Re: [spfbis] SPF-checking tool

"Frank Bulk" <frnkblk@iname.com> Fri, 28 February 2020 05:37 UTC

From: Frank Bulk <frnkblk@iname.com>
To: 'Stuart D Gathman' <stuart@gathman.org>
Cc: spfbis@ietf.org, 'Scott Kitterman' <sklist@kitterman.com>
Date: Thu, 27 Feb 2020 23:35:21 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/0U1yxEfGzlsBrytacCtyg4SdS3g>

Thanks for your tool and this feedback.

I accept your 'lint' feedback on deerequipment.com -- but it is helpful to
be made aware of obvious redundancies.

Regarding visionnetusa.com and ghekkonetworks.com and zayo.com: it looks
like I need to do a plain check of the domain to check for certain errors?
Ideally I would have failures when performing the more complex checks, too.

I also understand your feedback on billtrust.com -- but it is helpful to be
made aware of this kind of problem.

Looks like you agree that with a simple and complex check the problems in
tivo.com get missed?

root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py tivo.com
v=spf1 include:_spf.tivo.com mx include:authsmtp.com
include:stspg-customer.com include:spf.protection.outlook.com
include:aspmx.pardot.com include:_spf.centercode.com ~all
root@nagios:/usr/local/bin/spfcheck#
root@nagios:/usr/local/bin/spfcheck# python spf.py 204.176.49.0
root@tivo.com tivo.com
result: ('pass', 250, 'sender SPF authorized') include:_spf.tivo.com
root@nagios:/usr/local/bin/spfcheck#
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
include:_spf.tivo.com mx include:authsmtp.com include:stspg-customer.com
include:spf.protection.outlook.com include:aspmx.pardot.com
include:_spf.centercode.com ~all" 204.176.49.0 postmaster@tivo.com
mail.tivo.com
result: ('pass', 250, 'sender SPF authorized') include:_spf.tivo.com
root@nagios:/usr/local/bin/spfcheck#


Looks like errors are missed with simple and complex check of nex-tech.com?
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py nex-tech.com
v=spf1 ip4:208.65.144.0/21 ip4:208.81.64.0/21 ip4:24.225.0.0/25
ip4:24.225.11.128/25 ip4:24.225.12.66 ip4:52.240.150.170
include:amazonses.com a:dispatch-us.ppe-hosted.com
include:449074.spf10.hubspotemail.net include:_spf.bigcommerce.com
include:azure.quotevalet.com include:spf.protection.outlook.com a -all
root@nagios:/usr/local/bin/spfcheck#
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
ip4:208.65.144.0/21 ip4:208.81.64.0/21 ip4:24.225.0.0/25
ip4:24.225.11.128/25 ip4:24.225.12.66 ip4:52.240.150.170
include:amazonses.com a:dispatch-us.ppe-hosted.com
include:449074.spf10.hubspotemail.net include:_spf.bigcommerce.com
include:azure.quotevalet.com include:spf.protection.outlook.com a -all"
208.65.144.0 postmaster@nex-tech.com mail.nex-tech.com
result: ('pass', 250, 'sender SPF authorized') ip4:208.65.144.0/21
root@nagios:/usr/local/bin/spfcheck#

Regards,

Frank 

-----Original Message-----
From: Stuart D Gathman <stuart@gathman.org> 
Sent: Thursday, February 27, 2020 1:53 PM
To: Frank Bulk <frnkblk@iname.com>
Cc: spfbis@ietf.org; 'Scott Kitterman' <sklist@kitterman.com>
Subject: Re: [spfbis] SPF-checking tool



On Thu, 27 Feb 2020, Frank Bulk wrote:

> Perhaps I'm using an old version of that Python script, but here are some
> examples.  My best guess is that the python script stops as soon as it
> passes the check, but doesn't evaluate the whole record.
>
>
> deerequipment.com: Dmarcian notes "The target name for
> "include:spf.protection.outlook.com" equals an already evaluated "include"
> mechanism / "redirect" modifier."

That is not an error.  That is more of a "lint" feature.

> visionnetusa.com: Dmarcian notes "Multiple SPF records found for
> "visionnetusa.com". There should only be one."

$ python spf.py visionnetusa.com
PermError:  Two or more type TXT spf records found.

> ghekkonetworks.com: Dmarcian notes "Multiple SPF records found for
> "ghekkonetworks.com". There should only be one."

$ python spf.py ghekkonetworks.com
PermError:  Two or more type TXT spf records found.

>
> billtrust.com: Dmarcian notes " A DMARC record was detected under
> "billtrust.com". DMARC records must be located at "_dmarc.billtrust.com",
> and not directly at "billtrust.com". If DMARC was set up as a wildcard
> record, that should be removed and placed only at the domain level."

SPF doesn't do DMARC.

> zayo.com: Dmarcian notes "12 DNS lookups required to evaluate the SPF
> record. The maximum is 10."

$ python spf.py 1.2.3.4 root@zayo.com zayo.com
result: ('permerror', 550, 'SPF Permanent Error: Too many DNS lookups')
None

Granted, the description should include the count.  Fixing now...

> tivo.com: Dmarcian notes:
> 	Error! 30 DNS lookups required to evaluate the SPF record. The
> maximum is 10.
> 	Error! SPF record is present, but invalid.
> root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
> include:_spf.tivo.com mx include:authsmtp.com include:stspg-customer.com
> include:spf.protection.outlook.com include:aspmx.pardot.com
> include:_spf.centercode.com ~all" 204.176.49.0 postmaster@tivo.com
> mail.tivo.com
> result: ('pass', 250, 'sender SPF authorized') include:_spf.tivo.com
> root@nagios:/usr/local/bin/spfcheck#

Here's one Dmarc missed in the horribly perverted tivo.com policy (the 
sheer size of the trace should make tivo immediately erase their policy
and start over).

$ python spf.py -v 1.2.3.4 root@tivo.com tivo.com
result= ('tivo.com', 'TXT') ['v=spf1 include:_spf.tivo.com mx
include:authsmtp.com include:stspg-customer.com
include:spf.protection.outlook.com include:aspmx.pardot.com
include:_spf.centercode.com ~all']
addcache= ('tivo.com', 'TXT') ['v=spf1 include:_spf.tivo.com mx
include:authsmtp.com include:stspg-customer.com
include:spf.protection.outlook.com include:aspmx.pardot.com
include:_spf.centercode.com ~all']
top: tivo.com "v=spf1 include:_spf.tivo.com mx include:authsmtp.com
include:stspg-customer.com include:spf.protection.outlook.com
include:aspmx.pardot.com include:_spf.centercode.com ~all"
result= ('_spf.tivo.com', 'TXT') ['v=spf1
include:_spf_netblocks1.tivo.com include:_spf_netblocks2.tivo.com
include:_spf_netblocks3.tivo.com include:_spf.jobvite.com
include:_spf.salesforce.com include:us._netblocks.mimecast.com
include:us.confirmit.com a:secmail.ultipro.com ~all']
addcache= ('_spf.tivo.com', 'TXT') ['v=spf1
include:_spf_netblocks1.tivo.com include:_spf_netblocks2.tivo.com
include:_spf_netblocks3.tivo.com include:_spf.jobvite.com
include:_spf.salesforce.com include:us._netblocks.mimecast.com
include:us.confirmit.com a:secmail.ultipro.com ~all']
include: _spf.tivo.com "v=spf1 include:_spf_netblocks1.tivo.com
include:_spf_netblocks2.tivo.com include:_spf_netblocks3.tivo.com
include:_spf.jobvite.com include:_spf.salesforce.com
include:us._netblocks.mimecast.com include:us.confirmit.com
a:secmail.ultipro.com ~all"
result= ('_spf_netblocks1.tivo.com', 'TXT') ['v=spf1 ip4:204.176.49.0/24
ip4:209.34.86.213/31 ip4:208.73.180.0/22 ip4:69.25.59.161
ip4:198.61.141.237 ip4:216.23.184.197 ip4:207.38.45.154
ip4:204.14.232.64/28 ip4:202.129.242.64/31 ip4:156.45.254.11 ~all']
addcache= ('_spf_netblocks1.tivo.com', 'TXT') ['v=spf1
ip4:204.176.49.0/24 ip4:209.34.86.213/31 ip4:208.73.180.0/22
ip4:69.25.59.161 ip4:198.61.141.237 ip4:216.23.184.197 ip4:207.38.45.154
ip4:204.14.232.64/28 ip4:202.129.242.64/31 ip4:156.45.254.11 ~all']
include: _spf_netblocks1.tivo.com "v=spf1 ip4:204.176.49.0/24
ip4:209.34.86.213/31 ip4:208.73.180.0/22 ip4:69.25.59.161
ip4:198.61.141.237 ip4:216.23.184.197 ip4:207.38.45.154
ip4:204.14.232.64/28 ip4:202.129.242.64/31 ip4:156.45.254.11 ~all"
result= ('_spf_netblocks2.tivo.com', 'TXT') ['v=spf1
ip4:65.213.152.14/31 ip4:216.136.162.124/31 ip4:156.45.254.31
ip4:156.45.254.32/29 ip4:50.57.43.233 ip4:64.78.17.176 ip4:65.17.254.100
ip4:65.17.254.108/31 ip4:63.131.159.146 ~all']
addcache= ('_spf_netblocks2.tivo.com', 'TXT') ['v=spf1
ip4:65.213.152.14/31 ip4:216.136.162.124/31 ip4:156.45.254.31
ip4:156.45.254.32/29 ip4:50.57.43.233 ip4:64.78.17.176 ip4:65.17.254.100
ip4:65.17.254.108/31 ip4:63.131.159.146 ~all']
include: _spf_netblocks2.tivo.com "v=spf1 ip4:65.213.152.14/31
ip4:216.136.162.124/31 ip4:156.45.254.31 ip4:156.45.254.32/29
ip4:50.57.43.233 ip4:64.78.17.176 ip4:65.17.254.100 ip4:65.17.254.108/31
ip4:63.131.159.146 ~all"
result= ('_spf_netblocks3.tivo.com', 'TXT') ['v=spf1 ip4:63.131.159.151
ip4:216.157.16.107 ip4:216.136.162.123 ip4:207.106.123.26
ip4:192.237.163.108 ip4:66.150.161.30 ip4:108.166.45.120
ip4:50.31.43.169 ip4:50.57.175.27 ip4:166.78.203.73
include:_spf_o365.tivo.com ~all']
addcache= ('_spf_netblocks3.tivo.com', 'TXT') ['v=spf1
ip4:63.131.159.151 ip4:216.157.16.107 ip4:216.136.162.123
ip4:207.106.123.26 ip4:192.237.163.108 ip4:66.150.161.30
ip4:108.166.45.120 ip4:50.31.43.169 ip4:50.57.175.27 ip4:166.78.203.73
include:_spf_o365.tivo.com ~all']
include: _spf_netblocks3.tivo.com "v=spf1 ip4:63.131.159.151
ip4:216.157.16.107 ip4:216.136.162.123 ip4:207.106.123.26
ip4:192.237.163.108 ip4:66.150.161.30 ip4:108.166.45.120
ip4:50.31.43.169 ip4:50.57.175.27 ip4:166.78.203.73
include:_spf_o365.tivo.com ~all"
result= ('_spf_o365.tivo.com', 'TXT') ['v=spf1
include:_spf_netblockso.tivo.com include:_spf_netblockso2.tivo.com
include:_spf_netblockso3.tivo.com ~all']
addcache= ('_spf_o365.tivo.com', 'TXT') ['v=spf1
include:_spf_netblockso.tivo.com include:_spf_netblockso2.tivo.com
include:_spf_netblockso3.tivo.com ~all']
include: _spf_o365.tivo.com "v=spf1 include:_spf_netblockso.tivo.com
include:_spf_netblockso2.tivo.com include:_spf_netblockso3.tivo.com
~all"
result= ('_spf_netblockso.tivo.com', 'TXT') ['v=spf1 ip4:13.111.0.0/22
ip4:13.111.53.0/24 ip4:13.111.54.0/24 ip4:23.253.182.103
ip4:23.253.183.145 ip4:23.253.183.146/31 ip4:23.253.183.148
ip4:23.253.183.150 ip4:50.31.43.169 ip4:50.57.43.233 ip4:50.57.175.27
~all']
addcache= ('_spf_netblockso.tivo.com', 'TXT') ['v=spf1 ip4:13.111.0.0/22
ip4:13.111.53.0/24 ip4:13.111.54.0/24 ip4:23.253.182.103
ip4:23.253.183.145 ip4:23.253.183.146/31 ip4:23.253.183.148
ip4:23.253.183.150 ip4:50.31.43.169 ip4:50.57.43.233 ip4:50.57.175.27
~all']
include: _spf_netblockso.tivo.com "v=spf1 ip4:13.111.0.0/22
ip4:13.111.53.0/24 ip4:13.111.54.0/24 ip4:23.253.182.103
ip4:23.253.183.145 ip4:23.253.183.146/31 ip4:23.253.183.148
ip4:23.253.183.150 ip4:50.31.43.169 ip4:50.57.43.233 ip4:50.57.175.27
~all"
result= ('_spf_netblockso2.tivo.com', 'TXT') ['v=spf1 ip4:54.240.0.0/18
ip4:62.13.128.0/24 ip4:62.13.129.128/25 ip4:62.13.136.0/21
ip4:62.13.144.0/21 ip4:62.13.152.0/23 ip4:63.128.21.0/24
ip4:63.131.159.146 ip4:63.131.159.151 ip4:64.78.17.176 ip4:65.17.254.100
~all']
addcache= ('_spf_netblockso2.tivo.com', 'TXT') ['v=spf1
ip4:54.240.0.0/18 ip4:62.13.128.0/24 ip4:62.13.129.128/25
ip4:62.13.136.0/21 ip4:62.13.144.0/21 ip4:62.13.152.0/23
ip4:63.128.21.0/24 ip4:63.131.159.146 ip4:63.131.159.151
ip4:64.78.17.176 ip4:65.17.254.100 ~all']
include: _spf_netblockso2.tivo.com "v=spf1 ip4:54.240.0.0/18
ip4:62.13.128.0/24 ip4:62.13.129.128/25 ip4:62.13.136.0/21
ip4:62.13.144.0/21 ip4:62.13.152.0/23 ip4:63.128.21.0/24
ip4:63.131.159.146 ip4:63.131.159.151 ip4:64.78.17.176 ip4:65.17.254.100
~all"
result= ('_spf_netblockso3.tivo.com', 'TXT') ['v=spf1
ip4:65.17.254.108/31 ip4:65.213.152.14/31 include:
spf.protection.outlook.com ~all']
addcache= ('_spf_netblockso3.tivo.com', 'TXT') ['v=spf1
ip4:65.17.254.108/31 ip4:65.213.152.14/31 include:
spf.protection.outlook.com ~all']
include: _spf_netblockso3.tivo.com "v=spf1 ip4:65.17.254.108/31
ip4:65.213.152.14/31 include: spf.protection.outlook.com ~all"
result: ('permerror', 550, 'SPF Permanent Error:
_spf_netblockso3.tivo.com empty domain:: include:') None
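
The gap discussed in this thread, as an added example (not part of either message and not pyspf's code): an evaluation for a client IP that matches early returns 'pass' before later terms are read, while a lint walks every term of every included record. The sketch below does the lint walk over constructed TXT data and reports multiple records, an empty include: domain, repeated includes and the count of lookup-causing terms, which is an upper bound on what one evaluation would perform. ZONE, lint_spf and all domain names are assumptions made for the example.

```python
import re

# Constructed TXT data standing in for DNS; every name here is hypothetical.
ZONE = {
    "example.test": ["unrelated-verification=abc",
                     "v=spf1 include:_spf.example.test mx include:_o365.example.test "
                     "include:_spf.example.test ~all"],
    "_spf.example.test": ["v=spf1 ip4:192.0.2.0/24 a:mail.example.test ~all"],
    "_o365.example.test": ["v=spf1 ip4:198.51.100.0/24 include: spf.vendor.test ~all"],
    "dup.test": ["v=spf1 -all", "v=spf1 ~all"],
}
MECHS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}
COUNTED = {"a", "mx", "ptr", "exists", "include", "redirect"}  # RFC 7208 section 4.6.4

def lint_spf(domain, txt=ZONE.get, limit=10):
    """Walk the whole policy tree with no client IP, so nothing stops at a match."""
    problems, seen, lookups = [], set(), 0

    def walk(name, path):
        nonlocal lookups
        records = [r for r in txt(name) or [] if r.lower().split()[:1] == ["v=spf1"]]
        if len(records) != 1:
            problems.append(f"{name}: {len(records)} SPF records found, expected 1")
            return
        for term in records[0].split()[1:]:
            mech, sep, arg = re.match(r"[+\-~?]?([^:=/]*)([:=/]?)(.*)", term.lower()).groups()
            if sep != "=" and mech not in MECHS:
                problems.append(f"{name}: unknown mechanism {term!r}")
                continue
            if mech in ("include", "redirect") and not arg:
                problems.append(f"{name}: empty domain in {term!r}")
                continue
            if mech in COUNTED:
                lookups += 1
            if mech in ("include", "redirect"):
                if arg in path:
                    problems.append(f"{name}: {term} loops back to {arg}")
                    continue
                if arg in seen:
                    problems.append(f"{name}: {term} repeats an already evaluated target")
                seen.add(arg)
                walk(arg, path + [arg])

    walk(domain, [domain])
    if lookups > limit:
        problems.append(f"{domain}: {lookups} DNS lookups required, maximum is {limit}")
    return lookups, problems
```

To run it against live DNS, pass a txt callable that returns the list of TXT strings for a name in place of ZONE.get.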