de designates 198.20.115.157 as permitted sender) client-ip=198.20.115.157; envelope-from=xxxxx@j-dehaan.de; helo=mailout4.config-net.de;
X-SPF-Result: s02.spamexperts.axc.nl: domain of j-dehaan.de designates 198.20.115.157 as permitted sender

Received-SPF: Pass (protection.outlook.com: domain of dsgdiensten.nl
designates 193.173.54.210 as permitted sender)
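
Added example (not part of the thread, and not eFa, SpamAssassin or SpamExperts code): a rule that rescores on an upstream verdict such as X-SPF-Result rewards any message carrying that text, including one delivered straight to the server with the header already in it, so this Python check accepts the verdict only when the topmost Received line shows the filter as the delivering host and exactly one X-SPF-Result names that same host. The trusted host list, the placeholder mx.efa.example, the Postfix-style Received layout and the names upstream_spf and unfold are assumptions, as is the premise that only a "designates ... as permitted sender" line counts as a pass.

```python
import re
from email import message_from_string

# Assumption: the only relays allowed to hand mail to this server.
TRUSTED_FILTERS = {"s01.spamexperts.axc.nl", "s02.spamexperts.axc.nl"}
# Postfix-style hop: "from <helo> (<resolved client name> [<ip>])"
RECEIVED_FROM = re.compile(r"^from\s+\S+\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")
SPF_PASS = re.compile(
    r"^(\S+): domain of (\S+) designates (\S+) as permitted sender$")

def unfold(value):
    """Collapse header folding into single spaces."""
    return " ".join(value.split())

def upstream_spf(raw_message):
    """Return (domain, client_ip) for an attributable upstream SPF pass, else None."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # The topmost Received header is the one our own MTA wrote.
    hop = RECEIVED_FROM.match(unfold(received[0]))
    if not hop or hop.group(1).lower() not in TRUSTED_FILTERS:
        return None  # arrived directly, so any verdict header is unvouched
    verdicts = msg.get_all("X-SPF-Result") or []
    if len(verdicts) != 1:
        return None  # absent, or a second copy was injected upstream
    m = SPF_PASS.match(unfold(verdicts[0]))
    if not m or m.group(1).lower() != hop.group(1).lower():
        return None  # not a pass, or written by a different host
    return m.group(2), m.group(3)

# Constructed sample, trimmed from the Groupon headers quoted in the thread
# (mx.efa.example is a placeholder for the receiving server).
VIA_FILTER = (
    "Received: from s02.spamexperts.axc.nl (s02.spamexperts.axc.nl [159.253.1.250])\n"
    "\tby mx.efa.example (Postfix) with ESMTPS id 37608100B35\n"
    "Received: from mta10d9.r.grouponmail.nl ([50.115.219.10])\n"
    "\tby s02.spamexperts.axc.nl with esmtps (Exim 4.86)\n"
    "From: Groupon Producten <noreply@r.grouponmail.nl>\n"
    "X-SPF-Result: s02.spamexperts.axc.nl: domain of bounce.r.grouponmail.nl"
    " designates 50.115.219.10 as permitted sender\n"
    "\nbody\n"
)
# Constructed: the same headers handed over by a host that is not the filter.
DIRECT = VIA_FILTER.replace(
    "(s02.spamexperts.axc.nl [159.253.1.250])", "(unknown [192.0.2.25])", 1)
```

The same two conditions can be expressed in SpamAssassin by combining the verdict rule with a check on the delivering relay, rather than scoring on the verdict header alone.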