indsupport
asked on
Postini #550 SPF forgery
I am suddenly recieving bounce back emails from my exchange 2007 server saying that there is a Postini #550 SPF forgery
Postini by Google is my spam filtering product which used outbounds7.postini.com as it's SMTP server.
We use smart hosts and never had this problem before, but its becoming more and more of an issue.
Delivery has failed to these recipients or distribution lists:
'docs@x.com'
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
The following organization rejected your message: Postini.
_____
Sent by Microsoft Exchange Server 2007
Diagnostic information for administrators:
Generating server: mail.x.tv
docs@x.com
Postini #550 SPF forgery: (Deleted for privacy)
Original message headers:
Received: from mail.x.tv ([192.168.22.13]) by mail.x.tv
([192.168.22.13]) with mapi; Fri, 11 Jun 2010 12:17:56 -0400
From: David x <david@x.tv>
To: "'docs@x.com'" <docs@x.com>
Importance: high
X-Priority: 1
Date: Fri, 11 Jun 2010 12:17:55 -0400
Subject: Order 9129406 - Documents
Thread-Topic: Order 9129406 - Documents
Thread-Index: AcsJgaZglxh/omjMRqOXiGskb4
Message-ID: <91FEC5A4A8289A4F8EA86A7D3
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
boundary="_004_91FEC5A4A82
MIME-Version: 1.0
That is the EMAIL that bounces back, now this is the link that is included
Why did SPF cause my mail to be rejected?
What is SPF?
SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider's setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.
Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient's mail server detected this and blocked the message.
mcmail4.mcr.colo.comodo.ne
mcmail4.mcr.colo.comodo.ne
However, the domain indelible.tv has declared using SPF that it does not send mail through exprod7og111.obsmtp.com (64.18.2.175). That is why the message was rejected.
If you are david@x.tv:
x
x.tv should have given you a way to send mail through an authorized server.
If you are using a mail program as opposed to web-mail, you may need to update the "SMTP server" configuration setting according to your ISP's instructions. You may also need to turn on authentication, and enter your username and password in your mail program's options. Please contact your ISP for assistance.
If you run your own MTA, you may have to set a "smarthost" or "relayhost". If you are mailing from outside your ISP's network, you may also have to make your MTA use authenticated SMTP. Ideally your server should listen on port 587 as well as port 25.
If your mail was correctly sent, but was rejected because it passed through a forwarding service, as an interim solution you can mail the final destination address directly (it should be shown in the bounce message). See the forwarding best practices (or refer the recipient there) for the discussion of a proper solution.
If you need further help, see our support section for free support and professional consulting services.
If you are confident that your message did go through an authorized server:
The administrator of the domain indelible.tv may have incorrectly configured its SPF record. This is a common cause of mistakes.
Here's what you can do: Contact the indelible.tv postmaster and tell them that they need to change indelible.tv's SPF record so that it authorizes exprod7og111.obsmtp.com. For example, they could change the record to something like
v=spf1 mx include:spf.mailengine1.co
If you refer your postmaster to this web page, they should be able to solve the problem.
If you did not send the message:
SPF successfully blocked a forgery attempt; someone tried to send mail pretending to be from david@x.tv, but the message was rejected before anybody saw it. This means SPF is working as designed.
How can I reference this web page for explaining SPF results?
This web page is a public service of the SPF project. SPF implementations can (and do) use it to help explain the results of SPF checks by presenting to users a parameterized link to this page. See the "Why?" page documentation for details on how this works.
Help would be MOST appreciated
Postini by Google is my spam filtering product which used outbounds7.postini.com as it's SMTP server.
We use smart hosts and never had this problem before, but its becoming more and more of an issue.
Delivery has failed to these recipients or distribution lists:
'docs@x.com'
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
The following organization rejected your message: Postini.
_____
Sent by Microsoft Exchange Server 2007
Diagnostic information for administrators:
Generating server: mail.x.tv
docs@x.com
Postini #550 SPF forgery: (Deleted for privacy)
Original message headers:
Received: from mail.x.tv ([192.168.22.13]) by mail.x.tv
([192.168.22.13]) with mapi; Fri, 11 Jun 2010 12:17:56 -0400
From: David x <david@x.tv>
To: "'docs@x.com'" <docs@x.com>
Importance: high
X-Priority: 1
Date: Fri, 11 Jun 2010 12:17:55 -0400
Subject: Order 9129406 - Documents
Thread-Topic: Order 9129406 - Documents
Thread-Index: AcsJgaZglxh/omjMRqOXiGskb4
Message-ID: <91FEC5A4A8289A4F8EA86A7D3
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
boundary="_004_91FEC5A4A82
MIME-Version: 1.0
That is the EMAIL that bounces back, now this is the link that is included
Why did SPF cause my mail to be rejected?
What is SPF?
SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider's setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.
Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient's mail server detected this and blocked the message.
mcmail4.mcr.colo.comodo.ne
mcmail4.mcr.colo.comodo.ne
However, the domain indelible.tv has declared using SPF that it does not send mail through exprod7og111.obsmtp.com (64.18.2.175). That is why the message was rejected.
If you are david@x.tv:
x
x.tv should have given you a way to send mail through an authorized server.
If you are using a mail program as opposed to web-mail, you may need to update the "SMTP server" configuration setting according to your ISP's instructions. You may also need to turn on authentication, and enter your username and password in your mail program's options. Please contact your ISP for assistance.
If you run your own MTA, you may have to set a "smarthost" or "relayhost". If you are mailing from outside your ISP's network, you may also have to make your MTA use authenticated SMTP. Ideally your server should listen on port 587 as well as port 25.
If your mail was correctly sent, but was rejected because it passed through a forwarding service, as an interim solution you can mail the final destination address directly (it should be shown in the bounce message). See the forwarding best practices (or refer the recipient there) for the discussion of a proper solution.
If you need further help, see our support section for free support and professional consulting services.
If you are confident that your message did go through an authorized server:
The administrator of the domain indelible.tv may have incorrectly configured its SPF record. This is a common cause of mistakes.
Here's what you can do: Contact the indelible.tv postmaster and tell them that they need to change indelible.tv's SPF record so that it authorizes exprod7og111.obsmtp.com. For example, they could change the record to something like
v=spf1 mx include:spf.mailengine1.co
If you refer your postmaster to this web page, they should be able to solve the problem.
If you did not send the message:
SPF successfully blocked a forgery attempt; someone tried to send mail pretending to be from david@x.tv, but the message was rejected before anybody saw it. This means SPF is working as designed.
How can I reference this web page for explaining SPF results?
This web page is a public service of the SPF project. SPF implementations can (and do) use it to help explain the results of SPF checks by presenting to users a parameterized link to this page. See the "Why?" page documentation for details on how this works.
Help would be MOST appreciated
Well what does the SPF record look like for you domain?
ASKER
Where can I find that out?
Open a cmd window and type "nslookup -type=txt yourdomainname.com
It's possible this is just due to a DNS lookup failure, but it can depend on how your SPF record is setup (uses IPs or names that require further dns lookups)
ASKER
@jar
x.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.x.tv include:spf.mailengine1.co
x.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.x.tv include:spf.mailengine1.co
See your record depends on the receiving server being able to resolve mail.x.tv and spf.mailengine1.com. If it was unable to do that your mail probably would've failed SPF checking. Do you have this problem every time or just sometimes, or just once?
Who runs the DNS for your domain name? Do you do this in house?
Who runs the DNS for your domain name? Do you do this in house?
ASKER
@jar
Sometimes
I haven't recieved these bouncebacks for the 2 years I've had this Exchange 07 server up, just started recently and only maybe 5 emails in total to different people.
LogicWorks runs my DNS for my Domain
I host the Exchange inhouse
Sometimes
I haven't recieved these bouncebacks for the 2 years I've had this Exchange 07 server up, just started recently and only maybe 5 emails in total to different people.
LogicWorks runs my DNS for my Domain
I host the Exchange inhouse
ASKER
Anything?
That infrequently I would chock it up dns resolution problems...not much you can do since you don't host yourself. You could remove the spf or alter it a little...
ASKER
I have an internal DNS server, but the DNS for my domain comes from logicworks (outside company)
Why can't I fix this?
Why can't I fix this?
ASKER
Anyone else able to add to this? I need to get this resolved...
Hello there,
Is the sender domain in this case indelible.tv?
If it is, the server referenced in the error message is not part of the SPF record, although you quote it as being in the SPF for x.tv. I guess those two are the same domain with differing levels of obfuscation?
Chris
Someone in your organization (david@x.tv) sent mail through mailserver other than your mail server.
Your SPF records says that any mail coming from x.tv email address needs to come from x.tv. This mail did not, so it was rejected.
If david@x.tv did not send the original email, then it was spam or malicious and should have been blocked.
If david@x.tv did send the email, you have a couple of choices:
1. Correct his mail client to only send mail through your server.
2. Add his outbound mail server (likley his home ISP) as a valid sender on your SPF record.
3. Get rid of your SPF records.
Your SPF records says that any mail coming from x.tv email address needs to come from x.tv. This mail did not, so it was rejected.
If david@x.tv did not send the original email, then it was spam or malicious and should have been blocked.
If david@x.tv did send the email, you have a couple of choices:
1. Correct his mail client to only send mail through your server.
2. Add his outbound mail server (likley his home ISP) as a valid sender on your SPF record.
3. Get rid of your SPF records.
The outbound mail server he used was exprod7og111.obsmtp.com
what is your SPF record?
to serve the user you have to use VPN or auth smtp
to serve the user you have to use VPN or auth smtp
ASKER
@Chris-Dent
The domain is indelible.tv
I was trying to cover that with x.tv, but i obviously failed
The domain is indelible.tv
I was trying to cover that with x.tv, but i obviously failed
If it's particularly sensitive it can be edited out again.
However, it does show that the server sending the mail is not present in the SPF record, that will need correcting.
Chris
ASKER
@steveoskh
David sent through the right mail server as his client only has the exchange account set up on it.
These emails were sent through a FEW people to a FEW different domains and all had the same issue. It's random and thats the problem.
if I get rid of my SPF record, how does that effect my office.
David sent through the right mail server as his client only has the exchange account set up on it.
These emails were sent through a FEW people to a FEW different domains and all had the same issue. It's random and thats the problem.
if I get rid of my SPF record, how does that effect my office.
His mail was sent through
exprod7og111.obsmtp.com (64.18.2.175).
If the mail was not sent by him, then the SPF record was doing what it should do by rejecting the mail.
If the mail was sent by him, then he is going around your system and setup because the mail DID NOT come from your mail server.
exprod7og111.obsmtp.com (64.18.2.175).
If the mail was not sent by him, then the SPF record was doing what it should do by rejecting the mail.
If the mail was sent by him, then he is going around your system and setup because the mail DID NOT come from your mail server.
ASKER
The SPF record is:
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
I replaced indelible with x throughout the whole post
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
I replaced indelible with x throughout the whole post
You'd missed this bit in the original:
> Here's what you can do: Contact the indelible.tv postmaster and tell them that they need to change
> indelible.tv's SPF record so that it authorizes exprod7og111.obsmtp.com. For example, they could
>change the record to something like
Which is where I got it from.
If the server name is accurate as well, then the SPF record does not include a reference. exprod7og111.obsmtp.com resolves to 64.18.2.175 and is not included in the SPF as it stands.
Chris
ASKER
@ Chris-Dent
How can I fix this? The mail server is mail.indelible.tv
The SPF record is:
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
How can I fix this? The mail server is mail.indelible.tv
The SPF record is:
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
If the mail server should be allowed to send, you simply need to add it to the SPF:
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
Chris
ASKER
@Chris-Dent
I went into my DNS server in the office and created a text record with:
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
Is that all I need to do?
I went into my DNS server in the office and created a text record with:
indelible.tv text = "\"v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
Is that all I need to do?
just stop using SPF if you are unhappy with how it works....
or enter your policy here:
http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go!
or enter your policy here:
http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go!
It depends. The record you need to modify is public, so it only works there if your DNS server is public. However, since I get a different answer for the handling mechanism (~all) I suspect it's simply not the right one.
My answers come from ns1 and ns2.logicworks.com, who are, presumably, your host?
Chris
ASKER
I had done what I mentioned and the emails are still bouncing back..
From: Microsoft Exchange <MicrosoftExchange329e71ec
Date: June 15, 2010 11:20:40 AM EDT
To: David x <x@indelible.tv>
Subject: Undeliverable: test
Delivery has failed to these recipients or distribution lists:
Nicholas x
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
The following organization rejected your message: Postini.
Sent by Microsoft Exchange Server 2007
Diagnostic information for administrators:
Generating server: mail.indelible.tv
nicholas@coblence.com
Postini #500 x@indelible.tv Address Error - on relay of: MAIL FROM:<x@indelible.tv> ##
Original message headers:
Received: from mail.indelible.tv ([192.168.22.13]) by mail.indelible.tv
([192.168.22.13]) with mapi; Tue, 15 Jun 2010 11:18:25 -0400
From: David x <x@indelible.tv>
To: Nicholas x <x@x.com>
Date: Tue, 15 Jun 2010 11:17:15 -0400
Subject: test
Thread-Topic: test
Thread-Index: AcsMnf9igj7NaPygQaezbbpe2m
Message-ID: <9B57D1AB-4B44-4D01-81E5-1
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding:
MIME-Version: 1.0
Reporting-MTA: dns; mail.indelible.tv
Final-recipient: RFC822; x@x.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; Postini
X-Supplementary-Info: <Postini #5.0.0 smtp;500 dbenattar@indelible.tv
Address Error - on relay of: MAIL FROM:<dbenattar@indelible.
X-Display-Name: Nicholas x
From: Microsoft Exchange <MicrosoftExchange329e71ec
Date: June 15, 2010 11:20:40 AM EDT
To: David x <x@indelible.tv>
Subject: Undeliverable: test
Delivery has failed to these recipients or distribution lists:
Nicholas x
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
The following organization rejected your message: Postini.
Sent by Microsoft Exchange Server 2007
Diagnostic information for administrators:
Generating server: mail.indelible.tv
nicholas@coblence.com
Postini #500 x@indelible.tv Address Error - on relay of: MAIL FROM:<x@indelible.tv> ##
Original message headers:
Received: from mail.indelible.tv ([192.168.22.13]) by mail.indelible.tv
([192.168.22.13]) with mapi; Tue, 15 Jun 2010 11:18:25 -0400
From: David x <x@indelible.tv>
To: Nicholas x <x@x.com>
Date: Tue, 15 Jun 2010 11:17:15 -0400
Subject: test
Thread-Topic: test
Thread-Index: AcsMnf9igj7NaPygQaezbbpe2m
Message-ID: <9B57D1AB-4B44-4D01-81E5-1
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding:
MIME-Version: 1.0
Reporting-MTA: dns; mail.indelible.tv
Final-recipient: RFC822; x@x.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; Postini
X-Supplementary-Info: <Postini #5.0.0 smtp;500 dbenattar@indelible.tv
Address Error - on relay of: MAIL FROM:<dbenattar@indelible.
X-Display-Name: Nicholas x
ASKER
@ghiest
If i stop using them, does it cause any issues with security
@Chris
Logicworks is my host for the domain
I have an internal DNS server, but the domain is hosted by logicworks. Do I need to create an SPF record with logicworks
If i stop using them, does it cause any issues with security
@Chris
Logicworks is my host for the domain
I have an internal DNS server, but the domain is hosted by logicworks. Do I need to create an SPF record with logicworks
You already have an SPF with LogicWorks, that's the only one people outside your network can see. You may as well delete the internal version, it's just complicating things.
It's that one we need to be changing, internal versions won't have any effect.
If we can get that one updated you'll be fine in about an hour and a half (TTL on the record is 70 minutes, that's how long it will take to propagate in almost all cases).
Chris
ASKER
Alright, I have made the changes.
I have google postini. Do I need to add that to the SPF record?
"v=spf1 include:spf.postini.com -all" was the original SPF record on Logicworks
Can you edit the line for me so I can have that included as well?
I have google postini. Do I need to add that to the SPF record?
"v=spf1 include:spf.postini.com -all" was the original SPF record on Logicworks
Can you edit the line for me so I can have that included as well?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Chris,
How about now? I created a request and now should be done. Wasn't done correctly the first time.
How about now? I created a request and now should be done. Wasn't done correctly the first time.
I get this now:
v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
So the little bit at the end has changed, but you're still missing exprod8og111. Can you pop up a screen shot of your settings there at all?
Chris
You shouldn't be getting rejections because your default action is ~all, this suggests that someone's SPF handling is broken rather than your record.
A common cause of SPF failures is if an intermediate server fails to implement SRS properly, which is unfortunately common at large email providers.
The second email you posted did not fail because of SPF; it looks more like an unknown user, though as usual the pathetic Exchange error reporting gives it a useless 5.0.0 response code. Are you sure that x@indelible.tv exists?
A common cause of SPF failures is if an intermediate server fails to implement SRS properly, which is unfortunately common at large email providers.
The second email you posted did not fail because of SPF; it looks more like an unknown user, though as usual the pathetic Exchange error reporting gives it a useless 5.0.0 response code. Are you sure that x@indelible.tv exists?
It has only just become ~all, it was -all prior to that, and while the bounce reported was thrown.
Chris
ASKER
So I had my co-workers try the email again and there was no bounce back this time.
Chris, can you check one more time to make sure it looks correct?
Here is a SS
Screen-shot-2010-06-17-at-9.56.5.png
Chris, can you check one more time to make sure it looks correct?
Here is a SS
Screen-shot-2010-06-17-at-9.56.5.png
Okay, now I'm with you.
Two problems:
1. It should be set on indelible.tv, not spf.indelible.tv. The spf.mailengine1.com bit you've included is only prefixed with SPF for convenience, it shouldn't be used as an example.
2. The domain name should not be included in the string
This is a mock-up of what I'd expect to see in the screen-shot:
indelible.tv (Text) v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
Your record seems to have a lot of line-breaks in it as well, those need to go. Not quite sure what went on there.
Chris
Two problems:
1. It should be set on indelible.tv, not spf.indelible.tv. The spf.mailengine1.com bit you've included is only prefixed with SPF for convenience, it shouldn't be used as an example.
2. The domain name should not be included in the string
This is a mock-up of what I'd expect to see in the screen-shot:
indelible.tv (Text) v=spf1 ip4:66.59.3.188 mx a:mail.indelible.tv include:spf.mailengine1.co
Your record seems to have a lot of line-breaks in it as well, those need to go. Not quite sure what went on there.
Chris
ASKER
Chris,
it seems to be working because those clients are receiving the emails
I only done the last change you suggested and it seemed to have worked
thank you very much
it seems to be working because those clients are receiving the emails
I only done the last change you suggested and it seemed to have worked
thank you very much
ASKER
The solution worked great and the clients were able to get the emails we were trying to send. I'll update this ticket if I have any problems additional
That's great news :) I'm glad it's working and hope it continues to :)
Chris