Discussion:
Wacky SPF Policy
a***@WPI.EDU
2014-02-05 20:58:38 UTC
I was directed by a young whippersnapper at the pobox help desk to sign up on
the SPF mailing list to learn something about it. He offered the comment that
pobox invented SPF (so there!).

I had complained to them about this mail stalling in my outbound server:

-----Q-ID----- --Size-- -Priority- ---Q-Time--- --------Sender/Recipient--------
s15Dbwo2018764 250 1290946+Feb 5 08:37 <***@WPI.EDU>
(Deferred: 453 Please see http://spf.pobox.com/why.html?sender=***@WPI.EDU&ip=65.254.18.67)
<***@eastmeadow.k12.ny.us>
(Deferred: 453 Please see http://spf.pobox.com/why.html?sender=***@WPI.EDU&ip=65.254.18.67)
s15DtnEW027481 501 1291256+Feb 5 08:55 <***@WPI.EDU>
(Deferred: 453 Please see http://spf.pobox.com/why.html?sender=***@WPI.EDU&ip=65.254.18.67)
<***@eastmeadow.k12.ny.us>
(Deferred: 453 Please see http://spf.pobox.com/why.html?sender=***@WPI.EDU&ip=65.254.18.67)
Total requests: 2

I tried following the link, which failed at first due to their web server being
unresponsive, and I eventually got this:

"
rejected a message that claimed an envelope sender address of ***@WPI.EDU.
received a message from host-65-254-18-67.static.longislandfiberexchange.net
(65.254.18.67) that claimed an envelope sender address of ***@WPI.EDU.

However, the domain wpi.edu has declared using SPF that it does not send mail
through host-65-254-18-67.static.longislandfiberexchange.net
(65.254.18.67). That is why the message was rejected.

If you are ***@WPI.EDU:
wpi.edu should have given you a way to send mail through an authorized server.
"

So, what appears to have happened here is that an infected pc in some home or
office in Long Island is running a mail bot which forged mail from my address.
Also, they tell me that my address should pass SPF. In any case, the result is
that my address is now rejected by pobox, even though it comes from a server on
which it passes SPF.

I complained and was told I should learn about SPF, as I mentioned at the start
of this message. Just to blow off steam, I'm posting to the list.

I set up SPF at WPI.EDU some years ago in hopes that @wpi.edu email from other
domains would be recognized as forged. This appeared to be the purpose of SPF.

Perhaps, had I not set up SPF, I wouldn't have been blackballed by pobox this
way, since the email from that infected pc would not have failed SPF and
therefore my email address would not have been screwed this way.

This process that pobox follows seems to be monumentally twisted.

I would have thought they might do a few things:

1. blacklist the pc, since it issued violating email
2. dropped that message in the first place, since it violates spf.

Heck, I'd like to drop SPF-violating email at our domain, except I found that
so much email that people want to get does violate SPF. All we do here is put
[SPF:Probably Forged] in the subject line. That seems to annoy our recipients,
since they know that the message is from their colleague and there is "no way"
it could be forged. Occasionally I remind them that if they see that mark on
email from the IRS, a bank or Amazon or Ebay or PayPal, they'd better pay
attention.

Anyway, back to the pobox behavior, they don't do the things I would expect they
might do. Instead, they black list the email address which violated SPF. They
don't even relent when that message really is from a good SPF source.

This is astounding!

Is anybody aware of this? Am I just overreacting?
Sanford Whiteman
2014-02-05 21:11:34 UTC
Post by a***@WPI.EDU
Anyway, back to the pobox behavior, they don't do the things I would expect they
might do. Instead, they black list the email address which violated SPF. They
don't even relent when that message really is from a good SPF source.
This is astounding!
Is anybody aware of this? Am I just overreacting?
I can't independently confirm that it's happening, but if it is, you
are correct to be angry. It's an ignorant (mis)use of SPF if I've ever
seen one. The fact that a "joe job" was attempted against your address
must not result in address-level blacklisting.

Perhaps a temporary misconfiguration on their side is responsible.

-- Sandy
a***@WPI.EDU
2014-02-05 21:25:32 UTC
sandy> I can't independently confirm that it's happening, but if it is, you are
sandy> correct to be angry. It's an ignorant (mis)use of SPF if I've ever seen
sandy> one. The fact that a "joe job" was attempted against your address must
sandy> not result in address-level blacklisting.

I can see the outbound queue at WPI and followed the link. I can't come to any
other conclusion. They are temp/failing the messages and the link they give
leads to that description.

sandy> Perhaps a temporary misconfiguration on their side is responsible.

Maybe. I came to the conclusion that maybe I should join this list, as pobox
suggested to me, and post about the policy. Their reason I should join the
list was so that I could learn about SPF.

Maybe someone at pobox who actually knows what SPF is may read these posts and
would recognize that something needs to be fixed. I suppose the odds are low.

Their helpdesk was unhelpful, so I'm grasping at straws.

It's hard to believe that an org whose business is email would have such a
fundamental misunderstanding. If it was a company, college, or whatever who
had some broken mail policy, it might be more understandable; email isn't at
the core of what they do.
Alex van den Bogaerdt
2014-02-05 21:59:02 UTC
Post by a***@WPI.EDU
I was directed by a young whippersnapper at the pobox help desk to sign up on
the SPF mailing list to learn something about it. He offered the comment that
pobox invented SPF (so there!).
-----Q-ID----- --Size-- -Priority- ---Q-Time--- --------Sender/Recipient--------
(Deferred: 453 Please see
(Deferred: 453 Please see
(Deferred: 453 Please see
(Deferred: 453 Please see
You say this is your email queue, and pobox says it is contacted from IP
address 65.254.18.67 .
If both are correct, then the email policy as published by wpi.edu is to NOT
authorize this message.
Reason: you are sending from 65.254.18.67 which is not authorized in the
wpi.edu policy.

Did I miss anything relevant from your message perhaps?

Alex
alan
2014-02-05 22:34:30 UTC
a the mails in this listing are from
<***@WPI.EDU>

to
<***@eastmeadow.k12.ny.us>
<***@eastmeadow.k12.ny.us>

so why are you blaming pobox.com ???

it's the server for eastmeadow.k12.ny.us that is tempfailing the mails in your queue
(it is using an old canned response that directs you at http script on pobox that provides human readable spf errors, their only involvement)

according to the errors the connections came from 65.254.18.67
(is this your servers that these 453 errors are being received by)

if so the spf for
WPI.EDU
is
"v=spf1 ip4:130.215.36.91 ip4:130.215.5.39 ip4:66.151.109.16 ip4:209.235
.101.208/28 ip4:139.146.131.244/30 ip4:139.146.143.184/29 ip4:139.146.131.249/29
ip4:139.146.146.128/25 ip4:139.146.160.0/25 ip4:70.251.178.128/28 ip4:64.34.25.
64/27 ip4:206.107.42.254 ip4:206.107.43.223 include:enomia.com ip4:206.72.127
.0/24 -all"

including
"v=spf1 mx ip4:64.128.160.111 ip4:64.128.160.112 -all"

including the mxs (why does anyone use mx???)
64.128.160.11, 64.128.160.12
especially as these mx's have both the same 2 ips????

absolutely none of these have the ip 65.254.18.67

now the other possibility is the dumbass owner of 65.254.18.67 is receiving this message and sending NDR backscatter to you in which case you just blacklist the ip from sending you backscatter

but how you would see mentions of this in a log format i cannot guess
Post by a***@WPI.EDU
I was directed by a young whippersnapper at the pobox help desk to sign up on
the SPF mailing list to learn something about it. He offered the comment that
pobox invented SPF (so there!).
-----Q-ID----- --Size-- -Priority- ---Q-Time--- --------Sender/Recipient--------
You say this is your email queue, and pobox says it is contacted from IP address 65.254.18.67 .
If both are correct, then the email policy as published by wpi.edu is to NOT authorize this message.
Reason: you are sending from 65.254.18.67 which is not authorized in the wpi.edu policy.
Did I miss anything relevant from your message perhaps?
Alex
a***@WPI.EDU
2014-02-05 22:53:38 UTC
fspfdiscuss> a the mails in this listing are from <***@WPI.EDU>

fspfdiscuss> to <***@eastmeadow.k12.ny.us>
fspfdiscuss> <***@eastmeadow.k12.ny.us>

fspfdiscuss> so why are you blaming pobox.com ???

Ouch. eastmeadow does not use pobox as an MX.

I leapt to the conclusion that they had outsourced to pobox.com.

Does anyone know why pobox is storing some record of some spam sent from a
random IP from ***@wpi.edu?

Looking at

http://spf.pobox.com/why.html?sender=***@WPI.EDU&ip=65.254.18.67

which the delivery failure mentions, I get a description of some spam sent from
that IP, under my address.

Does pobox offer a SPF service that eastmeadow is maybe improperly using?

Why would pobox be storing an SPF failure record like this?

Are they storing all the SPF failures in the universe?
a***@WPI.EDU
2014-02-05 22:45:02 UTC
Post by a***@WPI.EDU
I was directed by a young whippersnapper at the pobox help desk to
sign up on the SPF mailing list to learn something about it. He
offered the comment that pobox invented SPF (so there!).
-----Q-ID----- --Size-- -Priority- ---Q-Time---
--------Sender/Recipient-------- s15Dbwo2018764 250 1290946+Feb 5
Please see
alex> You say this is your email queue, and pobox says it is contacted from IP
alex> address 65.254.18.67 . If both are correct, then the email policy as
alex> published by wpi.edu is to NOT authorize this message. Reason: you are
alex> sending from 65.254.18.67 which is not authorized in the wpi.edu policy.

alex> Did I miss anything relevant from your message perhaps?

The outbound queue I can see, with that failure message, is on VALID SPF
SENDER of WPI.EDU messages.

I never ever sent a message from 65.254.18.67.

Some spam came out of that IP forged as being from my address, I guess. I
never saw the message. I get the reference when I follow the web link that
pobox gives me.

So, some pc in Long Island, at IP 65.254.18.67, sent a message as if it came
from "me". That violated SPF, since I established a list of IPs which can send
email from @wpi.edu and it DOES NOT include that Long Island IP address.

pobox is absolutely correct that the message violated SPF. I wish they just
dropped the damn thing.

However, as a result of that bogus message, pobox has poisoned my email
address, even if I send email from a valid, SPF-correct, sending system.
Alex van den Bogaerdt
2014-02-05 23:28:41 UTC
Post by a***@WPI.EDU
Post by a***@WPI.EDU
-----Q-ID----- --Size-- -Priority- ---Q-Time---
--------Sender/Recipient-------- s15Dbwo2018764 250 1290946+Feb 5
alex> Did I miss anything relevant from your message perhaps?
The outbound queue I can see, with that failure message, is on VALID SPF
SENDER of WPI.EDU messages.
Ahhh... wait....

You are not sending to pobox, you are sending to eastmeadow.k12.ny.us

The problem is there; apparently they are relaying the message internally
and then use the IP address of the relay to check against your SPF policy.
Pobox is only used to synthesize the message, the message is generated by,
and delivered to you by, eastmeadow.k12.ny.us

http://www.openspf.org/Best_Practices/Checking_at_border_MTAs

There is nothing you can do about this, and nothing pobox can do about this.
Post by a***@WPI.EDU
However, as a result of that bogus message, pobox has poisoned my email
address, even if I send email from a valid, SPF-correct, sending system.
I think this did not happen.
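
Added example (not part of the original thread, and not code from any poster): a minimal evaluator for the ip4 and all terms of the wpi.edu record quoted earlier in the thread, run at two hops to show why the same message passes SPF at the border MTA and fails when an internal host checks the relay's address. The hop names and the choice of 130.215.36.91 as the WPI outbound server are assumptions; include and mx terms need DNS and are skipped, which agrees with the observation above that none of them cover 65.254.18.67.

```python
import ipaddress

# wpi.edu record as quoted in the thread, with the console line wraps joined.
WPI_SPF = (
    "v=spf1 ip4:130.215.36.91 ip4:130.215.5.39 ip4:66.151.109.16 "
    "ip4:209.235.101.208/28 ip4:139.146.131.244/30 ip4:139.146.143.184/29 "
    "ip4:139.146.131.249/29 ip4:139.146.146.128/25 ip4:139.146.160.0/25 "
    "ip4:70.251.178.128/28 ip4:64.34.25.64/27 ip4:206.107.42.254 "
    "ip4:206.107.43.223 include:enomia.com ip4:206.72.127.0/24 -all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_ip4(record, client_ip):
    """Evaluate only the ip4 and all terms, left to right (offline subset)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            # strict=False: 139.146.131.249/29 is published with host bits set.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # include, mx, a, ... require DNS lookups and are skipped here.
    return "neutral"


# Constructed delivery path: (checking host, IP of the client connecting to it).
PATH = [
    ("border MTA", "130.215.36.91"),    # assumed WPI outbound server
    ("internal host", "65.254.18.67"),  # relay IP named in the 453 response
]


def verdicts(record, path):
    """SPF result each hop would reach if it ran the check itself."""
    return {host: check_ip4(record, ip) for host, ip in path}


if __name__ == "__main__":
    for host, result in verdicts(WPI_SPF, PATH).items():
        print(f"{host}: {result}")
```

Only the border verdict reflects the sender's policy; the internal one is a check of the receiver's own relay against that policy.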
a***@WPI.EDU
2014-02-06 00:55:46 UTC
alex> You are not sending to pobox, you are sending to eastmeadow.k12.ny.us

Yes, this was my misunderstanding. When they declined the message with the
pobox url, I thought pobox was involved.

alex> The problem is there; apparently they are relaying the message internally
alex> and then use the IP address of the relay to check against your SPF
alex> policy. Pobox is only used to synthesize the message, the message is
alex> generated by, and delivered to you by, eastmeadow.k12.ny.us

Ah. They give a pobox URL, describing the failure, but the pobox url will
construct a message based on its arguments, as you say... So, I should calm
down, it's not about me at all.

You're guessing that eastmeadow has an internal IP of that address. The IP
they reference is 65.254.18.67, named
host-65-254-18-67.static.longislandfiberexchange.net, but their edge MX is
76.12.176.181, which is somewhat different. Of course, I have no clue about
their architecture.

I should have looked about whether Eastmeadow, NY is on Long Island. Guess
what? It is. The eastmeadow/longislandfiber linkage seems very likely as you
suggest.

I'm all upset for no reason. Also, I guess they're not getting mail from
anybody with SPF, but that's their issue.
Alex van den Bogaerdt
2014-02-06 01:01:27 UTC
Post by a***@WPI.EDU
I'm all upset for no reason. Also, I guess they're not getting mail from
anybody with SPF, but that's their issue.
It's all very confusing but I think this is, indeed, what's going on.


This said, you may want to look at your TXT records as the total is too big
to fit in a UDP packet. This may cause problems in some cases, unrelated to
the case at hand.

cheers,
Alex