[SOLVED] - Zimbra 8.8.15 - SpamAssassin not checking SPF for incoming email (part of them)


Post by lovelord »

Hello everybody admins,

I'm a little bit confused because I've just discovered that my Zimbra main install in office is not checking SPF for incoming email (through spamassassin), not for all incoming messages (at least).

Let me explain the scenario:
Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P33
The relevant part of my sauser.cf file is the following:

Code:

ifplugin Mail::SpamAssassin::Plugin::SPF

score SPF_PASS -0.01
score SPF_NEUTRAL 0
score SPF_FAIL 2.0
score SPF_SOFTFAIL 1.0
score SPF_NONE 4.0

score SPF_HELO_PASS -0.01
score SPF_HELO_NEUTRAL 0
score SPF_HELO_FAIL 2.0
score SPF_HELO_SOFTFAIL 1.0
score SPF_HELO_NONE 2.0
score T_SPF_HELO_TEMPERROR 0.1
score T_SPF_TEMPERROR 0.1

header   T_LOCAL_VALID      subject =~ /test/i
describe T_LOCAL_VALID      A test rule to see if an if block is executing
score    T_LOCAL_VALID      -0.1

endif

I've inserted that T_LOCAL_VALID rule to validate plugin loading. I tested it and it works, but even grepping zimbra.log (AmavisLogLevel is already set to 2) we can see that the module is loaded regularly on amavisd startup:

Code:

grep SPF /var/log/zimbra.log|grep Module
Sep 20 15:31:15 mail amavis[15475]: Module Mail::SPF           v2.009

GMAIL -> ZIMBRA TEST EMAIL

As you can see, sending an email from Gmail to my personal email (the one on the server I'm testing), it is pretty obvious that T_SPF_HELO_TEMPERROR & T_SPF_TEMPERROR are scored; even the T_LOCAL_VALID score is flagged, so the module is loaded and the score is set up through spamassassin (sanitized email addresses):

Code:

Sep 20 15:27:50 mail amavis[10639]: (10639-02) spam-tag, <example@gmail.com> -> <example@domain.com>, No, score=4.492 required=6 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.01, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=2, FSL_BULK_SIG=0.001, HTML_MESSAGE=0.001, PYZOR_CHECK=2.5, T_LOCAL_VALID=-0.1, T_SPF_HELO_TEMPERROR=0.1, T_SPF_TEMPERROR=0.1] autolearn=disabled

Why do I receive no SPF_HELO_PASS or SPF_PASS score at all? I tried to do the reject test too, forging the email address from Thunderbird and using an MTA not allowed for that domain (the forged one), but even in this case there is no SPF_FAIL score at all.

OUTLOOK.COM -> ZIMBRA TEST EMAIL

Code:

Sep 20 15:56:58 mail amavis[4596]: (04596-12) spam-tag, <example@outlook.com> -> <example@domain.com>, No, score=4.591 required=6 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.01, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=2, HTML_MESSAGE=0.001, PYZOR_CHECK=2.5, T_SPF_HELO_TEMPERROR=0.1, T_SPF_TEMPERROR=0.1] autolearn=disabled

ZIMBRA SERVER ACCOUNT (external server) -> ZIMBRA TEST EMAIL

Using another Zimbra server as sender (same version 8.8.15), it seems that the SPF check is done correctly:

Code:

Sep 20 15:53:19 mail amavis[1496]: (01496-12) spam-tag, <external@zimbra.com> -> <example@domain.com>, No, score=3.582 required=6 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.01, DKIM_VALID_AU=-0.1, DMARC_PASS_QUAR=-1, FSL_BULK_SIG=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.1, PYZOR_CHECK=2.5, SPF_HELO_NONE=2, SPF_PASS=-0.01] autolearn=disabled

As you can see, in this case the DMARC_PASS_QUAR score is applied too, which is not true for GMAIL nor OUTLOOK.COM (why?)

For testing purposes I've replicated THE EXACT SAME TESTS on a 2nd Zimbra install, the external one, based on the same version (without any spamassassin customization at all) and the result is absolutely IDENTICAL.

Can you please help me with this rebus?

Kind regards,
Andrea
Last edited by lovelord on Tue Sep 27, 2022 7:16 am, edited 1 time in total.

Post by lovelord »

SPAM EMAIL EXAMPLE
(sanitized)

Code:

Return-Path: <secrettechnique@jokefund.ru.com>
Received: from mail.example.com (LHLO mail.example.com) (1.2.3.4) by
 mail.example.com with LMTP; Tue, 20 Sep 2022 16:24:08 +0200 (CEST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.example.com (Postfix) with ESMTP id DB265820756
	for <example@domain.com>; Tue, 20 Sep 2022 16:24:07 +0200 (CEST)
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: 2.936
X-Spam-Level: **
X-Spam-Status: No, score=2.936 required=6 tests=[HTML_MESSAGE=0.001,
	HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=0.1, RDNS_NONE=2,
	T_SPF_HELO_TEMPERROR=0.1, T_SPF_TEMPERROR=0.1] autolearn=disabled
Received: from mail.example.com ([127.0.0.1])
	by localhost (mail.example [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id hK51qk9VGfUA for <example@domain.com>;
	Tue, 20 Sep 2022 16:24:06 +0200 (CEST)
Received: from jokefund.ru.com (unknown [107.179.64.231])
	by mail.example.com (Postfix) with ESMTP id A2E2F820749
	for <example@domain.com>; Tue, 20 Sep 2022 16:24:06 +0200 (CEST)
Date: Tue, 20 Sep 2022 09:18:02 -0500
From: "SECRET-Techniques" <secrettechnique@jokefund.ru.com>
MIME-Version: 1.0
Precedence: bulk
To: <example@domain.com>
Subject: Learn The SECRET Techniques Most Men Will never Know!
Message-ID: <9TvWXtu3KIx9aDYofLkO2j8CH8xv_HPcBFMhmJf9TzM.I1zqMcfp7Qzv0HkKBGqyOVXIl2LsizCZuhH_-_jOR6Y@jokefund.ru.com>
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit


As you can see, this is pretty spam. I've done an nslookup for TXT records in jokefund.ru.com and those funny people have an SPF record set up, so it is ok to accept this and score, but no score at all is here in the header! I'd like to have a SPF_PASS here, and maybe a DMARC tag too.

Server predefinito: one.one.one.one
Address: 1.1.1.1

> set q=txt
> jokefund.ru.com
Server: one.one.one.one
Address: 1.1.1.1

Risposta da un server non autorevole:
jokefund.ru.com text =

"v=spf1 a mx ptr ip4:107.179.64.231 ~all"
>

They have no RDNS setup:

Server predefinito: one.one.one.one
Address: 1.1.1.1

> set q=ptr
> 231.64.179.107.in-addr.arpa
Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one non è in grado di trovare 231.64.179.107.in-addr.arpa: Non-existent domain
>

so it is ok to obtain a RDNS_NONE score.

What the heck do those tags stand for: T_SPF_HELO_TEMPERROR, T_SPF_TEMPERROR? Are they relevant, and why are they present and not the SPF_XXX tags?

Post by lovelord »

Good morning everybody, does anybody have the possibility to help or reply with their own tests? It will help me a lot.

Thanks anybody taking care about it.

A.

Post by phoenix »

That domain does have an SPF record but the problem is that it has two SPF records and one of them is invalid. I'm not an expert but I'd guess that might be part of the problem. FWIW, in my rspamd system the headers that you've provided do show that as spam. You might like to ask on a spamassassin forum about the problem with duplicate SPF records.

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra

Post by lovelord »

phoenix wrote: That domain does have an SPF record but the problem is that it has two SPF records and one of them is invalid. I'm not an expert but I'd guess that might be part of the problem. FWIW, in my rspamd system the headers that you've provided do show that as spam. You might like to ask on a spamassassin forum about the problem with duplicate SPF records.

Hi Phoenix,
thanks for your time. Referring to the test spam email from jokefund.ru.com, you're totally right (they have now published a 2nd TXT record that was not present before, when I tested); the bold one has the ip4 statement with a typo (or intentional, I don't know).


jokefund.ru.com text =

"v=spf1 a mx ptr ip4:23.228.104.165 ~all"
jokefund.ru.com text =

"v=spf1 a mx ptr ip:23.228.104.165 ~all"


Prolly, this can "confuse" spamassassin, and it doesn't intervene with any score at all (it should be), I'll dig on this error as you suggested in a specific SA's forum.

What do you think instead on the problem reported in the 1st post where SA doesn't score from outside big names providers, but scored SPF if I'm sending from another Zimbra environment (adding even DMARC score)? It is very strange to me...
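How RFC 7208 treats the two TXT records quoted in the post above, as an added example that is not part of the thread and not SpamAssassin's or Mail::SPF's code. It covers record selection (section 4.5) and term syntax only; the function names are hypothetical.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^[+\-~?]?([A-Za-z][A-Za-z0-9._-]*)([:/=]?)(.*)$")

def select_record(txt_records):
    """RFC 7208 section 4.5: a domain must publish exactly one v=spf1 record."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None
    return "ok", spf[0]

def term_errors(record):
    """Return syntax problems in the terms that follow the version tag."""
    errors = []
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            errors.append(f"unparseable term {term!r}")
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "=":
            continue  # modifier (redirect=, exp=); unknown modifiers are ignored
        if name not in MECHANISMS:
            errors.append(f"unknown mechanism {term!r}")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                ok = sep == ":" and net.version == int(name[2])
            except ValueError:
                ok = False
            if not ok:
                errors.append(f"bad address in {term!r}")
    return errors

def evaluate(txt_records):
    status, record = select_record(txt_records)
    if status != "ok":
        return status, []
    errors = term_errors(record)
    return ("permerror" if errors else "ok"), errors

# The two TXT records quoted in the post above.
GOOD = "v=spf1 a mx ptr ip4:23.228.104.165 ~all"
TYPO = "v=spf1 a mx ptr ip:23.228.104.165 ~all"
print(evaluate([GOOD, TYPO]), evaluate([TYPO]))
```

Both outcomes are permanent errors under the RFC, which is a different result class from the T_SPF_TEMPERROR hits in the logs earlier in the thread.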

Post by lovelord »

Finally I solved it!

Just to let everybody know, if you receive tags like these

T_SPF_HELO_TEMPERROR
T_SPF_TEMPERROR

it means your DNS resolution is not working properly!

I've found the solution thanks to this external forum. Please check your /etc/resolv.conf and consider modifying sauser.cf using the dns_server directive if needed in your setup.

I hope this can help someone else to solve.

Have a nice day,
Andrea
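A way to spot the symptom described in this thread across a whole zimbra.log, as an added example that is not part of the original posts: it parses amavisd spam-tag lines and reports which messages hit only the TEMPERROR rules. The function names are hypothetical and the sample lines are abridged from the logs quoted in the first post.

```python
import re
from collections import Counter

# amavisd-new "spam-tag" line: sender, recipient, then tests=[NAME=score, ...]
SPAM_TAG = re.compile(
    r"spam-tag, <(?P<sender>[^>]*)> -> <[^>]*>,.*?tests=\[(?P<tests>[^\]]*)\]"
)
TEMPERROR = {"T_SPF_TEMPERROR", "T_SPF_HELO_TEMPERROR"}

def spf_rules(line):
    """Return (sender, set of SPF rule names that hit), or None for other lines."""
    m = SPAM_TAG.search(line)
    if m is None:
        return None
    names = {t.split("=")[0].strip() for t in m.group("tests").split(",")}
    return m.group("sender"), {n for n in names if n.startswith(("SPF_", "T_SPF_"))}

def classify(spf):
    if spf & TEMPERROR:
        return "temperror"  # SPF lookup failed: check the resolver SpamAssassin uses
    return "evaluated" if spf else "no-spf-rule"

def summarize(lines):
    """Count spam-tag lines per SPF status and list senders hit by temperror."""
    counts, affected = Counter(), []
    for line in lines:
        parsed = spf_rules(line)
        if parsed is None:
            continue
        sender, spf = parsed
        status = classify(spf)
        counts[status] += 1
        if status == "temperror":
            affected.append(sender)
    return counts, affected

# Abridged from the log lines quoted in the first post (test lists shortened).
SAMPLE_LOG = [
    "Sep 20 15:27:50 mail amavis[10639]: (10639-02) spam-tag, <example@gmail.com> -> <example@domain.com>, No, score=4.492 required=6 tests=[DKIM_VALID=-0.01, T_SPF_HELO_TEMPERROR=0.1, T_SPF_TEMPERROR=0.1] autolearn=disabled",
    "Sep 20 15:56:58 mail amavis[4596]: (04596-12) spam-tag, <example@outlook.com> -> <example@domain.com>, No, score=4.591 required=6 tests=[DKIM_VALID=-0.01, T_SPF_HELO_TEMPERROR=0.1, T_SPF_TEMPERROR=0.1] autolearn=disabled",
    "Sep 20 15:53:19 mail amavis[1496]: (01496-12) spam-tag, <external@zimbra.com> -> <example@domain.com>, No, score=3.582 required=6 tests=[DMARC_PASS_QUAR=-1, SPF_HELO_NONE=2, SPF_PASS=-0.01] autolearn=disabled",
    "Sep 20 15:31:15 mail amavis[15475]: Module Mail::SPF           v2.009",
]

if __name__ == "__main__":
    counts, affected = summarize(SAMPLE_LOG)
    print(dict(counts), affected)
```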