Spam Filter ISP Support - SPF and redirect keyword

Print Page | Close Window

SPF and redirect keyword

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5676
Printed Date: 14 March 2025 at 3:53am

Topic: SPF and redirect keyword

Posted By: Guests
Subject: SPF and redirect keyword
Date Posted: 21 June 2006 at 8:19am

It seems that SPF checking with records that contain the redirect keyword doesn't work. Consistently when SF checks for gmail.com (by way of example) SPF records the following happens:

06-21-06 07:01:55:628 -- (63392) Connection from: 207.36.160.234 - Originating country : United States
06-21-06 07:01:58:222 -- (63392) found SPF record for gmail.com: v=spf1 redirect=_spf.google.com
06-21-06 07:01:58:222 -- (63392) SPF query result: unknown
06-21-06 07:01:58:222 -- (63392) - SPF analysis for gmail.com done: - unknown

And no SPF check is performed. Unfortunately there are quite a few spam messages getting through with forged gmail.com addresses that could have been blocked.

When I check the DNS server that our SF uses for the TXT record of _spf.google.com it works okay:
> set type=txt
> _spf.google.com
Server: xxx.yyy.zz
Address: 172.16.1.11

Non-authoritative answer:
_spf.google.com text =

"v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all"

Then again, it also happens with other domains that use redirect in their SPF records:

06-21-06 13:14:10:753 -- (125396) Connection from: 212.204.245.91 - Originating country : Netherlands
06-21-06 13:14:10:800 -- (125396) found SPF record for your.hp.com: v=spf1 redirect=hp.m0.net
06-21-06 13:14:10:800 -- (125396) SPF query result: unknown
06-21-06 13:14:10:800 -- (125396) - SPF analysis for your.hp.com done: - unknown

So it seems that SF doesn't process the redirect keyword correctly. Are more people experiencing this or is it just me somehow?

Replies:

Posted By: mikek
Date Posted: 21 June 2006 at 8:36am

No, it's not just you - I'm seeing the same thing. Here an example for gmx.ch:

06.20.06 01:17:52:884 -- (17876) Connection from: 213.165.64.21 - Originating country : Germany
06.20.06 01:17:53:337 -- (17876) found SPF record for gmx.ch: v=spf1 redirect=gmx.net
06.20.06 01:17:53:337 -- (17876) SPF query result: unknown
06.20.06 01:17:53:337 -- (17876) - SPF analysis for gmx.ch done: - unknown

I'm seeing the google.com example as well. Didn't notice this before, because I wasn't looking for it, but I guess other users can confirm this quickly as well. Just do a search for 'redirect' in yesterday's log file for example.

Posted By: lyndonje
Date Posted: 21 June 2006 at 9:02am

Confirmed:

06/20/06 03:58:01:656 -- (30012) found SPF record for mp.opensrs.net: v=spf1 redirect=spf.webmaillogin.com
06/20/06 03:58:01:656 -- (30012) SPF query result: unknown
06/20/06 03:58:01:656 -- (30012) - SPF analysis for mp.opensrs.net done: - unknown

Posted By: Guests
Date Posted: 21 June 2006 at 9:58am

Okay, thanks for checking guys. It's officially a bug now I guess.

Roberto?..

Posted By: Marco
Date Posted: 21 June 2006 at 10:41am

06/13/06 14:21:51:913 -- (16203) found SPF record for thomson.com: v=spf1 redirect=_spf.thomson.com
06/13/06 14:21:51:944 -- (16203) SPF query result: unknown
06/13/06 14:21:51:960 -- (16203) - SPF analysis for thomson.com done: - unknown

yup.

-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

Posted By: LogSat
Date Posted: 21 June 2006 at 1:32pm

..wer'e still checking to see what's wrong. So far it does look like a bug, as soon as we find out more I'll post the details (and the ETA for a patch if confirmed bug)

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: LogSat
Date Posted: 21 June 2006 at 4:25pm

 _                                    __ _                         _ 
| |__  _   _  __ _    ___ ___  _ __  / _(_)_ __ _ __ ___   ___  __| |
| '_ \| | | |/ _` |  / __/ _ \| '_ \| |_| | '__| '_ ` _ \ / _ \/ _` |
| |_) | |_| | (_| | | (_| (_) | | | |  _| | |  | | | | | |  __/ (_| |
|_.__/ \__,_|\__, |  \___\___/|_| |_|_| |_|_|  |_| |_| |_|\___|\__,_|
             |___/

We're testing the patch now, it will be released within the next 6/24 hours.

Thanks to everyone for helping identifying and isolating this!

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: sgeorge
Date Posted: 21 June 2006 at 4:46pm

lol, you're too funny!

Posted By: mikek
Date Posted: 26 June 2006 at 3:03am

updated to .578:

06.26.06 08:31:51:259 -- (15064) found SPF record for gmail.com: v=spf1 redirect=_spf.google.com
06.26.06 08:31:51:291 -- (15064) found SPF record for _spf.google.com: v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all
06.26.06 08:31:51:291 -- (15064) SPF query result: pass
06.26.06 08:31:51:291 -- (15064) - SPF analysis for _spf.google.com done: - pass
06.26.06 08:31:51:291 -- (15064) SPF query result: pass
06.26.06 08:31:51:291 -- (15064) - SPF analysis for gmail.com done: - pass

great job! keep up the good work!

Print Page | Close Window