Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - SPF and subdomains
  FAQ FAQ  Forum Search   Register Register  Login Login

SPF and subdomains
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
nippe View Drop Down
Newbie
Newbie


Joined: 03 February 2005
Status: Offline
Points: 12 		Post Options Post Options   Thanks (0) Thanks(0)   Quote nippe Quote  Post ReplyReply Direct Link To This Post Topic: SPF and subdomains
    Posted: 21 October 2004 at 3:33pm

Looks like SPF-filter is not looking at subdomain. When sender is burkskinka@skutan.smf.se i want to check spf-record for skutan.smf.se NOT smf.se. I want to have a "harder" spf-setting for smf.se and a softer for most of my subdomains - at least in the begining.

SPF-setting for smf.se is:   v=spf1 ip4:193.15.18.0/24 -all
SPF-setting for skutan.smf.se is:   v=spf1 ip4:193.15.18.0/24 ~all

Program bug? ... or my missunderstanding?

I have chage the adress in the log to burkskinka@skutan.smf.se. It is one of my spamtraps - do not use it.   :)

10-21-04 13:57:57:616 -- (1380) Connection from: 212.247.198.186  -  Originating country : Sweden
10-21-04 13:57:58:076 -- (1380) Resolving 212.247.198.186 - s24.loopia.se
10-21-04 13:57:58:086 -- smf.se is a domain, searching for SPF record
10-21-04 13:57:58:086 -- (1380) - SPF record for smf.se found. analyzing: - v=spf1 ip4:193.15.18.0/24 -all
10-21-04 13:57:58:086 -- (1380) - SPF analysis for smf.se done: - fail
10-21-04 13:57:58:086 -- (1380) failed SPF test (fail) - Disconnecting 212.247.198.186
10-21-04 13:57:58:086 -- (1380) 212.247.198.186 - Mail from: burkskinka@skutan.smf.se To: burkskinka@skutan.smf.se will be rejected
10-21-04 13:57:59:058 -- (1380) EMail from burkskinka@skutan.smf.se to burkskinka@skutan.smf.se was received and quarantined. Size: 1 KB, 1024 bytes
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 21 October 2004 at 11:19pm
Nippe,

SPF records are created for domains (and sub-domains). Unless I'm mistaken and I'm reading your DNS wrong, skutan.smf.se is not a "subdomain" or a zone, but it looks like a simple A record in the smf.se domain. As such, the SPF query is performed on the domain to which it belongs, which is smf.se.

SpamFilter will perform SPF queries for subdomains, but they need to be actual domains, not A or CNAME records.

Roberto F. LogSat Software
Back to Top
nippe View Drop Down
Newbie
Newbie


Joined: 03 February 2005
Status: Offline
Points: 12 		Post Options Post Options   Thanks (0) Thanks(0)   Quote nippe Quote  Post ReplyReply Direct Link To This Post Posted: 22 October 2004 at 2:17am

It is a subdomain AND has an A-record. Is that not ok in DNS?

I think you have done the same with logsat.com and test.logsat.com. A-record and TXT=v=spf1....

Header:
   ID=40433, QR=Response, Opcode=QUERY, RCODE=NO ERROR
   Authoritative Answer=Yes, Truncation=No
   Recursion Desired=Yes, Recursion Available=Yes
   QDCOUNT=1, ANCOUNT=3, NSCOUNT=0, ARCOUNT=3
Question:
   Name=skutan.smf.se, QTYPE=ALL, QCLASS=1
Answer Section:
   Name=skutan.smf.se
   Type=A, Class=1, TTL=86400, RDLENGTH=4
   IP Address=193.15.18.1
   Name=skutan.smf.se
   Type=MX, Class=1, TTL=60, RDLENGTH=9
    Preference=10, Mail Exchange=mail.smf.se
   Name=skutan.smf.se
   Type=TXT, Class=1, TTL=3600, RDLENGTH=31
   TXT=v=spf1 ip4:193.15.18.0/24 ~all
---
End of output
Back to Top
nippe View Drop Down
Newbie
Newbie


Joined: 03 February 2005
Status: Offline
Points: 12 		Post Options Post Options   Thanks (0) Thanks(0)   Quote nippe Quote  Post ReplyReply Direct Link To This Post Posted: 22 October 2004 at 5:29am

The test at spf.pobox.com say this:
http://spf.pobox.com/why.html?sender=burkskinka@skutan.smf.se&ip=212.247.198.186&formwasused=1&debug=0

Looks ok to me.

But i have not done this before.  :)
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 23 October 2004 at 12:15am

Nippe,

When I checked your DNS yesterday skutan.smf.se did not seem to be a domain. I checked again with an nslookup and got:

> skutan.smf.se
Server:  ns1.smf.se
Address:  193.15.18.2

smf.se
        primary name server = ns1.smf.se
        responsible mail addr = administrator.smf.se
        serial  = 2004102203
        refresh = 1200 (20 mins)
        retry   = 120 (2 mins)
        expire  = 1209600 (14 days)
        default TTL = 3600 (1 hour)

> server ns1.smf.se
Default Server:  ns1.smf.se
Address:  193.15.18.2

> ls -d skutan.smf.se
[ns1.smf.se]
*** Can't list domain skutan.smf.se: Non-existent domain


To double-check, I tried the following. As you correctly stated, we have a test.logsat.com subdomain here at logsat. Here's a query for it NS records:

> set type=ns
> test.logsat.com
Server:  ns1.smf.se
Address:  193.15.18.2

Non-authoritative answer:
test.logsat.com nameserver = ns1.netwide.net
test.logsat.com nameserver = ns2.netwide.net


If I ask for an NS query on a A record that is not a domain, ex. http://www.logsat.com, I get:

> http://www.logsat.com
Server:  ns1.smf.se
Address:  193.15.18.2

logsat.com
        primary name server = naples.netwide.net
        responsible mail addr = pemiller.netwide.net
        serial  = 4102001
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 43200 (12 hours)


If I now run a NS query on skutan.smf.se I get something very similar to our http://www.logsat.com A record (not domain):

> skutan.smf.se
Server:  ns1.smf.se
Address:  193.15.18.2

smf.se
        primary name server = ns1.smf.se
        responsible mail addr = administrator.smf.se
        serial  = 2004102203
        refresh = 1200 (20 mins)
        retry   = 120 (2 mins)
        expire  = 1209600 (14 days)
        default TTL = 3600 (1 hour)


All seems to indicate a DNS config problem. But it *is* late night here as I type, and I may not be completely lucid... Without mentioning that DNS is one of the trickiest things to configure on the internet, and that I could very possibly be wrong on my assumptions.

It may help if you post your DNS zone files for the smf.se and the skutan.smf.se domains, along with the startup files, so we can try to see if there's anything wrong there.

I saw the SPF page with the results for your domain, but please note that during our development we saw that the SPF standards are not very clear, and many developers do not follow them precisely (including the original SPF developers themselves...). For example, one of our earlier versions of SpamFilter tried to find an SPF record even for an "email domain", ex roberto@http://www.logsat.com. This probably would have found the SPF record in your case. But that was wrong, since http://www.logsat.com is yes an email domain, but is not a domain as far as DNS it is concerned. We issued a patch that "fixed" that.

Roberto F.
LogSat Software
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 23 October 2004 at 3:29pm

When I look for the SPF record using a tool I wrote I get the following:

Query Type:  TXT Record(s)
Query Value: skutan.smf.se

TXT Record 1:   v=spf1 ip4:193.15.18.0/24 ~all

NOTE:  The ls -d will not work if the DNS server is secured against "Domain Record Dumps" as seems to be the case with this domain.  Actually, that is a good thing.

Regards,

Dan S.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 25 October 2004 at 1:00am
Yeap, I saw the same thing. But the issue is not the presence of the TXT record on skutan.smf.se (it's indeed present). The problem is that the SPF filter will only look at a TXT record if the entry at the right of the @ sign in the email address (skutan.smf.se in this case) is an actual "domain". If it's simply an entry in the DNS with an A or CNAME record, that's not good enough. It needs to be an actual domain for the SPF filter to work. And as you said, the domain is secured so I can't check without having more info.

Roberto F. LogSat Software
Back to Top
nippe View Drop Down
Newbie
Newbie


Joined: 03 February 2005
Status: Offline
Points: 12 		Post Options Post Options   Thanks (0) Thanks(0)   Quote nippe Quote  Post ReplyReply Direct Link To This Post Posted: 25 October 2004 at 6:15am

I am using MS Windows 2000 DNS - is that the problem.  :)

Everything else in the domain skutan.smf.se is working:
Name Type Data
(same as parent folder)TXT v=spf1 ip4:193.15.18.0/24 ?all
(same as parent folder) MX [10]  mail.smf.se.
www CNAME fcis.smf.se.
(same as parent folder) A 193.15.18.1

I have tried with ?all instead of ~all - some tools for testing likes that better and give answer NEUTRAL instead of ERROR and UNKNOWN. Just for testing - not a fix for the problem. But I think i proves that standard in this case is not the same word as i the dictionary. :)

Spamfilter will not find the SPF-record in skutan.smf.se in a domin created the "Microsoft way". Thy recomend building a strukture of domains like this. (Trying to imitate the GUI.)

-Forward Lookup Zones
 -smf.se
  -skutan

But if I, in smf.se, delegate the subdomain spftest to "myself" and put that domain on the same level as smf.se it works. A lot more work to administrate the DNS-server this way - but if this is the right way (or the only way) to get it working I have to do it.This is far from the only domain in the DNS and i do not want to change everything if I do not have to.

-Forward Lookup Zones
 -smf.se
 -spftest.smf.se

 
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 27 October 2004 at 9:57pm
Nippe,

I've just posted the follwoing in the parallel SPF thread:

=================================== Even though it apparently is against the SPF guidelines, we are noticing several domains being "misconfigured" that are reported as having valid SPF records by various SPF implementations.

At this point we decided to "go with the flow", and relax our implementation of SPF a little, marking as valid SPF records for hostnames that are not proper domains. We made available for download in the registered user area pre-release build 2.1.1.386 that has these changes.

Roberto F. LogSat Software ===================================
Back to Top
nippe View Drop Down
Newbie
Newbie


Joined: 03 February 2005
Status: Offline
Points: 12 		Post Options Post Options   Thanks (0) Thanks(0)   Quote nippe Quote  Post ReplyReply Direct Link To This Post Posted: 28 October 2004 at 9:28am

Thank you!

Standard is good - but spamfighting is our mission!  :)

I have now made some changes in my dns and installed the pre-release and it is working fine - no "false" positives in the first 10 minutes.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.211 seconds.

Copyright (c)2002-2021 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us