
spf checking of incoming mail


kdimson

Guest
Note the header info from a message received by my Plesk server.

This is one of the typical spam emails about checking your paypal.com account.

The from address is [email protected] and I would have assumed that the Plesk server would check the DNS for the domain paypal.com and verify the SPF record. Instead it seems the Plesk server checks for an SPF record for the sending server mail.toek.de, which of course does not have an SPF record.

Is this a settings issue on my side or is the Plesk server not really doing a proper SPF check?

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 1965 invoked from network); 6 Aug 2006 05:18:58 -0500
Received: from toek.de (HELO mail.toek.de) (213.133.99.215)
by dynserv.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 6 Aug 2006 05:18:57 -0500
Received-SPF: none (dynserv.com: domain at mail.toek.de does not designate permitted sender hosts)
Received: (qmail 3311 invoked by uid 1008); 6 Aug 2006 09:44:57 +0200
Date: 6 Aug 2006 09:44:57 +0200
Message-ID: <[email protected]>
To: [email protected]
From: [email protected] <[email protected]>
 
According to the mail headers, the e-mail came from a mail server named mail.toek.de. What you need to do now is verify that that is a valid sending host from PayPal, which I highly doubt.

PayPal has the MX records..

paypal.com. MX IN 3600 smtp2.nix.paypal.com. [Preference = 10]
paypal.com. MX IN 3600 smtp1.nix.paypal.com. [Preference = 10]
paypal.com. MX IN 3600 smtp1.sc5.paypal.com. [Preference = 10]

So smtp1.nix, smtp2.nix, and smtp1.sc5, which resolve to 64.4.240.74, 64.4.240.75, and 64.4.240.74 (respectively). Unfortunately for you, the mail server you received your e-mail from is from Germany: 213.133.99.215 (http://www.dnsstuff.com/tools/whois.ch?ip=213.133.99.215).

This means that the e-mail did not come (originally) from the PayPal mail server, which is why it failed the SPF lookup.

Hope that answers your question...

-John
 
Actually I want this to fail. I believe it should return a SOFTFAIL since the IP address of the sending mail server does not match the IPs allowed by the domain for the sender.

Instead, Plesk is giving an answer that the sending mail server does not have an SPF record.

If I go to dnsstuff.com and use their SPF checker, enter the domain and the IP address of the sending mail server, I get a softfail. Why does Plesk not give me the same answer?
 
You did not get a softfail because the <return path> was to: mail.toek.de. This is the actual server that sent the mail. This "spoof" was from an amateur. To block further spam from him, blacklist toek.de. Had the return path been set to "[email protected]" then you would have received the softfail. I verified this by setting up my own spoof email from "[email protected]" that I sent to myself through a known open relay server. I did receive the "softfail" notice. Notice below (some information deleted to hide the identity of the open relay server):


Return-Path: <[email protected]>
Delivered-To: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on --------------------------------
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=DNS_FROM_RFC_ABUSE,
HTML_MESSAGE,MIME_HTML_MOSTLY autolearn=no version=3.1.3
Received: (qmail 26068 invoked by uid 10021); 9 Aug 2006 10:09:06 -0500
Received: from xx.xx.xx.xx by klickhosting.com (envelope-from <[email protected]>, uid 2020) with qmail-scanner-2.01st
(clamdscan: 0.88.3/1641. perlscan: 2.01st.
Clear:RC:0(xx.xx.xx.xx.xx):.
Processed in 0.072125 secs); 09 Aug 2006 15:09:06 -0000
Received: from --------------------- by ----------------------- with (DHE-RSA-AES256-SHA encrypted) SMTP; 9 Aug 2006 10:09:06 -0500
Received-SPF: softfail (ip-xx-xx.xx.xx: transitioning SPF record at spf-1.paypal.com does not designate xx.xx.xx.xx.xx as permitted sender)
Reply-To: <[email protected]>
From: "Test" <[email protected]>
To: <[email protected]>
Subject: Test of SPF
Date: Wed, 9 Aug 2006 10:08:06 -0500
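
The mismatch discussed in this thread, as an added example that is not part of the original posts: SPF is evaluated against the SMTP envelope identity (MAIL FROM or HELO), not the From: header the recipient sees, so the result has to be read together with the domain it was computed for. The sketch below parses a Received-SPF comment in the format quoted above and reports whether the checked domain covers the From: domain. The sample message, its addresses and the two-label organisational-domain comparison are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the first message in the thread. The
# addresses are placeholders: the originals are redacted on the page.
SAMPLE = """\
Return-Path: <bounce@mail.toek.de>
Received: from toek.de (HELO mail.toek.de) (213.133.99.215)
 by dynserv.com with SMTP; 6 Aug 2006 05:18:57 -0500
Received-SPF: none (dynserv.com: domain at mail.toek.de does not designate permitted sender hosts)
From: Example Sender <someone@paypal.com>
To: recipient@example.com
Subject: constructed sample

body
"""

# "<result> (<comment>)" as in the Received-SPF lines quoted in the thread.
SPF_RE = re.compile(r"\s*(?P<result>[a-z]+)\s*\((?P<comment>.*)\)", re.I | re.S)
# The comment names the evaluated domain as "domain at X" or "record at X".
CHECKED_RE = re.compile(r"(?:domain|record) at (?P<domain>[A-Za-z0-9.-]+)")

def addr_domain(header_value):
    """Domain part of the address in a header value, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Assumption: organisational domain = last two labels (no suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_alignment(raw_message):
    """Report which domain SPF evaluated and whether it covers From:."""
    msg = message_from_string(raw_message)
    from_domain = addr_domain(msg.get("From"))
    spf = SPF_RE.match(msg.get("Received-SPF", ""))
    result = spf.group("result").lower() if spf else "missing"
    named = CHECKED_RE.search(spf.group("comment")) if spf else None
    # Fall back to the envelope sender when the comment names no domain.
    checked = named.group("domain").lower() if named else addr_domain(msg.get("Return-Path"))
    aligned = bool(checked and from_domain) and org_domain(checked) == org_domain(from_domain)
    return {"spf_result": result, "checked_domain": checked,
            "from_domain": from_domain, "aligned": aligned,
            # Only an aligned "pass" says anything about the visible From:.
            "from_authenticated": aligned and result == "pass"}

if __name__ == "__main__":
    print(spf_alignment(SAMPLE))
```

For the sample, the result is `none` for `mail.toek.de` while From: claims `paypal.com`, so the SPF verdict carries no information about the displayed sender and a filter should treat the From: domain as unauthenticated.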
 