1
Why the sudden increase in [_SPF: Fail] spam?
Question asked by Dan Horne - 8/28/2014 at 7:41 AM
Unanswered
On Tuesday our SmarterMail server (hosted at Amazon) crashed. After two hours on the phone with support, the server was back up and running. Thank you, AWS support. The only difference was the private IP address.
 
Since then I have received several complaints that emails from regular clients were suddenly being marked as spam. Looking over the delivery log I noticed the only "failure" in Spam check results was: [_SPF: Fail]. The number of "failures" shows a definite pattern.
 
DATE    COUNT of lines in delivery log 
08-20    114
08-21    126
08-22    108
08-23    39
08-24    33
08-25    131
08-26    3039  (Crash day)
08-27    3550
08-28    1213  (Disabled SPF in AntiSpam Administration)
 
Can anyone help me understand what happened?  Why the dramatic spike in SPF fail?  What to do about it?  What to do next?
 
Help?

14 Replies

0
Steve Reid Replied
Amazon's AWS is definitely not ideal for hosting SmarterMail. Because the internal IP can change at any given point it will most certainly always lead to a failure.
 
Please check your IP addresses and Bindings within SmarterMail's setup.
0
Dan Horne Replied
I won't argue the merits of AWS except it has served us well since 2011.  Over the last 3 years the private IP address has changed twice and "Bindings --> IP Addresses" was the first thing checked and changed (otherwise no mail flow at all). 
 
How does that answer the question?  Rather how does changing the internal IP address make the SPF test fail so many messages?  I know of no other change in the mail server from Monday to Tuesday.
0
Steve Reid Replied
I do not know why your server is behaving that way. I have however had experience with AWS problems, so that's what I offered...
0
Dan Horne Replied
Thanks for the reply and sorry you had a bad experience with AWS. Perhaps I have been very lucky, who knows. I am hoping someone has seen this before and solved it. I do not like disabling this test just because it has become overly aggressive.
0
Bruce Barnes Replied
Since Amazon changes your IP address, it probably doesn't match your rDNS any longer, and you'll have to update your rDNS to remap the FQDN of your server to the new IP address.
 
As was mentioned above, Amazon will randomly change IP addresses with the kind of virtualized service you are running, and you should consider a new virtualized environment with dedicated, static IP addresses. If you don't, you'll find a lot of rejected email.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Steve Reid Replied
The way AWS works it will never change your external IP. Only the natted internal IP is affected.
0
Steve Reid Replied
Are you using your own DNS servers?
0
Bruce Barnes Replied
RE: The way AWS works it will never change your external IP. Only the natted internal IP is affected. Steve Reid (Today at 7:08 AM)
 
But if the NATTED IP is changed, then the mappings and settings for  SmarterMail's ports all have to be updated to match the new NATTED IP assigned by Amazon.
 
 
 
The IP ADDRESS for the SMTP and DOMAIN also have to be updated so they match the NATTED IP ADDRESS which was modified by Amazon.
 
 
Given the fact that Amazon is even capable of modifying IP addresses, whether internal or external, no MX server should ever be run on an Amazon AWS server - too many things to go wrong and no fully dedicated services.
0
Steve Reid Replied
Yeah but he already stated he had done that, or else mail would not flow at all.
0
Dan Horne Replied

Oh come on, knock it off with arguing if Amazon is good or bad, none of that matters to me.  My whole mail system is hosted on Amazon (2 MX and the Mail server) and as I said before, it has served me well these past 3 years. There have been a grand total of two internal IP address changes, one a surprise the other expected.  Both handled within minutes with very little disruption in service as a result.
 
This is all academic because it doesn't answer the question of why the spam filter SPF suddenly spiked...
 
Can anyone shed some light on that?
 
(BTW  Steve Reid, we are using Google public DNS.)
 
0
Steve Reid Replied
It is recommended that you use your own local instance for DNS. We have it installed on our mail server.

Sometimes lookups can be blocked from public DNS IPs.

Not positive this is your problem, but I am trying.

What do your logs say for the failed emails?
0
Dan Horne Replied
We have DNS running on the server however...  (Bruce how are you inserting those screen shots?)
the IP of Primary and Secondary DNS in General Settings is set to:  8.8.8.8 and 8.8.4.4 respectively.
It has been set up this way for as long as I can remember.
 
Which log?  Delivery?
 
 
0
Dan Horne Replied
Ok I may have stumbled across the problem.  Staring at Bruce's screen shot above I started going down the list of domains checking that Outbound IPv4 was in fact configured correctly.  I thought once it was done in "General Settings" that it would propagate down through the domains.  However, I discovered many (not all) were either left "Unassigned" or still listed with the previous IP address!
 
I have worked through all 81 domains and set every one to the proper IP and I will be watching the SPF test over the weekend (it is enabled but set to add 0 points) and see if the count drops.
 
Have a great Labor Day weekend one and all, and Thank you for your assistance Bruce and Steve!
 
0
Bruce Barnes Replied
 
 
Good catch, Dan.
 
The IP ADDRESS assigned as the SMTP OUT IP ADDRESS does not auto-propagate.  It must be manually assigned to each domain.
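
The per-domain check Dan describes can be scripted after any IP change. The following is an added example, not part of the thread and not SmarterMail code: it flags domains whose outbound IPv4 is unassigned or stale and checks whether the public sending address is covered by each domain's SPF record. The domain names, addresses, SPF records and dictionary layout are constructed assumptions, and only `ip4:`/`ip6:` mechanisms and `all` are evaluated.

```python
import ipaddress

# Constructed sample data (documentation address ranges); the layout is
# hypothetical and is not a SmarterMail export format.
CURRENT_IP = "10.0.1.25"     # private IP now bound on the server (assumed)
PUBLIC_IP = "203.0.113.10"   # address remote receivers see (assumed)
DOMAINS = {
    "example.com": {"outbound": "10.0.1.25", "spf": "v=spf1 ip4:203.0.113.10 -all"},
    "example.net": {"outbound": "10.0.0.7", "spf": "v=spf1 ip4:203.0.113.0/28 ~all"},
    "example.org": {"outbound": None, "spf": "v=spf1 ip4:198.51.100.4 -all"},
}

def spf_ip_result(record, ip):
    """Evaluate ip4:/ip6: and 'all' only; include, a, mx, redirect are not resolved."""
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return results[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if addr.version == net.version and addr in net:
                return results[qualifier]
    return "neutral"

def audit(domains, current_ip, public_ip):
    """Return {domain: [problems]} for domains that need attention."""
    findings = {}
    for name, cfg in sorted(domains.items()):
        problems = []
        if cfg["outbound"] is None:
            problems.append("outbound IPv4 unassigned")
        elif cfg["outbound"] != current_ip:
            problems.append(f"outbound IPv4 still {cfg['outbound']}")
        result = spf_ip_result(cfg["spf"], public_ip)
        if result != "pass":
            problems.append(f"SPF {result} for {public_ip}")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for domain, problems in audit(DOMAINS, CURRENT_IP, PUBLIC_IP).items():
        print(domain, "->", "; ".join(problems))
```

A domain with no findings is omitted from the result, so an empty dictionary means every domain is on the current address and authorizes the public one.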
