On 2024-12-06 at 12:40:03 UTC-0500 (Fri, 6 Dec 2024 11:40:03 -0600)
Bryan K. Walton via users <bwalton.24...@leepfrog.com>
is rumored to have said:
> I'm confused about how SpamAssassin processed an email that we received
> from the domain registrar, godaddy.com. Specifically, the rules fired
> on SPF_NONE, and I don't understand why. As you can see from the below
> headers, the return-path was donotre...@godaddy.com. Go Daddy does have
> an SPF record and farther down below, you can see that DMARC's own spf
> checks show that it passed. Indeed, the sending IP address is listed in
> their SPF record. The resulting SPF_NONE, then triggered a hit on
> some of Kevin's other rules, and resulted in this email getting
> miscategorized. I'm confused as to why/how this email would have had a
> hit on SPF_NONE.

This is most likely a problem with the large response to a TXT query for
godaddy.com. If your DNS resolver can't handle large responses (ideally
EDNS0=4096) that query gets truncated and would need to be retried via
TCP, as may the subsequent query for the included spf-0.godaddy.com TXT,
if your resolver doesn't support EDNS0 or TCP Retry.

DNS retries over TCP were added in v4.0.1, but may not have covered all
cases. You also may need to be running a reasonably current Net::DNS
module. There was recently (within the past 2 months) a bug reported
about SpamAssassin's queries not retrying in some cases and I don't
believe it was resolved; I do not have the time at the moment to hunt it
down. It should be findable with some searching of
https://bz.apache.org/SpamAssassin.

It is also possible that your trusted_networks and internal_networks
settings are causing SA to test SPF with the right client IP, but I
think that should hit one of the other SPF rules rather than SPF_NONE
and affect much more than just GoDaddy.

> Headers below.
>
> Thanks,
> Bryan
>
> Return-Path: <donotre...@godaddy.com>
> X-Original-To: postmas...@courseleaf.com
> Delivered-To: postmas...@courseleaf.com
> Received: from wrangell.leepfrog.com (wrangell.leepfrog.com [12.2.169.195])
>     (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>     key-exchange ECDHE (P-384) server-signature RSA-PSS (2048 bits)
>     server-digest SHA256)
>     (No client certificate requested)
>     by mojave.leepfrog.com (Postfix) with ESMTPS id 3CEEB8065C53
>     for <postmas...@courseleaf.com>; Thu, 5 Dec 2024 13:25:00 -0600 (CST)
> Received: from localhost (localhost [127.0.0.1])
>     by wrangell.leepfrog.com (Postfix) with ESMTP id 39FDD634CDC6
>     for <postmas...@courseleaf.com>; Thu, 5 Dec 2024 13:25:00 -0600 (CST)
> X-Quarantine-ID: <LnO19qvf0Ur0>
> X-Virus-Scanned: amavis at leepfrog.com
> X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
> X-Spam-Flag: YES
> X-Spam-Score: 7.373
> X-Spam-Level: *******
> X-Spam-Status: Yes, score=7.373 tagged_above=-9999 required=5
>     tests=[BAYES_50=0.8, DCC_CHECK=1.1, DMARC_PASS=-0.001,
>     FSL_BULK_SIG=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=3,
>     KAM_DMARC_STATUS=0.01, KAM_LAZY_DOMAIN_SECURITY=1, MIME_HTML_ONLY=0.1,
>     MISSING_DATE=1.36, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no
>     autolearn_force=no
> X-Spam-Languages: en
> Received: from wrangell.leepfrog.com ([127.0.0.1])
>     by localhost (wrangell.leepfrog.com [127.0.0.1]) (amavis, port 10024)
>     with ESMTP id LnO19qvf0Ur0 for <postmas...@courseleaf.com>;
>     Thu, 5 Dec 2024 13:24:55 -0600 (CST)
> Received: from osplemlrelay03.prod.phx3.secureserver.net
>     (osplemlrelay03.prod.phx3.secureserver.net [72.167.218.255])
>     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>     (No client certificate requested)
>     by wrangell.leepfrog.com (Postfix) with ESMTPS id D457E634CDB6
>     for <postmas...@courseleaf.com>; Thu, 5 Dec 2024 13:24:51 -0600 (CST)
> DMARC-Filter: OpenDMARC Filter v1.4.2 wrangell.leepfrog.com D457E634CDB6
> Authentication-Results: wrangell.leepfrog.com; dmarc=pass (p=reject dis=none)
>     header.from=godaddy.com
> Authentication-Results: wrangell.leepfrog.com; spf=pass
>     smtp.mailfrom=godaddy.com
> DKIM-Filter: OpenDKIM Filter v2.11.0 wrangell.leepfrog.com D457E634CDB6
> Authentication-Results: wrangell.leepfrog.com; dkim=none

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
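
The truncation case described in the reply above, as an added example that is not part of the original message and is not SpamAssassin or Net::DNS code: it builds a TXT query with and without an EDNS0 OPT record and shows that a lookup which does not honor the TC bit sees no SPF record at all. The function names and the example.com packets are constructed for illustration.

```python
import struct

TC = 0x0200  # "truncated" bit in the DNS header flags word

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_query(name, qid=0x1234, edns_size=None):
    """TXT query with RD set; edns_size appends an EDNS0 OPT record."""
    pkt = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    pkt += encode_name(name) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    if edns_size:  # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt

def skip_name(pkt, off):
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def spf_txt_lookup(pkt, retries_over_tcp):
    """Return ('tcp-retry', []), ('ok', [spf strings]) or ('none', [])."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    if flags & TC and retries_over_tcp:
        return "tcp-retry", []  # caller must repeat the query over TCP
    off, spf = 12, []
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        text, i = b"", 0
        while i < len(rdata):  # TXT rdata: length-prefixed character-strings
            text, i = text + rdata[i + 1:i + 1 + rdata[i]], i + 1 + rdata[i]
        if rtype == 16 and text.lower().startswith(b"v=spf1"):
            spf.append(text.decode("ascii", "replace"))
    return ("ok", spf) if spf else ("none", [])

# Constructed packets for example.com (not captured traffic, not GoDaddy's record).
QUESTION = encode_name("example.com") + struct.pack("!HH", 16, 1)
TRUNCATED = struct.pack("!6H", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION  # TC=1, no answers
RECORD = b"v=spf1 -all"
FULL = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + b"\xc0\x0c"
        + struct.pack("!HHIH", 16, 1, 300, len(RECORD) + 1) + bytes([len(RECORD)]) + RECORD)
```

Calling `spf_txt_lookup(TRUNCATED, retries_over_tcp=False)` yields `none` for a domain that does publish SPF, while the same packet with `retries_over_tcp=True` signals that the query has to be repeated over TCP.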