SPF Filtering help

Hi All,

I'm setting up SPF filtering for the first time, and I noticed that I'm not getting any hits with my filters even though, when I read through the mail logs, I should be. Can someone point out the error of my ways? I'm currently set up for SIDF Compatible.

Here is the content filter I have set up, just for testing.

SPFSoftfailQuarantine: if (spf-status == "softfail") { duplicate-quarantine ("SPF Softfail"); }
SPFFailQuarantine: if (spf-status == "fail") { duplicate-quarantine ("SPF Fail"); }

Just very basic monitoring for now. And the mail logs show me this:

Tue Dec 2 22:33:50 2008 Info: MID 1072697 SPF: helo identity postmaster@463FA4D1AD484B9 None
Tue Dec 2 22:33:51 2008 Info: MID 1072697 SPF: mailfrom identity xxx@us.army.mil SoftFail (v=spf1)
Tue Dec 2 22:33:52 2008 Info: MID 1072697 SPF: pra identity xxx@us.army.mil None headers from

Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: helo identity postmaster@bigdog.icorporation.local None
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: mailfrom identity xxx@bol.com.br Fail (v=spf1)
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: pra identity xxx@bol.com.br None headers from

Wed Dec 3 02:27:46 2008 Info: MID 1073026 using engine: SPF Verdict Cache using cached verdict
Wed Dec 3 02:27:46 2008 Info: MID 1073026 SPF: helo identity postmaster@ctb-mesg-1-1.saix.net None
Wed Dec 3 02:27:47 2008 Info: MID 1073026 SPF: mailfrom identity xxx@aluvin.co.za Fail (v=spf1)
Wed Dec 3 02:27:48 2008 Info: MID 1073026 SPF: pra identity xxx@aluvin.co.za None headers from

The quarantines show empty, even though the mail isn't being dropped. Suggestions?


kluu_ironport
Level 2

It may be case sensitive, so add this to your IF condition(s):

(?i) ---> will ignore case

SPFSoftfailQuarantine: if (spf-status == "(?i)softfail") { duplicate-quarantine ("SPF Softfail"); }

SPFFailQuarantine: if (spf-status == "(?i)fail") { duplicate-quarantine ("SPF Fail"); }
Snippets taken from the User Guide,

Verification Results
If you use the spf-status filter rule, you can check against the SPF/SIDF verification results using the following syntax:

if (spf-status == "Pass")

If you want a single condition to check against multiple status verdicts, you can use the following syntax:

if (spf-status == "PermError, TempError")

You can also check the verification results against the HELO, MAIL FROM, and PRA identities using the following syntax:

if (spf-status("pra") == "Fail")

Note — You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities.
You can receive any of the following verification results:

• None - no verification can be performed due to the lack of information.
• Pass - the client is authorized to send mail with the given identity.
• Neutral - the domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail - the domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail - the client is not authorized to send mail with the given identity.
• TempError - a transient error occurred during verification.
• PermError - a permanent error occurred during verification.

Thanks for your help in this matter kluu,

The rule sets I have pasted here are actually coming from the Content Filters GUI. So, unless IronPort wrote the detection incorrectly, I do not think that's it.

I guess my question is, looking at the mail logs I pasted here, what should the outcome result of "spf-status" be if one of the tests (such as mailfrom) is a softfail or fail, and the rest of the test results are None? If the expected result is None, then I guess I'll have to make a message filter instead.

Was thinking something along the lines of:

quarantine-spf-failed-mail:
if ((not spf-passed) AND ((spf-status("pra") == "SoftFail, Fail") OR (spf-status("mailfrom") == "SoftFail, Fail")
OR (spf-status("helo") == "SoftFail, Fail"))) {
    insert-header("X-IronPort-Quarantine", "Quarantine");
}


The reason why I'm doing "not spf-passed" is because I have some hosts that fail on "helo" but pass on "mailfrom" for some screwed up reason. Bad mail administration on their side I guess?
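To make the question above concrete, here is an added Python example (not from this thread, and not Cisco/IronPort code) that parses the SPF log lines posted at the top of the thread into per-identity verdicts for each MID and then applies the same logic as the proposed message filter. The exact-string comparison used in spf_status and the reading of spf-passed as "every verified identity returned Pass" are assumptions about the filter language made for this illustration, not a description of how AsyncOS implements those rules. The script also shows the case-sensitivity point raised earlier: under an exact comparison, "softfail" does not match the "SoftFail" verdict the guide lists.

```python
import re
from collections import defaultdict

# Constructed sample: the three messages from the mail log posted in the thread,
# with the sender addresses redacted as the poster had them.
SAMPLE_LOG = """\
Tue Dec 2 22:33:50 2008 Info: MID 1072697 SPF: helo identity postmaster@463FA4D1AD484B9 None
Tue Dec 2 22:33:51 2008 Info: MID 1072697 SPF: mailfrom identity xxx@us.army.mil SoftFail (v=spf1)
Tue Dec 2 22:33:52 2008 Info: MID 1072697 SPF: pra identity xxx@us.army.mil None headers from
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: helo identity postmaster@bigdog.icorporation.local None
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: mailfrom identity xxx@bol.com.br Fail (v=spf1)
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: pra identity xxx@bol.com.br None headers from
Wed Dec 3 02:27:46 2008 Info: MID 1073026 using engine: SPF Verdict Cache using cached verdict
Wed Dec 3 02:27:46 2008 Info: MID 1073026 SPF: helo identity postmaster@ctb-mesg-1-1.saix.net None
Wed Dec 3 02:27:47 2008 Info: MID 1073026 SPF: mailfrom identity xxx@aluvin.co.za Fail (v=spf1)
Wed Dec 3 02:27:48 2008 Info: MID 1073026 SPF: pra identity xxx@aluvin.co.za None headers from
"""

# The seven verdict names from the User Guide snippet quoted in the thread.
VERDICTS = {"None", "Pass", "Neutral", "SoftFail", "Fail", "TempError", "PermError"}

# Matches the "MID <n> SPF: <identity> identity <address> <verdict>" log lines.
LINE_RE = re.compile(
    r"MID (?P<mid>\d+) SPF: (?P<identity>helo|mailfrom|pra) identity "
    r"(?P<addr>\S+) (?P<verdict>\w+)"
)


def parse_spf_log(text):
    """Return {mid: {identity: verdict}} from the SPF lines of a mail log."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the "SPF Verdict Cache" line carries no per-identity verdict
        verdict = m.group("verdict")
        if verdict not in VERDICTS:
            raise ValueError(f"unexpected SPF verdict {verdict!r} in: {line}")
        results[m.group("mid")][m.group("identity")] = verdict
    return dict(results)


def spf_status(per_identity, identity, status_list):
    """Model of spf-status("<identity>") == "A, B": true if that identity's
    verdict is one of the comma-separated names. Assumption: the comparison is
    an exact, case-sensitive match on the verdict names the guide lists."""
    wanted = {s.strip() for s in status_list.split(",")}
    return per_identity.get(identity) in wanted


def spf_passed(per_identity):
    """Assumed reading of spf-passed: every verified identity returned Pass."""
    return bool(per_identity) and all(v == "Pass" for v in per_identity.values())


def should_quarantine(per_identity):
    """The poster's proposed rule: not spf-passed AND any identity SoftFail/Fail."""
    bad = "SoftFail, Fail"
    return (not spf_passed(per_identity)) and (
        spf_status(per_identity, "pra", bad)
        or spf_status(per_identity, "mailfrom", bad)
        or spf_status(per_identity, "helo", bad)
    )


def quarantine_candidates(text):
    """MIDs in the log that the proposed rule would tag for quarantine."""
    return sorted(mid for mid, ids in parse_spf_log(text).items() if should_quarantine(ids))


if __name__ == "__main__":
    for mid, ids in parse_spf_log(SAMPLE_LOG).items():
        action = "quarantine" if should_quarantine(ids) else "deliver"
        print(mid, ids, "->", action)
    # Case-sensitivity check: lowercase name does not match the logged verdict.
    first = parse_spf_log(SAMPLE_LOG)["1072697"]
    print("softfail matches:", spf_status(first, "mailfrom", "softfail"))
    print("SoftFail matches:", spf_status(first, "mailfrom", "SoftFail"))
```

Running it lists all three MIDs as quarantine candidates, because in each one the mailfrom identity is SoftFail or Fail while helo and pra are None; the same data shows why a rule keyed only on the pra identity, or on a lowercase "softfail", would match nothing.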

Douglas Hardison
Cisco Employee

For the sake of thoroughness, I would at least try the case-insensitive flag change kluu recommended.

The content filter is doing a regex comparison of the SPF value returned, and the capital letter would not match.

If it does happen that the content filter should be case-insensitive by default, it can be reported as a defect.

Hi Whardison,

I would love to do this, but you cannot put a case insensitive flag in the Content Filters GUI.

Also,

I tried moving to message filters, which resulted in the following:

An error occurred during processing: spf-status(): '(?i)softfail' is an invalid status list. Valid status values are PermError, None, TempError, Neutral, Pass, Fail, SoftFail.

So, (?i) is not the answer in either case, unfortunately. :(

Douglas Hardison
Cisco Employee

I'd put in a ticket to support@ironport.com (if you have not already).

Tech Support can verify the behavior on a test system, and coordinate a work-around if necessary.

If you include the log snippet you posted here, they'd be able to try to replicate it.

-whardison
