• Status: Solved
  • Priority: Medium

ASSP antiSpam and SPF

Could you tell me how I could block emails sent through Gmail using the ASSP antispam?

Is there some setting where I can specify that, if SPF does not pass for certain domains, the e-mail is blocked?

Oct-03-11 15:48:25 m-31766-00067 <clara.beth.cosme@gmail.com> to: marketing@aiec.br [scoring] spf_result:neutral;
Oct-03-11 15:48:25 m-31766-00067 <clara.beth.cosme@gmail.com> to: marketing@aiec.br identity:clara.beth.cosme@gmail.com;
Oct-03-11 15:48:25 m-31766-00067 <clara.beth.cosme@gmail.com> to: marketing@aiec.br scope:mfrom;
Oct-03-11 15:48:25 m-31766-00067 <clara.beth.cosme@gmail.com> to: marketing@aiec.br spf_record:v=spf1 redirect=_spf.google.com;
Oct-03-11 15:48:25 m-31766-00067 <clara.beth.cosme@gmail.com> to: marketing@domain.com local_exp:gmail.com ... _spf.google.com: Domain does not state whether sender is authorized to use 'clara.beth.cosme@gmail.com' in 'mfrom' identity (mechanism '?all' matched);
1 Solution
The problem there is that Google is using the ? mechanism, which gives a Neutral result to SPF checks.  If you are verifying DKIM as well, then that will suffice for keeping out spoofed @gmail.com mails.
eduardort (Author) commented:
Hmm, good ...

DKIM is really cool. The problem is that version 1.9 of ASSP does not support DKIM. Would I be able to block it with SPF itself?
You might be able to code some plugin script for ASSP (if they even allow it) to do what you want, but you should NOT do that as you would not be honoring the SPF record as it is published.  Don't do it!!!

On the ASSP page at sourceforge it says it does DKIM, maybe it's just available in 2.x:
Community based grey IP list, Senderbase, SPF, DKIM support even if your MTA does not support it.

An anti-spam solution that doesn't verify DKIM is not worth using, period.

Sudeep Sharma (Technical Designer) commented:

You would need to modify the ASSP configuration and add the domain to "strictSPFRe" section.

As per the configuration file:

"['strictSPFRe','Strict SPF Processing Regex*',80,\&textinput,'@aol.com|@gmail.com|@msn.com|@live.com|@ebay.com|@ebay.nl|@bbt.com|@paypal.com|@einsundeins.de|@microsoft.com','(.*)','ConfigCompileRe',
 'Softfail/Neutral/None will be failed for these sending addresses. Put anything here to identify the addresses. For example: \'@aol.com|@gmail.com|@msn.com|@live.com|@ebay.com|@ebay.nl|@bbt.com|@paypal.com|@einsundeins.de|@microsoft.com\''],'

Your configuration may differ from what is posted above. Just make sure to take a backup before you modify anything.
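
What the strictSPFRe description quoted above amounts to, as an added example that is not ASSP's own code and not part of the original answer: it models the documented behaviour (Softfail/Neutral/None become a failure for matching senders) over constructed log lines in the format from the question. The function names, the sample addresses and the case-insensitive, unanchored regex search are assumptions.

```python
import re

# Default value of strictSPFRe as quoted in the answer above.
STRICT_SPF_RE = ("@aol.com|@gmail.com|@msn.com|@live.com|@ebay.com|@ebay.nl|"
                 "@bbt.com|@paypal.com|@einsundeins.de|@microsoft.com")

# Results the option's help text says are turned into a failure.
UPGRADED = {"softfail", "neutral", "none"}

# Matches "[scoring] spf_result:" lines in the format shown in the question.
LOG_RE = re.compile(
    r"<(?P<sender>[^>]+)> to: \S+ \[scoring\] spf_result:(?P<result>\w+);")


def effective_result(sender, spf_result, strict_re=STRICT_SPF_RE):
    """Return the SPF result after applying the strict-processing regex.

    Assumption: the pattern is searched case-insensitively anywhere in the
    envelope sender, as a plain (unanchored) regular expression.
    """
    result = spf_result.lower()
    if result in UPGRADED and re.search(strict_re, sender, re.IGNORECASE):
        return "fail"
    return result  # pass/fail and non-matching senders are left untouched


def evaluate_log(lines, strict_re=STRICT_SPF_RE):
    """Return (sender, published result, effective result) per scoring line."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            sender, result = m.group("sender"), m.group("result")
            out.append((sender, result,
                        effective_result(sender, result, strict_re)))
    return out


# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    "Oct-03-11 15:48:25 m-1-00001 <alice@gmail.com> to: info@example.org [scoring] spf_result:neutral;",
    "Oct-03-11 15:49:02 m-1-00002 <bob@example.net> to: info@example.org [scoring] spf_result:neutral;",
    "Oct-03-11 15:50:11 m-1-00003 <carol@gmail.com> to: info@example.org [scoring] spf_result:pass;",
    # Under the unanchored-search assumption this sender also matches.
    "Oct-03-11 15:51:40 m-1-00004 <dave@gmail.com.example> to: info@example.org [scoring] spf_result:softfail;",
]

if __name__ == "__main__":
    for sender, published, effective in evaluate_log(SAMPLE_LOG):
        print(f"{sender:26} {published:9} -> {effective}")
```
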

Sections 2.5.1, 2.5.2, and 2.5.5 of http://www.ietf.org/rfc/rfc4408.txt

2.5.1.  None

   A result of "None" means that no records were published by the domain
   or that no checkable sender domain could be determined from the given
   identity.  The checking software cannot ascertain whether or not the
   client host is authorized.

2.5.2.  Neutral

   The domain owner has explicitly stated that he cannot or does not
   want to assert whether or not the IP address is authorized.  A
   "Neutral" result MUST be treated exactly like the "None" result; the
   distinction exists only for informational purposes.  Treating
   "Neutral" more harshly than "None" would discourage domain owners
   from testing the use of SPF records (see Section 9.1).

2.5.5.  SoftFail

   A "SoftFail" result should be treated as somewhere between a "Fail"
   and a "Neutral".  The domain believes the host is not authorized but
   is not willing to make that strong of a statement.  Receiving
   software SHOULD NOT reject the message based solely on this result,
   but MAY subject the message to closer scrutiny than normal.

As I said it might be possible to do, and SSharma explains how, but you will not be RFC compliant if you do.  The correct approach to resolving this is to leave the SPF checks as they are and implement DKIM verification.
eduardort (Author) commented:
Thx Papertrip, good words :)

And SSharma, I saw this configuration on ASSP, however I could not understand exactly what it does. Could you help me understand?
