Saturday, December 13, 2008

Google SPF checking FAIL

Google inbound SPF checking is shit. Even for hardfail specifications, it delivers the email to the user's inbox with no visual indication it has failed SPF. See below for an email that was delivered normally to my inbox when it should have been dropped, or at the very least marked as evil.


Delivered-To: xxxxxx@gmail.com
Received: by 10.210.77.11 with SMTP id z11cs98143eba;
Sat, 13 Dec 2008 21:10:18 -0800 (PST)
Received: by 10.150.53.2 with SMTP id b2mr9887397yba.167.1229231416967;
Sat, 13 Dec 2008 21:10:16 -0800 (PST)
Return-Path:
Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com [66.111.4.25])
by mx.google.com with ESMTP id 5si9650165ywd.41.2008.12.13.21.10.16;
Sat, 13 Dec 2008 21:10:16 -0800 (PST)
Received-SPF: fail (google.com: domain of evil@xxxxx.com does not designate 66.111.4.25 as permitted sender) client-ip=66.111.4.25;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of evil@xxxxxxx.com does not designate 66.111.4.25 as permitted sender) smtp.mail=evil@xxxxxxxx.com
Received: from compute1.internal (compute1.internal [10.202.2.41])
by out1.messagingengine.com (Postfix) with ESMTP id 34BA11E6BF8
for ; Sun, 14 Dec 2008 00:10:16 -0500 (EST)
Received: from web7.messagingengine.com ([10.202.2.216])
by compute1.internal (MEProxy); Sun, 14 Dec 2008 00:10:16 -0500
Received: by web7.messagingengine.com (Postfix, from userid 99)
id 0E9F4545AD; Sun, 14 Dec 2008 00:10:16 -0500 (EST)
From: "xxxxxxxx"
To: xxxxxxxxxx@gmail.com
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="ISO-8859-1"
MIME-Version: 1.0
X-Mailer: MessagingEngine.com Webmail Interface
Subject: testing spf
Date: Sun, 14 Dec 2008 00:10:16 -0500

sdflskjdf
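As an added example, not from the post, here is a small Python filter a recipient-side system could run on the Authentication-Results header that Gmail already attaches: it trusts only the header whose authserv-id is the receiving MTA (mx.google.com, assumed as the trusted id), strips the free-text comments, and maps spf=fail/hardfail to reject and softfail to quarantine. The sample message is constructed from the headers shown above, trimmed to the ones that matter.

```python
import email
import re

# Constructed sample built from the post's headers (placeholders kept as they appear).
SAMPLE_MESSAGE = """\
Delivered-To: xxxxxx@gmail.com
Received-SPF: fail (google.com: domain of evil@xxxxx.com does not designate 66.111.4.25 as permitted sender) client-ip=66.111.4.25;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of evil@xxxxxxx.com does not designate 66.111.4.25 as permitted sender) smtp.mail=evil@xxxxxxxx.com
Subject: testing spf

sdflskjdf
"""

# Google's 2008 "hardfail" is not an RFC result code (RFC 5451 uses "fail"), so map both.
ACTIONS = {"fail": "reject", "hardfail": "reject", "softfail": "quarantine"}


def parse_authentication_results(value, trusted_authserv):
    """Parse an Authentication-Results value into {method: (result, properties)}.

    Returns None unless the authserv-id matches the MTA we trust: any upstream
    hop can add a header with this name, so only the final receiver's counts.
    """
    # Comments "( ... )" are free text and may contain ';' or '=', so drop them first.
    stripped = re.sub(r"\([^)]*\)", "", value)
    parts = [p.strip() for p in stripped.split(";") if p.strip()]
    # The authserv-id may be followed by a version number, hence split()[0].
    if not parts or parts[0].split()[0].lower() != trusted_authserv.lower():
        return None
    results = {}
    for stmt in parts[1:]:
        tokens = stmt.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:  # e.g. smtp.mail=evil@example (MAIL FROM identity checked)
            key, _, val = tok.partition("=")
            props[key.lower()] = val
        results[method.lower()] = (result.lower(), props)
    return results


def spf_action(raw_message, trusted_authserv="mx.google.com"):
    """Return (action, spf_result, mail_from) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Authentication-Results", []):
        parsed = parse_authentication_results(hdr, trusted_authserv)
        if parsed and "spf" in parsed:
            result, props = parsed["spf"]
            return ACTIONS.get(result, "deliver"), result, props.get("smtp.mail")
    return "deliver", None, None  # no trusted SPF verdict: fall back to normal delivery
```

Run against the sample, spf_action returns ("reject", "hardfail", "evil@xxxxxxxx.com"), which is the decision the post argues the inbound MTA should have made itself.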
