172.20.8.86 is in a private network. Do you trust it? Control it? In any case, it appears that Trusted/Internal networks are not set up correctly. You need to provide more information about your setup and the forwarder.
Dan

-----Original Message-----
From: Brian Wilson [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 7:48 AM
To: Paul Hurley
Cc: users@spamassassin.apache.org
Subject: Re: Problem with forwarding and SPF

On Mar 19, 2007, at 5:22 AM, Paul Hurley wrote:

Hello all,

Happy Pi day for last week...

I'm running Spam Assassin V3.1.7.0 via SAProxy for Win32 (http://sourceforge.net/projects/sawin32/). I've recently implemented SPF for my domain, which is working well. However I have a problem with SPF on email I receive. I have a few old email accounts that use forwarding into my current account. These generate false SPF failures because of the forward (see below, this is a recruitment email that is ham to me).

Now I could create a rule for mail received from 172.20.8.86 and a meta rule that cancelled out mail that hit SPF fails and the received rule, but that essentially means turning off SPF for that domain.

Any better ideas?

Thanks

Paul.

<quote>
This mail is probably spam. The original message has been attached intact in RFC 822 format.

Content preview: Employers of Choice Employers of choice New Scientist Jobs Employers of Choice are organisations that are searching for the best science and technology jobseekers. Do you fit their brief? To find out more details and view any current vacancies from the organisations below, just click on their logo. To search for a specific job visit NewScientistJobs.com [...]

Content analysis details: (6.5 points, 6.0 required)

 0.1 cust_LOCAL_TO_RCVD  Found Received: after the To:
 0.0 RM_hc_HTML          Email is text/html format
-0.0 PH_TO_PAULH         Has Paul.Hurley@ in To:
 1.4 SPF_SOFTFAIL        SPF: sender does not match SPF record (softfail)
                         [SPF failed: Please see http://spf.pobox.com/why.html?sender=newscientistjobs%40email.newscientist.com&ip=172.20.8.86&receiver=casseopia]
 0.5 DATE_IN_PAST_03_06  Date: is 3 to 6 hours before Received: date
 0.1 PH_BODY_LERA        BODY: Body contains a gappy version of 'le..ra'
 0.1 HTML_MESSAGE        BODY: HTML included in message
 0.0 BAYES_50            BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]
 0.0 MIME_HTML_ONLY      BODY: Message only has text/html MIME parts
 0.0 RM_rb_ANCHOR        RAW: Testing for HTML end of anchor in emails
 0.0 RM_rb_TITLE         RAW: Testing for HTML title in emails
 0.0 RM_rb_HTML          RAW: Testing for HTML tag in emails
 0.0 RM_rb_BREAK         RAW: Testing for HTML Break in emails
 0.0 RM_rb_FONT          RAW: Testing for HTML Font tag in emails
 0.0 RM_rb_PARA          RAW: Testing for HTML Paragraph in emails
 4.0 DCC_CHECK           Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in abuse.rfc-ignorant.org
 0.1 AWL                 AWL: From: address is in the auto white-list

The original message was not completely plain text and may be unsafe to open with some email clients; in particular, it may contain a virus or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

--------------------------------------------------------------------------
Subject: Employers of choice
From: "New Scientist Jobs"<[EMAIL PROTECTED]>
Date: Mon, 12 Mar 2007 14:18:24 +0000 (GMT)
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 29777 invoked from network); 12 Mar 2007 18:31:30 -0000
Received: from smtp-a02.internal.boltblue.com (HELO smtp.boltblue.com) ([172.20.8.86])
    (envelope-sender <[EMAIL PROTECTED]>)
    by bblite.backend.boltblue.com (qmail-ldap-1.03) with SMTP
    for <[EMAIL PROTECTED]>; 12 Mar 2007 18:31:30 -0000
Received: (qmail 92833 invoked from network); 12 Mar 2007 17:22:47 -0000
Received: from unknown (HELO mta1.primary.edc.dartmail.net) (216.73.95.131)
    by smtp-a02.boltblue.com with SMTP; 12 Mar 2007 17:22:47 -0000
Message-ID: <[EMAIL PROTECTED]>

Unless you manage DNS for newscientist.com then you're SOL. SPF has to deal with verifying that the sending party's IP address is authorized to send email from that particular domain (newscientist.com) and does not have to do anything with your domain or domains that forward to your email address unless you are sending the message. Click the link where SPF failed and read.

-B
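
Added example (not part of the thread, and not SpamAssassin's own code): a simplified Python model of why the trusted/internal network setup raised at the top of the thread changes which relay SPF is checked against. It walks the Received headers quoted above (trimmed of the redacted addresses) and picks the first relay outside the trusted set; the function names and the /32 network are assumptions made for the illustration.

```python
import ipaddress
import re

# Received headers from the message quoted in the thread, newest first.
# Trimmed: the redacted envelope-sender and recipient parts are left out.
RECEIVED = [
    "(qmail 29777 invoked from network); 12 Mar 2007 18:31:30 -0000",
    "from smtp-a02.internal.boltblue.com (HELO smtp.boltblue.com) ([172.20.8.86]) "
    "by bblite.backend.boltblue.com (qmail-ldap-1.03) with SMTP; 12 Mar 2007 18:31:30 -0000",
    "(qmail 92833 invoked from network); 12 Mar 2007 17:22:47 -0000",
    "from unknown (HELO mta1.primary.edc.dartmail.net) (216.73.95.131) "
    "by smtp-a02.boltblue.com with SMTP; 12 Mar 2007 17:22:47 -0000",
]

# Connecting IP as qmail records it: (1.2.3.4) or ([1.2.3.4]).
RELAY_IP = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def relay_ips(received):
    """Return the connecting-client IPs of 'from ...' headers, newest first."""
    ips = []
    for header in received:
        if not header.lstrip().startswith("from "):
            continue  # qmail's "(qmail N invoked ...)" lines name no relay
        match = RELAY_IP.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def spf_client_ip(received, trusted):
    """Pick the IP to evaluate SPF against: the first relay, walking from the
    newest header, that is outside every trusted network (None if all are trusted)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in relay_ips(received):
        if not any(ip in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    # Nothing trusted: SPF sees the forwarder's private address, as in the report.
    print("no trusted relays :", spf_client_ip(RECEIVED, []))
    # Forwarder trusted (assumed /32): SPF sees the relay that handed mail to it.
    print("forwarder trusted :", spf_client_ip(RECEIVED, ["172.20.8.86/32"]))
```

Trusting a relay means believing the Received header it wrote, so this only makes sense for a forwarder you control or trust.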