Ticket #490 (new defect)

Opened 8 years ago

Last modified 8 years ago

receiving bounced spam emails that seem to come from voxforge.org

Reported by: kmaclean Owned by: kmaclean
Priority: major Milestone:
Component: Web Site Version: 0.1-alpha
Keywords: Cc:

Description


Change History

comment:1 Changed 8 years ago by kmaclean

need to create an spf record:

Sender Policy Framework (SPF) Records are used for email validation to mitigate spam. SPF records allow domain administrators to define all hosts allowed to send mail for a domain by creating a specific TXT record that is then used by mail exchangers to validate a senders identity. The data of an SPF record must be enclosed in quotations.

The original specifications for SPF required storage of SPF information for domains within TXT type records. Later specifications created the SPF type record. Currently, there are no SPF implementation that will not use TXT type records if they are present, so SPF type records are not required. There are, however, many SPF implementations that will not use SPF type records, so TXT records remain required. It is a good idea to have identical SPF information within a domain under both a TXT type record and an SPF type record.

comment:2 Changed 8 years ago by kmaclean

comment:3 Changed 8 years ago by kmaclean

from wikipedia page

Thus, the key issue in SPF is the specification for the new DNS information that domains set and receivers use. The records laid out below are in typical DNS syntax. Note that RFC 4408 recommended that both SPF and TXT records be used (during the transitional period), although either by itself was acceptable:

example.com. IN TXT "v=spf1 a mx -all" example.com. IN SPF "v=spf1 a mx -all"

"v=" defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected. Mechanisms

Eight mechanisms are defined:

ALL 	Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
A 	If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match.
IP4 	If the sender is in a given IPv4 address range, match.
IP6 	If the sender is in a given IPv6 address range, match.
MX 	If the domain name has an MX record resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's incoming mail servers).
PTR 	If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match.
EXISTS 	If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.
INCLUDE 	If the included (a misnomer) policy passes the test this mechanism matches. This is typically used to include policies of more than one ISP.
Qualifiers

Each mechanism can be combined with one of four qualifiers:

    + for a PASS result. This can be omitted; e.g., +mx is the same as mx.
    ? for a NEUTRAL result interpreted like NONE (no policy).
    ~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.
    - (minus) for FAIL, the mail should be rejected (see below).

Modifiers

The modifiers allow for future extensions to the framework. To date only the two modifiers defined in the RFC 4408 have been widely deployed:

    exp=some.example.com gives the name of a domain with a DNS TXT record (interpreted using SPF's macro language) to get an explanation for FAIL results—typically a URL which is added to the SMTP error code. This feature is rarely used.
    redirect=some.example.com can be used instead of the ALL-mechanism to link to the policy record of another domain. This modifier is easier to understand than the somewhat similar INCLUDE-mechanism.

comment:4 Changed 8 years ago by kmaclean

added :"v=spf1 a mx -all" to spf record

comment:5 Changed 8 years ago by kmaclean

need to wait for propagation of spf record to test change

spf record from a test email shows:

Received-SPF: neutral (google.com: 209.85.223.175 is neither permitted nor denied by best guess record for domain of contact@…)

                                                                                                                                                                                                                                                               
Delivered-To: kmaclean@voxforge.org
Received: by 10.217.42.134 with SMTP id u6csp79632wev;
        Mon, 10 Dec 2012 08:03:30 -0800 (PST)
Received: by 10.42.177.67 with SMTP id bh3mr11348099icb.51.1355155409094;
        Mon, 10 Dec 2012 08:03:29 -0800 (PST)
Return-Path: <contact@voxforge.org>
Received: from mail-ie0-f175.google.com (mail-ie0-f175.google.com [209.85.223.175])
        by mx.google.com with ESMTPS id z7si7735215igj.65.2012.12.10.08.03.28
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 10 Dec 2012 08:03:29 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.223.175 is neither permitted nor denied by best guess record for domain of contact@voxforge.org) client-ip=209.85.223.175;
Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.223.175 is neither permitted nor denied by best guess record for domain of contact@voxforge.org) smtp.mail=contact@voxforge.org
Received: by mail-ie0-f175.google.com with SMTP id qd14so8403217ieb.20
        for <kmaclean@voxforge.org>; Mon, 10 Dec 2012 08:03:28 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=content-type:content-transfer-encoding:mime-version:from:reply-to
         :subject:message-id:date:x-mailer:x-return-path:list-id:list-help
         :list-unsubscribe:list-subscribe:list-owner:list-post:list-archive
         :x-unsubscribe-web:x-subscribe-web:x-archives:cc:to
         :x-gm-message-state;
        bh=/S/D5kvGiGvDG/TvhggZcZGEPnD9AcGSVFFPZEnGNwI=;
        b=NfUhDiFRgChGStM7dXsFo/pNGU5N9d0POiDV3dhdlbh+3L05xYzXXHMMQsrgKvNR6B
         4gnXBxIrX7AXYldJIFtcmJjzLlWzevIJGKMGmF01uFFqrMtDs0Q4Qay4MPoinaXgpFdu
         UIe8xnoUOCnObmNGHHLSR4t0pDCgtqRZK263OSnK68Qi37Orgtab8WIF64sdmudHEHs/
         /9njThKAJHlRCsGsaOZvsHGF8U4PlDg19iK13hGjKCcEIc/g217NoU37jU8aN/9Qi5uG
         GNi08C9ANBFt6dgMyHNAjVL1Qd6Of8gp/0eZ1ENjtsBKkpPKmwkAxtDfAiiqBL42c/4P
         aTlQ==
Received: by 10.50.182.163 with SMTP id ef3mr7009004igc.32.1355155407939;
        Mon, 10 Dec 2012 08:03:27 -0800 (PST)
Return-Path: <contact@voxforge.org>
Received: from ruby.localdomain (CPE0080c813a40b-CM18593347de8f.cpe.net.cable.rogers.com. [99.255.66.222])
        by mx.google.com with ESMTPS id l8sm6803276igo.13.2012.12.10.08.03.17
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 10 Dec 2012 08:03:26 -0800 (PST)
Received: from localhost.localdomain (ruby.localdomain [127.0.0.1])
	by ruby.localdomain (8.14.4/8.14.4) with ESMTP id qBAGekAj007852
	for <kmaclean@voxforge.org>; Mon, 10 Dec 2012 11:40:46 -0500
Content-Type: multipart/mixed; boundary="----------=_1355157562-7631-0"
Content-Transfer-Encoding: binary

comment:6 Changed 8 years ago by kmaclean

spftools

E-mail based record testers

We provide an e-mail based record tester. Send an e-mail to spf-test@…. Your message will be rejected (this is by design) and you will get the SPF result either in your MTA mail logs or via however your MTA reports errors to message senders (e.g. a bounce message). This is done to avoid the risk of backscatter from the tester. This test tests both MAIL FROM and HELO and provides results for both.

comment:7 Changed 8 years ago by kmaclean

test email sent to spf-test@… from voxforge.org on gmail

Received-SPF: pass (google.com: best guess record for domain of mail-fa0-f71.google.com designates 209.85.161.71 as permitted sender) client-ip=209.85.161.71;

Delivered-To: kmaclean@voxforge.org
Received: by 10.216.95.137 with SMTP id p9csp103918wef;
        Mon, 17 Dec 2012 10:05:57 -0800 (PST)
Received: by 10.14.0.3 with SMTP id 3mr42859311eea.16.1355767556976;
        Mon, 17 Dec 2012 10:05:56 -0800 (PST)
Return-Path: <>
Received: from mail-fa0-f71.google.com (mail-fa0-f71.google.com [209.85.161.71])
        by mx.google.com with ESMTPS id k48si36945303een.134.2012.12.17.10.05.56
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 17 Dec 2012 10:05:56 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of mail-fa0-f71.google.com designates 209.85.161.71 as permitted sender) client-ip=209.85.161.71;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of mail-fa0-f71.google.com designates 209.85.161.71 as permitted sender) smtp.mail=; dkim=pass header.i=@gmail.com
Received: by mail-fa0-f71.google.com with SMTP id m1so4957864fam.10
        for <kmaclean@voxforge.org>; Mon, 17 Dec 2012 10:05:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:from:to:x-failed-recipients:subject
         :message-id:date:content-type:content-transfer-encoding;
        bh=Lf2j6WEaD4Ia30wAbIA3cfCMuohDTMb3qINyemCzN+g=;
        b=BOL2dzA680WXeiGKpkWmTmdnRRlIm4zU6nYszsbHW23sHuRzCFi7yjXrpRSLQ/LghC
         f96SJlORIGxwCjY4iZP2Yc8Ec/BOaQP44H9f7Qn4DlwqDaw7tdtJqnHMKgD6SgM4crNi
         0p3iEOUEEgPLIEEskTiJ49P69Zx5gp2j8C+JWKz9tASddECK6AG7Nq5k63pLQPU49JU/
         Qy9FvO8oNeD9niAKuobkn7bBOd28y58j9IyLOyKZrvSinYQNWo8ai8G28vqUem3MDn7w
         U82smD3n0jJNEp5iSA2wBH8IogMcvVaVcjxkM6BtHnBVhAkD+TStwFS6IT8D7MGm+AwT
         weKQ==
X-Received: by 10.180.20.109 with SMTP id m13mr17319858wie.16.1355767556685;
        Mon, 17 Dec 2012 10:05:56 -0800 (PST)
MIME-Version: 1.0
Return-Path: <>
Received: by 10.180.20.109 with SMTP id m13mr21693024wie.16; Mon, 17 Dec 2012
 10:05:56 -0800 (PST)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: kmaclean@voxforge.org
X-Failed-Recipients: spf-test@openspf.net
Subject: Delivery Status Notification (Failure)
Message-ID: <bcaec53f343b9d3ec104d1103bc2@google.com>
Date: Mon, 17 Dec 2012 18:05:56 +0000
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

comment:8 Changed 8 years ago by kmaclean

  • Component changed from Acoustic Model to Web Site

comment:9 Changed 8 years ago by kmaclean

still need to test with email generated from voxforge.org instance of webgui cms

Note: See TracTickets for help on using tickets.