[TAG] Re-enabled SPF-checking
Rick Moen
rick at linuxmafia.com
Thu Dec 1 06:23:37 MSK 2005
So far, so good. Here's my MTA rejecting three obvious "joe-jobs"
(e-mails with forged envelope sender):
2005-11-30 19:05:04 H=c-24-14-59-24.hsd1.il.comcast.net (linuxmafia.com) [24.14.59.24]:3820 I=[198.144.195.186]:25 F=<MAILER-DAEMON at linuxmafia.com> rejected RCPT <conspire at linuxmafia.com>: Sender SPF verification failed for MAILER-DAEMON at linuxmafia.com: linuxmafia.com: domain of MAILER-DAEMON at linuxmafia.com does not designate 24.14.59.24 as permitted sender: Not authorized by SPF
2005-11-30 19:05:06 H=c-24-14-59-24.hsd1.il.comcast.net (linuxmafia.com) [24.14.59.24]:3822 I=[198.144.195.186]:25 F=<MAILER-DAEMON at linuxmafia.com> rejected RCPT <conspire at linuxmafia.com>: Sender SPF verification failed for MAILER-DAEMON at linuxmafia.com: linuxmafia.com: domain of MAILER-DAEMON at linuxmafia.com does not designate 24.14.59.24 as permitted sender: Not authorized by SPF
2005-11-30 19:05:09 H=c-24-14-59-24.hsd1.il.comcast.net (linuxmafia.com) [24.14.59.24]:3825 I=[198.144.195.186]:25 F=<MAILER-DAEMON at linuxmafia.com> rejected RCPT <conspire at linuxmafia.com>: Sender SPF verification failed for MAILER-DAEMON at linuxmafia.com: linuxmafia.com: domain of MAILER-DAEMON at linuxmafia.com does not designate 24.14.59.24 as permitted sender: Not authorized by SPF
IP address 24.14.59.24 (which is c-24-14-59-24.hsd1.il.comcast.net,
according to the reverse DNS records) came waltzing in, claiming to _be_
"linuxmafia.com" and attempted to drop off three pieces of mail with
claimed envelope sender "From: MAILER-DAEMON at linuxmafia.com".
Because my DNS publishes an SPF record equating to "If mail is from a
mail exchanger machine that doesn't live at IP address 198.144.195.186,
then it's forged", my MTA immediately said "Nope, you're _not_ an
authorised mail exchanger for linuxmafia.com. So, bugger off."
I sure hope, this time, that it's checking IPs against the sender domain
shown in the _envelope_ sender (the "From " line), and not the internal
"From:" header's sender domain as before.
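
Added example, not part of the original post: a small Python parser for reject lines in the layout quoted above, which pulls out SPF rejections and counts them per connecting IP. The helo_mismatch heuristic and the function names are assumptions of this example; the first sample line is quoted from the post, the other two are constructed with documentation addresses.

```python
import re
from collections import Counter

# Layout of the reject lines quoted in the post:
#   <date> <time> H=<rDNS> (<HELO>) [<ip>]:<port> I=[..]:25 F=<sender> rejected RCPT <rcpt>: <reason>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H="
    r"(?:(?P<rdns>[^\s(]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]:\d+ "
    r".*?F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

def domain_of(address):
    # The list archive writes "user at domain"; live logs use "user@domain".
    return re.split(r"@| at ", address)[-1].strip().lower()

def spf_rejections(lines):
    """Return one dict per RCPT rejection whose reason mentions SPF."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "SPF" not in m["reason"]:
            continue
        rec = m.groupdict()
        rec["sender_domain"] = domain_of(rec["sender"])
        helo, rdns = (rec["helo"] or "").lower(), (rec["rdns"] or "").lower()
        # Heuristic (assumption of this example): the client's HELO names the
        # envelope sender's domain, but its reverse DNS is not under that name.
        rec["helo_mismatch"] = helo == rec["sender_domain"] and not rdns.endswith(helo)
        hits.append(rec)
    return hits

def count_by_ip(hits):
    """Number of SPF rejections per connecting IP address."""
    return Counter(h["ip"] for h in hits)

SAMPLE = [
    # Quoted from the post above.
    "2005-11-30 19:05:04 H=c-24-14-59-24.hsd1.il.comcast.net (linuxmafia.com) [24.14.59.24]:3820 I=[198.144.195.186]:25 F=<MAILER-DAEMON at linuxmafia.com> rejected RCPT <conspire at linuxmafia.com>: Sender SPF verification failed for MAILER-DAEMON at linuxmafia.com: linuxmafia.com: domain of MAILER-DAEMON at linuxmafia.com does not designate 24.14.59.24 as permitted sender: Not authorized by SPF",
    # Constructed: a rejection that has nothing to do with SPF.
    "2005-11-30 19:07:11 H=(mail.example.org) [192.0.2.10]:4001 I=[198.51.100.1]:25 F=<bob@example.org> rejected RCPT <nobody@example.net>: Unrouteable address",
    # Constructed: SPF failure from a client with no reverse DNS.
    "2005-11-30 19:08:00 H=(example.org) [192.0.2.10]:4002 I=[198.51.100.1]:25 F=<alice@example.org> rejected RCPT <carol@example.net>: Sender SPF verification failed for alice@example.org: Not authorized by SPF",
]

if __name__ == "__main__":
    for h in spf_rejections(SAMPLE):
        print(h["ts"], h["ip"], h["sender_domain"], "helo_mismatch=%s" % h["helo_mismatch"])
    print(count_by_ip(spf_rejections(SAMPLE)))
```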