SPF Filtering help

Unanswered Question
Dec 8th, 2008

Hi All,

I'm setting SPF filtering for the first time, and I noticed that I'm not getting any hits with my filters even though when I read through the mail logs, I should be. Can someone point out the error of my ways? I'm currently setup for SIDF Compatible.

Here is the content filter I have setup, just for testing.

SPFSoftfailQuarantine: if (spf-status == "softfail") { duplicate-quarantine ("SPF Softfail"); }
SPFFailQuarantine: if (spf-status == "fail") { duplicate-quarantine ("SPF Fail"); }

Just very basic monitoring for now. And the mail logs shows me this:

Tue Dec 2 22:33:50 2008 Info: MID 1072697 SPF: helo identity [email protected] None
Tue Dec 2 22:33:51 2008 Info: MID 1072697 SPF: mailfrom identity [email protected] SoftFail (v=spf1)
Tue Dec 2 22:33:52 2008 Info: MID 1072697 SPF: pra identity [email protected] None headers from

Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: helo identity [email protected] None
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: mailfrom identity [email protected] Fail (v=spf1)
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: pra identity [email protected] None headers from

Wed Dec 3 02:27:46 2008 Info: MID 1073026 using engine: SPF Verdict Cache using cached verdict
Wed Dec 3 02:27:46 2008 Info: MID 1073026 SPF: helo identity [email protected] None
Wed Dec 3 02:27:47 2008 Info: MID 1073026 SPF: mailfrom identity [email protected] Fail (v=spf1)
Wed Dec 3 02:27:48 2008 Info: MID 1073026 SPF: pra identity [email protected] None headers from


Quarantines shows empty, even though the mail isn't being dropped. Suggestions?

kluu_ironport Mon, 12/08/2008 - 18:26

It may be case sensitive, so add this to your IF condition(s):

(?i) ---> will ignore case

SPFSoftfailQuarantine: if (spf-status == "(?i)softfail") { duplicate-quarantine ("SPF Softfail"); }

SPFFailQuarantine: if (spf-status == "(?i)fail") { duplicate-quarantine ("SPF Fail"); }

Snippets taken from the User Guide:

Verification Results

If you use the spf-status filter rule, you can check against the SPF/SIDF verification results using the following syntax:

if (spf-status == "Pass")

If you want a single condition to check against multiple status verdicts, you can use the following syntax:

if (spf-status == "PermError, TempError")

You can also check the verification results against the HELO, MAIL FROM, and PRA identities using the following syntax:

if (spf-status("pra") == "Fail")

Note: You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities.

You can receive any of the following verification results:

• None - no verification can be performed due to the lack of information.
• Pass - the client is authorized to send mail with the given identity.
• Neutral - the domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail - the domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail - the client is not authorized to send mail with the given identity.
• TempError - a transient error occurred during verification.
• PermError - a permanent error occurred during verification.

Geosoft_ironport Mon, 12/08/2008 - 18:58

Thanks for your help in this matter kluu,

The rule sets I have pasted here are actually coming from the Content Filters GUI. So, unless IronPort wrote the detection incorrectly, I do not think that's it.

I guess my question is, looking at the mail logs I pasted here, what should the resulting "spf-status" be if one of the tests (such as mailfrom) is a softfail or fail, and the rest of the tests result in None? If the expected result is None, then I guess I'll have to make a message filter instead.

Was thinking something along the lines of:

quarantine-spf-failed-mail:
if ((not spf-passed) AND ((spf-status("pra") == "SoftFail, Fail") OR (spf-status("mailfrom") == "SoftFail, Fail")
OR (spf-status("helo") == "SoftFail, Fail"))) {
insert-header("X-IronPort-Quarantine", "Quarantine");
}


The reason why I'm doing "not spf-passed" is because I have some hosts that fail on "helo" but pass on "mailfrom" for some screwed up reason. Bad mail administration on their side, I guess?

whardiso Tue, 12/09/2008 - 13:36

For the sake of thoroughness, I would at least try the case-insensitive flag change kluu recommended.

The content filter is doing a regex comparison of the SPF value returned, and the capital letter would not match.

If it does happen that the content filter should be case-insensitive by default, it can be reported as a defect.

Geosoft_ironport Tue, 12/09/2008 - 13:47

Hi Whardison,

I would love to do this, but you cannot put a case insensitive flag in the Content Filters GUI.

Geosoft_ironport Tue, 12/09/2008 - 14:17

Also,

I tried moving to message filters, which resulted in the following:

An error occurred during processing: spf-status(): '(?i)softfail' is an invalid status list. Valid status values are PermError, None, TempError, Neutral, Pass, Fail, SoftFail.

So, (?i) is not the answer in either case, unfortunately. :(
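The following is an added example, not code from the thread or from Cisco/IronPort. It models in Python what the draft message filter above would decide for the mail_logs lines quoted earlier, grouping the per-identity verdicts (helo, mailfrom, pra) by MID, comparing status strings case-insensitively the way the "SoftFail, Fail" list syntax implies, and rejecting anything outside the documented status list the same way the AsyncOS error message above does (so a "(?i)" prefix is refused). Assumptions, not documented on this page: the log line layout is taken from the quoted lines, the e-mail addresses and the fourth MID are placeholders constructed for the sample, and "spf-passed" is modelled as "some identity returned Pass". The real appliance's combination rule may differ.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mail_logs lines quoted in the thread.
# Addresses are placeholders (the thread's were redacted); MID 1073100 is
# invented to show the "helo fails but mailfrom passes" case mentioned above.
SAMPLE_LOG = """\
Tue Dec 2 22:33:50 2008 Info: MID 1072697 SPF: helo identity mta.example.net None
Tue Dec 2 22:33:51 2008 Info: MID 1072697 SPF: mailfrom identity bounce@example.net SoftFail (v=spf1)
Tue Dec 2 22:33:52 2008 Info: MID 1072697 SPF: pra identity user@example.net None headers from
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: helo identity mta.example.org None
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: mailfrom identity user@example.org Fail (v=spf1)
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: pra identity user@example.org None headers from
Wed Dec 3 02:27:46 2008 Info: MID 1073026 using engine: SPF Verdict Cache using cached verdict
Wed Dec 3 02:27:46 2008 Info: MID 1073026 SPF: helo identity mta.example.com None
Wed Dec 3 02:27:47 2008 Info: MID 1073026 SPF: mailfrom identity user@example.com Fail (v=spf1)
Wed Dec 3 02:27:48 2008 Info: MID 1073026 SPF: pra identity user@example.com None headers from
Wed Dec 3 03:05:10 2008 Info: MID 1073100 SPF: helo identity mta.example.edu Fail
Wed Dec 3 03:05:10 2008 Info: MID 1073100 SPF: mailfrom identity user@example.edu Pass (v=spf1)
Wed Dec 3 03:05:11 2008 Info: MID 1073100 SPF: pra identity user@example.edu None headers from
"""

# The status list from the User Guide snippet quoted in the thread.
VALID_STATUSES = ("None", "Pass", "Neutral", "SoftFail", "Fail", "TempError", "PermError")
_CANON = {s.lower(): s for s in VALID_STATUSES}

# Layout assumed from the quoted log lines; lines that are not SPF identity
# results (e.g. the "SPF Verdict Cache" note) do not match and are skipped.
LOG_RE = re.compile(
    r"MID (?P<mid>\d+) SPF: (?P<identity>helo|mailfrom|pra) identity (?P<who>\S+) (?P<status>\w+)"
)


def normalize_status(raw):
    """Map a verdict as written in a log or a filter ("softfail", "SoftFail")
    to its canonical spelling. Anything outside the documented list raises,
    mirroring the message-filter error quoted in the thread."""
    try:
        return _CANON[raw.strip().lower()]
    except KeyError:
        raise ValueError(
            f"{raw!r} is an invalid status; valid values are {', '.join(VALID_STATUSES)}"
        )


def parse_spf_log(text):
    """Return {mid: {identity: status}} for every SPF result line in text."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            results[m["mid"]][m["identity"]] = normalize_status(m["status"])
    return dict(results)


def status_matches(status, status_list):
    """Emulate `spf-status(...) == "SoftFail, Fail"`: a comma-separated list
    of verdicts, compared case-insensitively."""
    wanted = {normalize_status(s) for s in status_list.split(",")}
    return normalize_status(status) in wanted


def should_quarantine(identities):
    """The condition of the draft message filter. Assumption: spf-passed is
    true when any identity returned Pass; otherwise any identity in
    SoftFail/Fail triggers the quarantine header. Missing identities count
    as None, which never matches."""
    if any(s == "Pass" for s in identities.values()):
        return False
    return any(
        status_matches(identities.get(ident, "None"), "SoftFail, Fail")
        for ident in ("pra", "mailfrom", "helo")
    )


def evaluate(text):
    """Return {mid: quarantine?} for every message found in the log text."""
    return {mid: should_quarantine(ids) for mid, ids in parse_spf_log(text).items()}


if __name__ == "__main__":
    for mid, verdict in evaluate(SAMPLE_LOG).items():
        print(mid, "quarantine" if verdict else "deliver")
```

Run as a script it prints a decision per MID: the three messages from the thread are flagged because mailfrom is SoftFail or Fail and nothing passed, while the constructed fourth message is delivered because its mailfrom passed even though helo failed.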
