
New Member

SPF Filtering help

Hi All,

I'm setting SPF filtering for the first time, and I noticed that I'm not getting any hits with my filters even though when I read through the mail logs, I should be. Can someone point out the error of my ways? I'm currently setup for SIDF Compatible.

Here is the content filter I have setup, just for testing.

SPFSoftfailQuarantine: if (spf-status == "softfail") { duplicate-quarantine ("SPF Softfail"); }
SPFFailQuarantine: if (spf-status == "fail") { duplicate-quarantine ("SPF Fail"); }

Just very basic monitoring for now. And the mail logs shows me this:

Tue Dec 2 22:33:50 2008 Info: MID 1072697 SPF: helo identity postmaster@463FA4D1AD484B9 None
Tue Dec 2 22:33:51 2008 Info: MID 1072697 SPF: mailfrom identity xxx@us.army.mil SoftFail (v=spf1)
Tue Dec 2 22:33:52 2008 Info: MID 1072697 SPF: pra identity xxx@us.army.mil None headers from

Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: helo identity postmaster@bigdog.icorporation.local None
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: mailfrom identity xxx@bol.com.br Fail (v=spf1)
Wed Dec 3 01:12:07 2008 Info: MID 1072902 SPF: pra identity xxx@bol.com.br None headers from

Wed Dec 3 02:27:46 2008 Info: MID 1073026 using engine: SPF Verdict Cache using cached verdict
Wed Dec 3 02:27:46 2008 Info: MID 1073026 SPF: helo identity postmaster@ctb-mesg-1-1.saix.net None
Wed Dec 3 02:27:47 2008 Info: MID 1073026 SPF: mailfrom identity xxx@aluvin.co.za Fail (v=spf1)
Wed Dec 3 02:27:48 2008 Info: MID 1073026 SPF: pra identity xxx@aluvin.co.za None headers from


Quarantines shows empty, even though the mail isn't being dropped. Suggestions?

6 REPLIES
New Member

Re: SPF Filtering help

It may be case sensitive so, add this to your IF condition(s),

(?i) ---> will ignore case

SPFSoftfailQuarantine: if (spf-status == "(?i)softfail") { duplicate-quarantine ("SPF Softfail"); }

SPFFailQuarantine: if (spf-status == "(?i)fail") { duplicate-quarantine ("SPF Fail"); }





Snippets taken from the User Guide,

Verification Results
If you use the spf-status filter rule, you can check against the SPF/SIDF verification results using the following syntax:

if (spf-status == "Pass")

If you want a single condition to check against multiple status verdicts, you can use the following syntax:

if (spf-status == "PermError, TempError")

You can also check the verification results against the HELO, MAIL FROM, and PRA identities using the following syntax:

if (spf-status("pra") == "Fail")

Note — You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities.

You can receive any of the following verification results:
• None - no verification can be performed due to the lack of information.
• Pass - the client is authorized to send mail with the given identity.
• Neutral - the domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail - the domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail - the client is not authorized to send mail with the given identity.
• TempError - a transient error occurred during verification.
• PermError - a permanent error occurred during verification.

New Member

Re: SPF Filtering help

Thanks for your help in this matter kluu,

The rule sets I have pasted here are actually coming from the Content Filters GUI. So, unless IronPort wrote the detection incorrectly, I do not think that's it.

I guess my question is, by looking at the mail logs I pasted here, what should be the outcome result of "spf-status" if one of the tests (such as mailfrom) is a softfail or fail, and the rest of the test results are None? If the expected result is None, then I guess I'll have to make a message filter instead.

Was thinking something along the lines of:

quarantine-spf-failed-mail:
if ((not spf-passed) AND ((spf-status("pra") == "SoftFail, Fail") OR (spf-status("mailfrom") == "SoftFail, Fail")
OR (spf-status("helo") == "SoftFail, Fail"))) {
insert-header("X-IronPort-Quarantine", "Quarantine");
}


The reason why I'm doing "not spf-passed" is because I have some hosts that fail on "helo" but pass on "mailfrom" for some screwed up reason. Bad mail administration on their side I guess?
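To see how the mail_logs lines from the original post map onto a rule like the one proposed above, here is an added example that is not from this thread or from Cisco/IronPort: it parses the per-identity verdicts by MID, applies the User Guide's comma-separated status-list semantics (with and without case folding), validates status names the way the message filter error message does, and lists the MIDs the proposed rule would tag. It assumes that spf-passed means the mailfrom identity returned Pass (the poster's stated intent), and the log lines, domains and function names are constructed for the example.

```python
import re
from collections import defaultdict
# Per-identity SPF lines as AsyncOS writes them to mail_logs, e.g.
#   "MID 1072697 SPF: mailfrom identity user@example.org SoftFail (v=spf1)"
SPF_LINE = re.compile(
    r"MID (?P<mid>\d+) SPF: (?P<identity>helo|mailfrom|pra) identity (?P<addr>\S+) "
    r"(?P<verdict>None|Pass|Neutral|SoftFail|Fail|TempError|PermError)\b"
)
# Verdict names spelled exactly as the appliance lists them in its error message.
VALID_VERDICTS = {"None", "Pass", "Neutral", "SoftFail", "Fail", "TempError", "PermError"}

# Constructed sample log in the same shape as the thread's snippet (placeholder domains).
LOG = """\
Tue Dec 2 22:33:50 2008 Info: MID 1001 SPF: helo identity postmaster@relay.example.net None
Tue Dec 2 22:33:51 2008 Info: MID 1001 SPF: mailfrom identity user@example.org SoftFail (v=spf1)
Tue Dec 2 22:33:52 2008 Info: MID 1001 SPF: pra identity user@example.org None headers from
Wed Dec 3 01:12:07 2008 Info: MID 1002 SPF: helo identity postmaster@mx.example.com Fail (v=spf1)
Wed Dec 3 01:12:07 2008 Info: MID 1002 SPF: mailfrom identity user@example.com Pass (v=spf1)
Wed Dec 3 02:27:46 2008 Info: MID 1003 using engine: SPF Verdict Cache using cached verdict
Wed Dec 3 02:27:47 2008 Info: MID 1003 SPF: mailfrom identity user@example.co.za Fail (v=spf1)
"""

def parse_spf_verdicts(log_text):
    """Group verdicts by MID: {"1001": {"helo": "None", "mailfrom": "SoftFail", "pra": "None"}}."""
    verdicts = defaultdict(dict)
    for line in log_text.splitlines():
        m = SPF_LINE.search(line)  # non-SPF lines (e.g. verdict cache) are skipped
        if m:
            verdicts[m["mid"]][m["identity"]] = m["verdict"]
    return dict(verdicts)

def validate_status_list(status_list):
    """Message-filter style check: every comma-separated entry must be a verdict name."""
    bad = [s.strip() for s in status_list.split(",") if s.strip() not in VALID_VERDICTS]
    if bad:
        raise ValueError(f"{status_list!r} is an invalid status list: {bad}")
    return True

def status_matches(verdict, status_list, ignore_case=False):
    """spf-status == "A, B" against one verdict; exact case unless ignore_case is set."""
    wanted = [s.strip() for s in status_list.split(",")]
    if ignore_case:
        return verdict.lower() in {s.lower() for s in wanted}
    return verdict in wanted

def should_quarantine(identities):
    """The poster's proposed rule: not spf-passed AND some identity is SoftFail or Fail."""
    # ASSUMPTION: spf-passed modelled as mailfrom == Pass, so helo-fail/mailfrom-pass is left alone.
    spf_passed = identities.get("mailfrom") == "Pass"
    any_failed = any(status_matches(v, "SoftFail, Fail") for v in identities.values())
    return (not spf_passed) and any_failed
```

With exact-case comparison, a lowercase "softfail" never matches the logged "SoftFail", which is the behaviour the thread is chasing; MIDs 1001 and 1003 in the sample would be tagged, 1002 would not.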

Cisco Employee

Re: SPF Filtering help

For the sake of thoroughness, I would at least try the case insensitive flag change kluu recommended.

The content filter is doing a regex comparison of the SPF value returned, and the capital letter would not match.

If it does happen that the content filter should be case-insensitive by default, it can be reported as a defect.

New Member

Re: SPF Filtering help

Hi Whardison,

I would love to do this, but you cannot put a case insensitive flag in the Content Filters GUI.

New Member

Re: SPF Filtering help

Also,

I tried moving to message filters, which resulted in the following:


An error occurred during processing: spf-status(): '(?i)softfail' is an invalid status list. Valid status values are PermError, None, TempError, Neutral, Pass, Fail, SoftFail.


So, (?i) is not the answer in both cases unfortunately. :(

Cisco Employee

Re: SPF Filtering help

I'd put in a ticket to support@ironport.com ( if you have not already ).

Tech Support can verify the behavior on a test system, and coordinate a work-around if necessary.

If you include the log snippet you posted here, they'd be able to try to replicate it.

-whardison
