Spam Filter ISP Support - SPF return unknown

Print Page | Close Window

SPF return unknown

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6879
Printed Date: 27 December 2024 at 11:01am

Topic: SPF return unknown

Posted By: vbourbeau
Subject: SPF return unknown
Date Posted: 05 October 2010 at 2:23pm

Lot of spam pass spamfilter and when I look in log the SPF result return "unknown". What mean this result?

The spam is clearly not the domain owners. Example: mailto:e-cards@hallmark.com - e-cards@hallmark.com with 65.166.169.23

Replies:

Posted By: LogSat
Date Posted: 05 October 2010 at 10:42pm

SpamFilter will return an "unknown" if the SPF record is malformed, and will skip the SPF filter check to avoid blocking valid emails.

As a side-note, in your specific example, hallmark.com does indeed have what appears as an improperly formatted SPF record, since it contains two v=spf1 mechanisms:

hallmark.com. 1 IN TXT "v=spf1 ip4:208.1.139.0/24 ip4:129.33.92.0/24 ip4:65.116.50.141 ip4:65.116.50.144 ip4:65.116.50.142 ip4:65.116.50.143 ip4:162.94.28.0/24 v=spf1 ip4:209.176.191.124 ip4:209.176.191.121 ip4:209.176.191.123 ip4:209.176.191.122 ip4:193.132.80.20 mx ~all"

while this does appear to violate the SPF RFC, we do see that the online verifier for openspf.org themselves marks that SPF record as legitimate. Due to this, we've just uploaded int he registered user area an updated build of SpamFilter (4.2.4.836) that ignores the duplicate v=spf1 mechanisms and continues to validate the remaining of the SPF record for further analysis.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: vbourbeau
Date Posted: 06 October 2010 at 8:06am

ok ...

If I understand well, wise spamer can use domain name who don't respect the SPF RFC and bypass most of the SPF rules.

Posted By: yapadu
Date Posted: 06 October 2010 at 7:13pm

Yes a smart spammer will not pick a domain with valid SPF rules, a much higher % of spam will be stopped when a domain publishes SPF.

By publishing SPF records the domain owner is protecting themselves from spammers trying to forge email from their domain.

It is almost like a lock on a bike or house. Just because you have a lock does not mean you can't get broken into but a thief is probably just going to hit the house next door that does not have an alarm.

Thanks for the new release Roberto, a couple of nice new additions in there!

-------------
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

Print Page | Close Window