Why the sudden increase in [_SPF: Fail] spam?
Question asked by Dan Horne - August 28, 2014 at 7:41 AM
Unanswered
On Tuesday our Smartermail server (hosted at Amazon) crashed. After two hours on the phone with support the server was back up and running.  Thank you AWS support.  The only difference was the private IP address.
 
Since then I have received several complaints that email from regular clients was suddenly being marked as spam. Looking over the delivery log I noticed the only "failure" in Spam check results was: [_SPF: Fail]. The number of "failures" shows a definite pattern.
 
DATE    COUNT of lines in delivery log 
08-20    114
08-21    126
08-22    108
08-23    39
08-24    33
08-25    131
08-26    3039  (Crash day)
08-27    3550
08-28    1213  (Disabled SPF in AntiSpam Administration)
 
Can anyone help me understand what happened?  Why the dramatic spike in SPF fail?  What to do about it?  What to do next?
 
Help?

9 Replies

0
Steve Reid Replied
August 28, 2014 at 8:41 AM
Amazon's AWS is definitely not ideal for hosting Smartermail. Because the internal IP can change at any given point it will most certainly always lead to a failure.

Please check your IP addresses and Bindings within Smartermail's setup.
0
Dan Horne Replied
August 28, 2014 at 10:16 AM
I won't argue the merits of AWS except it has served us well since 2011.  Over the last 3 years the private IP address has changed twice and "Bindings --> IP Addresses" was the first thing checked and changed (otherwise no mail flow at all). 
 
How does that answer the question?  Rather how does changing the internal IP address make the SPF test fail so many messages?  I know of no other change in the mail server from Monday to Tuesday.
0
Bruce Barnes Replied
August 29, 2014 at 2:55 AM
Since Amazon changes your IP address, it probably doesn't match your rDNS any longer, and you'll have to update your rDNS to remap the FQDN of your server to the new IP address.

As was mentioned above, Amazon will randomly change IP addresses with the kind of virtualized service you are running, and you should consider a new virtualized environment with dedicated, static IP addresses. If you don't, you'll find a lot of rejected email.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Steve Reid Replied
August 29, 2014 at 5:10 AM
Are you using your own DNS servers?
0
Bruce Barnes Replied
August 29, 2014 at 5:44 AM
RE: The way AWS works it will never change your external IP. Only the natted internal IP is affected. Steve Reid (Today at 7:08 AM)
 
But if the NATTED IP is changed, then the mappings and settings for  SmarterMail's ports all have to be updated to match the new NATTED IP assigned by Amazon.
 
 
 
The IP ADDRESS for the SMTP and DOMAIN also have to be updated so they match the NATTED IP ADDRESS which was modified by Amazon.
 
 
Given the fact that Amazon is even capable of modifying IP addresses, whether internal or external, no MX server should ever be run on an Amazon AWS server - too many things to go wrong and no fully dedicated services.
0
Dan Horne Replied
August 29, 2014 at 7:00 AM

Oh come on, knock it off with arguing if Amazon is good or bad, none of that matters to me.  My whole mail system is hosted on Amazon (2 MX and the Mail server) and as I said before, it has served me well these past 3 years. There have been a grand total of two internal IP address changes, one a surprise the other expected.  Both handled within minutes with very little disruption in service as a result.
 
This is all academic because it doesn't answer the question of why the spam filter SPF suddenly spiked...
 
Can anyone shed some light on that?
 
(BTW  Steve Reid, we are using Google public DNS.)
 
0
Dan Horne Replied
August 29, 2014 at 10:15 AM
We have DNS running on the server however...  (Bruce how are you inserting those screen shots?)
the IP of Primary and Secondary DNS in General Settings is set to:  8.8.8.8 and 8.8.4.4 respectively.
It has been set up this way for as long as I can remember.
 
Which log?  Delivery?
 
 
0
Dan Horne Replied
August 29, 2014 at 2:58 PM
Ok I may have stumbled across the problem.  Staring at Bruce's screen shot above I started going down the list of domains checking that Outbound IPv4 was in fact configured correctly.  I thought once it was done in "General Settings" that it would propagate down through the domains.  However, I discovered many (not all) were either left "Unassigned" or still listed with the previous IP address!
 
I have worked through all 81 domains and set every one to the proper IP and I will be watching the SPF test over the weekend (it is enabled but set to add 0 points) and see if the count drops.
 
Have a great Labor Day weekend one and all, and Thank you for your assistance Bruce and Steve!
 
0
Bruce Barnes Replied
September 1, 2014 at 10:25 AM
 
 
Good catch, Dan.
 
The IP ADDRESS assigned as the SMTP OUT IP ADDRESS does not auto-propagate.  It must be manually assigned to each domain.

Reply to Thread
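
An added example (not from the thread, and not SmarterMail code): a minimal SPF evaluation over the `ip4`/`ip6`/`all` mechanisms, run across a list of hosted domains and their Outbound IPv4 settings to show which ones would yield an SPF fail after an address change. The domain names, addresses and SPF records are constructed, and it assumes the receiver sees the configured outbound address; behind NAT, substitute the public address.

```python
import ipaddress

OUTCOMES = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for client_ip.

    Returns pass/fail/softfail/neutral, or "none" if the text is not SPF.
    include, a, mx, exists and redirect need DNS and are skipped here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in OUTCOMES else "+"  # default is "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return OUTCOMES[qualifier]
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return OUTCOMES[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

def audit_domains(domains):
    """Map each domain to 'unassigned' or the SPF result for its outbound IP."""
    report = {}
    for name, (outbound_ip, record) in domains.items():
        if outbound_ip.strip().lower() == "unassigned":
            report[name] = "unassigned"
        else:
            report[name] = spf_result(record, outbound_ip)
    return report

# Constructed sample: 198.51.100.25 plays the current address,
# 192.0.2.10 the previous one (both are documentation ranges).
SAMPLE = {
    "example.com": ("198.51.100.25", "v=spf1 ip4:198.51.100.25 -all"),
    "example.net": ("192.0.2.10", "v=spf1 ip4:198.51.100.25 -all"),
    "example.org": ("Unassigned", "v=spf1 ip4:198.51.100.0/24 ~all"),
    "example.edu": ("192.0.2.10", "v=spf1 ip4:198.51.100.0/24 ~all"),
}

if __name__ == "__main__":
    for domain, status in audit_domains(SAMPLE).items():
        print(f"{domain:12} {status}")
```

Any status other than `pass` marks a domain whose outbound setting needs review.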