We help IT Professionals succeed at work.

Postini #550 SPF forgery

I am suddenly recieving bounce back emails from my exchange 2007 server saying that there is a Postini #550 SPF forgery

Postini by Google is my spam filtering product which used outbounds7.postini.com as it's SMTP server.

We use smart hosts and never had this problem before, but its becoming more and more of an issue.

Delivery has failed to these recipients or distribution lists:
 
'docs@x.com'
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
 
The following organization rejected your message: Postini.
 
  _____  
Sent by Microsoft Exchange Server 2007





 
Diagnostic information for administrators:
 
Generating server: mail.x.tv
 
docs@x.com
Postini #550 SPF forgery: (Deleted for privacy)
 
Original message headers:
 
Received: from mail.x.tv ([192.168.22.13]) by mail.x.tv
 ([192.168.22.13]) with mapi; Fri, 11 Jun 2010 12:17:56 -0400
From: David x <david@x.tv>
To: "'docs@x.com'" <docs@x.com>
Importance: high
X-Priority: 1
Date: Fri, 11 Jun 2010 12:17:55 -0400
Subject: Order 9129406 - Documents
Thread-Topic: Order 9129406 - Documents
Thread-Index: AcsJgaZglxh/omjMRqOXiGskb41weA==
Message-ID: <91FEC5A4A8289A4F8EA86A7D3D7E99DD0639DADAFD@mail.x.tv>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
        boundary="_004_91FEC5A4A8289A4F8EA86A7D3D7E99DD0639DADAFDmailindelible_"
MIME-Version: 1.0



That is the EMAIL that bounces back, now this is the link that is included







Why did SPF cause my mail to be rejected?
What is SPF?

SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider's setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.

Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient's mail server detected this and blocked the message.
mcmail4.mcr.colo.comodo.net rejected a message that claimed an envelope sender address of david@x.tv.

mcmail4.mcr.colo.comodo.net received a message from exprod7og111.obsmtp.com (64.18.2.175) that claimed an envelope sender address of david@x.tv.

However, the domain indelible.tv has declared using SPF that it does not send mail through exprod7og111.obsmtp.com (64.18.2.175). That is why the message was rejected.
If you are david@x.tv:
x
x.tv should have given you a way to send mail through an authorized server.

If you are using a mail program as opposed to web-mail, you may need to update the "SMTP server" configuration setting according to your ISP's instructions. You may also need to turn on authentication, and enter your username and password in your mail program's options. Please contact your ISP for assistance.

If you run your own MTA, you may have to set a "smarthost" or "relayhost". If you are mailing from outside your ISP's network, you may also have to make your MTA use authenticated SMTP. Ideally your server should listen on port 587 as well as port 25.

If your mail was correctly sent, but was rejected because it passed through a forwarding service, as an interim solution you can mail the final destination address directly (it should be shown in the bounce message). See the forwarding best practices (or refer the recipient there) for the discussion of a proper solution.

If you need further help, see our support section for free support and professional consulting services.
If you are confident that your message did go through an authorized server:

The administrator of the domain indelible.tv may have incorrectly configured its SPF record. This is a common cause of mistakes.

Here's what you can do: Contact the indelible.tv postmaster and tell them that they need to change indelible.tv's SPF record so that it authorizes exprod7og111.obsmtp.com. For example, they could change the record to something like

    v=spf1 mx include:spf.mailengine1.com ip4:66.59.3.188 a:exprod7og111.obsmtp.com -all

If you refer your postmaster to this web page, they should be able to solve the problem.
If you did not send the message:

SPF successfully blocked a forgery attempt; someone tried to send mail pretending to be from david@x.tv, but the message was rejected before anybody saw it. This means SPF is working as designed.
How can I reference this web page for explaining SPF results?

This web page is a public service of the SPF project. SPF implementations can (and do) use it to help explain the results of SPF checks by presenting to users a parameterized link to this page. See the "Why?" page documentation for details on how this works.


Help would be MOST appreciated
Comment
Watch Question

Commented:
Well what does the SPF record look like for you domain?

Author

Commented:
Where can I find that out?

Commented:
Open a cmd window and type "nslookup -type=txt yourdomainname.com

Commented:
It's possible this is just due to a DNS lookup failure, but it can depend on how your SPF record is setup (uses IPs or names that require further dns lookups)

Author

Commented:
@jar

x.tv      text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.x.tv include:spf.mailengine1.com ~all\""

Commented:
See your record depends on the receiving server being able to resolve mail.x.tv and spf.mailengine1.com. If it was unable to do that your mail probably would've failed SPF checking. Do you have this problem every time or just sometimes, or just once?

Who runs the DNS for your domain name? Do you do this in house?

Author

Commented:
@jar

Sometimes

I haven't recieved these bouncebacks for the 2 years I've had this Exchange 07 server up, just started recently and only maybe 5 emails in total to different people.

LogicWorks runs my DNS for my Domain

I host the Exchange inhouse

Author

Commented:
Anything?

Commented:
That infrequently I would chock it up dns resolution problems...not much you can do since you don't host yourself. You could remove the spf or alter it a little...

Author

Commented:
I have an internal DNS server, but the DNS for my domain comes from logicworks (outside company)
Why can't I fix this?

Author

Commented:
Anyone else able to add to this? I need to get this resolved...
Chris DentPowerShell Developer
Top Expert 2010

Commented:

Hello there,

Is the sender domain in this case indelible.tv?

If it is, the server referenced in the error message is not part of the SPF record, although you quote it as being in the SPF for x.tv. I guess those two are the same domain with differing levels of obfuscation?

Chris
Someone in your organization (david@x.tv) sent mail through mailserver other than your mail server.
Your SPF records says that any mail coming from x.tv email address needs to come from x.tv.  This mail did not, so it was rejected.

If david@x.tv did not send the original email, then it was spam or malicious and should have been blocked.
If david@x.tv did send the email, you have a couple of choices:
1.  Correct his mail client to only send mail through your server.
2.  Add his outbound mail server (likley his home ISP) as a valid sender on your SPF record.
3.  Get rid of your SPF records.

The outbound mail server he used was exprod7og111.obsmtp.com
Top Expert 2015

Commented:
what is your SPF record?
to serve the user you have to use VPN or auth smtp

Author

Commented:
@Chris-Dent

The domain is indelible.tv

I was trying to cover that with x.tv, but i obviously failed
Chris DentPowerShell Developer
Top Expert 2010

Commented:

If it's particularly sensitive it can be edited out again.

However, it does show that the server sending the mail is not present in the SPF record, that will need correcting.

Chris

Author

Commented:
@steveoskh

David sent through the right mail server as his client only has the exchange account set up on it.
These emails were sent through a FEW people to a FEW different domains and all had the same issue. It's random and thats the problem.

if I get rid of my SPF record, how does that effect my office.

His mail was sent through
exprod7og111.obsmtp.com (64.18.2.175).
If the mail was not sent by him, then the SPF record was doing what it should do by rejecting the mail.
If the mail was sent by him, then he is going around your system and setup because the mail DID NOT come from your mail server.

Author

Commented:
The SPF record is:


indelible.tv      text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com ~all\""



I replaced indelible with x throughout the whole post
Chris DentPowerShell Developer
Top Expert 2010

Commented:

You'd missed this bit in the original:

> Here's what you can do: Contact the indelible.tv postmaster and tell them that they need to change
> indelible.tv's SPF record so that it authorizes exprod7og111.obsmtp.com. For example, they could
 >change the record to something like

Which is where I got it from.

If the server name is accurate as well, then the SPF record does not include a reference. exprod7og111.obsmtp.com resolves to 64.18.2.175 and is not included in the SPF as it stands.

Chris

Author

Commented:
@ Chris-Dent


How can I fix this? The mail server is mail.indelible.tv

The SPF record is:

indelible.tv      text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com ~all\""
Chris DentPowerShell Developer
Top Expert 2010

Commented:

If the mail server should be allowed to send, you simply need to add it to the SPF:


indelible.tv      text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com a:exprod7og111.obsmtp.com ~all\""


Chris

Author

Commented:
@Chris-Dent

I went into my DNS server in the office and created a text record with:

indelible.tv      text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com a:exprod7og111.obsmtp.com ~all\""

Is that all I need to do?
Top Expert 2015

Commented:
just stop using SPF if you are unhappy with how it works....

or enter your policy here:
http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go!

Chris DentPowerShell Developer
Top Expert 2010

Commented:

It depends. The record you need to modify is public, so it only works there if your DNS server is public. However, since I get a different answer for the handling mechanism (~all) I suspect it's simply not the right one.

My answers come from ns1 and ns2.logicworks.com, who are, presumably, your host?

Chris

Author

Commented:
I had done what I mentioned and the emails are still bouncing back..



From: Microsoft Exchange <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@indelible.tv>
Date: June 15, 2010 11:20:40 AM EDT
To: David x <x@indelible.tv>
Subject: Undeliverable: test

Delivery has failed to these recipients or distribution lists:

Nicholas x
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: Postini.

Sent by Microsoft Exchange Server 2007





Diagnostic information for administrators:

Generating server: mail.indelible.tv

nicholas@coblence.com
Postini #500 x@indelible.tv Address Error - on relay of: MAIL FROM:<x@indelible.tv> ##

Original message headers:

Received: from mail.indelible.tv ([192.168.22.13]) by mail.indelible.tv
 ([192.168.22.13]) with mapi; Tue, 15 Jun 2010 11:18:25 -0400
From: David x <x@indelible.tv>
To: Nicholas x <x@x.com>
Date: Tue, 15 Jun 2010 11:17:15 -0400
Subject: test
Thread-Topic: test
Thread-Index: AcsMnf9igj7NaPygQaezbbpe2mg+MA==
Message-ID: <9B57D1AB-4B44-4D01-81E5-129043C3CC3A@indelible.tv>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Reporting-MTA: dns; mail.indelible.tv

Final-recipient: RFC822; x@x.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; Postini
X-Supplementary-Info: <Postini #5.0.0 smtp;500 dbenattar@indelible.tv
Address Error - on relay of: MAIL FROM:<dbenattar@indelible.tv>>
X-Display-Name: Nicholas x

Author

Commented:
@ghiest

If i stop using them, does it cause any issues with security

@Chris

Logicworks is my host for the domain

I have an internal DNS server, but the domain is hosted by logicworks. Do I need to create an SPF record with logicworks
Chris DentPowerShell Developer
Top Expert 2010

Commented:

You already have an SPF with LogicWorks, that's the only one people outside your network can see. You may as well delete the internal version, it's just complicating things.

It's that one we need to be changing, internal versions won't have any effect.

If we can get that one updated you'll be fine in about an hour and a half (TTL on the record is 70 minutes, that's how long it will take to propagate in almost all cases).

Chris

Author

Commented:
Alright, I have made the changes.

I have google postini. Do I need to add that to the SPF record?

"v=spf1 include:spf.postini.com -all" was the original SPF record on Logicworks

Can you edit the line for me so I can have that included as well?
PowerShell Developer
Top Expert 2010
Commented:

Sure, it goes like this:

v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com a:exprod7og111.obsmtp.com include:spf.postini.com -all

But to confirm, exactly where do you see that? Because it's not the SPF record I get back when I lookup yours, I get this:

v=spf1 mx include:spf.mailengine1.com ip4:66.59.3.188 -all

Chris

Author

Commented:
Chris,

How about now? I created a request and now should be done. Wasn't done correctly the first time.
Chris DentPowerShell Developer
Top Expert 2010

Commented:

I get this now:

 v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com ~all

So the little bit at the end has changed, but you're still missing exprod8og111. Can you pop up a screen shot of your settings there at all?

Chris
You shouldn't be getting rejections because your default action is ~all, this suggests that someone's SPF handling is broken rather than your record.
A common cause of SPF failures is if an intermediate server fails to implement SRS properly, which is unfortunately common at large email providers.
The second email you posted did not fail because of SPF; it looks more like an unknown user, though as usual the pathetic Exchange error reporting gives it a useless 5.0.0 response code. Are you sure that x@indelible.tv exists?
Chris DentPowerShell Developer
Top Expert 2010

Commented:

It has only just become ~all, it was -all prior to that, and while the bounce reported was thrown.

Chris

Author

Commented:
So I had my co-workers try the email again and there was no bounce back this time.

Chris, can you check one more time to make sure it looks correct?

Here is a SS
Screen-shot-2010-06-17-at-9.56.5.png
Chris DentPowerShell Developer
Top Expert 2010

Commented:
Okay, now I'm with you.

Two problems:

1. It should be set on indelible.tv, not spf.indelible.tv. The spf.mailengine1.com bit you've included is only prefixed with SPF for convenience, it shouldn't be used as an example.
2. The domain name should not be included in the string

This is a mock-up of what I'd expect to see in the screen-shot:

indelible.tv (Text)      v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.com a:exprod7og111.obsmtp.com ~all

Your record seems to have a lot of line-breaks in it as well, those need to go. Not quite sure what went on there.

Chris

Author

Commented:
Chris,

it seems to be working because those clients are receiving the emails

I only done the last change you suggested and it seemed to have worked

thank you very much

Author

Commented:
The solution worked great and the clients were able to get the emails we were trying to send. I'll update this ticket if I have any problems additional
Chris DentPowerShell Developer
Top Expert 2010

Commented:

That's great news :) I'm glad it's working and hope it continues to :)

Chris