Re: [exim] advanced SPF Checking

Author: James Gibbard
Date:  
To: exim-users
Subject: Re: [exim] advanced SPF Checking
Untested, but you should be able to do something like this perhaps?


# set acl variable to result of SPF lookup.
spf_test:
  warn  set acl_m_spfrec = ${lookup dnsdb{txt=$sender_address_domain}{$value}}

  # deny if result is +all
  deny  condition   = ${if match {$acl_m_spfrec}{\\+all}}
        message     = Invalid SPF record detected.
        log_message = SPF denied due to +all presence.


I don't use spfquery myself, but I'd assume there is not a way to do
this with that.

Jamie

On Fri, Jul 1, 2016 at 1:30 PM, Cyborg <cyborg2@???> wrote:
> Hi,
>
> As I'm implementing SPF checks atm, I came across this log entry from
> Google:
>
> 2016-06-29 14:21:07 1bIEUB-0002yU-TK SMTP error from remote mail server
> after end of data: 421-4.7.0 [XXXXXXX] The SPF record of the sending
> domain has one or\n421-4.7.0 more suspicious entries. To protect our
> users from spam, mail sent\n421-4.7.0 from your IP address has been
> temporarily rate limited. Please visit\n421-4.7.0
> https://support.google.com/mail/answer/81126#authentication for
> more\n421 4.7.0 information. 78si4520019iol.86 - gsmtp
>
> The SPF record looks like this:     "v=spf1 +all"
>
> Which means roughly: "I don't care about my email servers, I like to be
> spammed with my own domain."
>
>
> Problem is, with my current spfquery check, this SPF would be considered
> valid, which it is, it's just not very useful at all.
>
> I'd like to react like Google in this special case, because that entry is
> nonsense, you also could remove it from your DNS and nobody would notice.
>
> Does anyone have an exim rule / idea to check for it, before running the
> spfquery at all?
>
> best regards,
> Marius
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
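
The pass-all check discussed in this thread, as an added Python example that is not part of the original messages or of Exim. It goes beyond the literal `+all` match: it looks only at TXT strings that are SPF records and also flags a bare `all`, which defaults to the `+` qualifier under RFC 7208. The function names and sample TXT strings are constructed for illustration.

```python
import re

# Qualifiers defined by RFC 7208; a mechanism with no qualifier defaults to "+".
QUALIFIERS = "+-~?"


def spf_records(txt_records):
    """Return only the TXT strings that are SPF version 1 records."""
    found = []
    for txt in txt_records:
        txt = txt.strip().strip('"')
        # The version tag must be "v=spf1" followed by a space or end of record.
        if re.match(r"v=spf1( |$)", txt, re.IGNORECASE):
            found.append(txt)
    return found


def all_qualifier(record):
    """Return the qualifier of the first 'all' mechanism, or None if absent."""
    for term in record.split()[1:]:
        qualifier, name = "+", term
        if term[0] in QUALIFIERS:
            qualifier, name = term[0], term[1:]
        if name.lower() == "all":
            return qualifier  # terms after 'all' are never evaluated
    return None


def is_pass_all(txt_records):
    """True if any SPF record authorises every sender ('+all' or bare 'all')."""
    return any(all_qualifier(r) == "+" for r in spf_records(txt_records))


if __name__ == "__main__":
    # Constructed sample TXT answers, not real DNS data.
    samples = [
        ["v=spf1 +all"],
        ["v=spf1 mx ALL"],
        ["v=spf1 ip4:192.0.2.0/24 -all"],
        ["site-note=use +all here", "v=spf1 ~all"],
    ]
    for txts in samples:
        print(is_pass_all(txts), txts)
```

The last sample shows a case where a plain substring match on `+all` would reject a domain whose actual SPF record ends in `~all`.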