Getting a list of recursive SPF records


2013/06/28

A Kerio Connect customer needs to receive email from a certain customer of his. We'll call that customer "Office 365 Guy" to make things more clear as we go along.

The problem is that Office 365 Guy uses Microsoft Office 365 (that's why we are calling him that, right?). Microsoft, in their infinite stupidity, uses multiple IP addresses for Office 365 customers and apparently hasn't bothered to put up PTR records for some of those IPs.

I say "apparently" because my customer has been blocking Office 365 Guy for DNS issues - lack of PTR records, specifically. He'd like to whitelist all the addresses that Microsoft uses for Office 365, but where can you get that list?

Well, it turns out that Microsoft has an SPF record especially for Office 365 customers. It's "spf.protection.outlook.com". We can look that up and see what it includes:


$ dig +short spf.protection.outlook.com TXT
"v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com -all"
 

That's obviously not enough: we need to go deeper. I found that nslookup was easier to use for this, and wrote the following code:

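#!/usr/bin/perl
use strict;
use warnings;

my $domain = shift @ARGV or die "usage: $0 domain\n";
my %seen;    # domains already looked up, so include: loops terminate
getit($domain);

sub getit {
  my $domain = shift;

  # include: targets come from DNS, so treat them as untrusted input;
  # the first character may not be "-" (it would be read as an option)
  return unless $domain =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/;
  return if $seen{lc $domain}++;

  # List-form pipe open: nslookup is run directly, never through a shell
  open(my $ns, '-|', 'nslookup', '-q=TXT', $domain) or return;
  my @foo = <$ns>;
  close $ns;

  foreach my $line (@foo) {
    # Only the line holding this domain's SPF record is of interest
    next if $line !~ /\Q$domain\E\ttext/;
    $line =~ s/\Q$domain\E\ttext = "v=spf1//;
    foreach my $term (split /\s+/, $line) {
      next if $term =~ /-all/;
      print "$term\n";
      # Recurse into each included record
      if ($term =~ /^include:(.+)/) {
        getit($1);
      }
    }
  }
}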
 

Running that as "getspf.pl spf.protection.outlook.com" produces this output:

include:spf-a.outlook.com

ip4:157.56.232.0/21
ip4:157.56.240.0/20
ip4:207.46.198.0/25
ip4:207.46.4.128/25
ip4:157.56.24.0/25
ip4:157.55.157.128/25
ip4:157.55.61.0/24
ip4:157.55.49.0/25
ip4:65.55.174.0/25
ip4:65.55.126.0/25
ip4:65.55.113.64/26
ip4:65.55.94.0/25
include:spf-b.outlook.com

ip4:65.55.78.128/25
ip4:111.221.112.0/21
ip4:207.46.58.128/25
ip4:111.221.69.128/25
ip4:111.221.66.0/25
ip4:111.221.23.128/25
ip4:70.37.151.128/25
ip4:157.56.248.0/21
ip4:213.199.177.0/26
ip4:157.55.225.0/25
ip4:157.55.11.0/25
include:spf-c.outlook.com

ip4:157.55.9.128/25
ip4:157.55.47.0/24
ip4:157.55.224.128/25
ip4:157.56.96.0/24
ip4:157.56.106.0/24
ip4:132.245.0.0/16
include:spf.messaging.microsoft.com

include:spfa.frontbridge.com

ip4:157.55.116.128/26
ip4:157.55.133.0/24
ip4:157.55.158.0/23
ip4:157.55.234.0/24
ip4:157.56.112.0/24
ip4:157.56.116.0/25
ip4:157.56.120.0/25
ip4:207.46.100.0/24
ip4:207.46.108.0/25
ip4:207.46.163.0/24
ip4:134.170.140.0/24
ip4:157.56.110.0/23
include:spfb.frontbridge.com

ip4:207.46.51.64/26
ip4:213.199.154.0/24
ip4:213.199.180.128/26
ip4:216.32.180.0/23
ip4:64.4.22.64/26
ip4:65.55.83.128/27
ip4:65.55.169.0/24
ip4:65.55.88.0/24
ip4:94.245.120.64/26
ip4:131.107.0.0/16
ip4:157.56.73.0/24
ip4:134.170.132.0/24
include:spfc.frontbridge.com

ip4:207.46.101.128/26
ip6:2a01:111:f400:7c00::/54
ip6:2a01:111:f400:fc00::/54
ip4:157.56.87.192/26
ip4:157.55.40.32/27
ip4:157.56.123.0/27
ip4:157.56.91.0/27
ip4:157.55.206.0/24
ip4:157.55.207.0/24
ip4:157.56.206.0/23
ip4:157.56.208.0/22
 

We can enter those into our whitelist (perhaps with another script or API call to automate it).

Of course, if Microsoft fails to keep that up to date, that's no help, and of course we have to check that list frequently. That's annoying!

Should Kerio have a function to automatically whitelist a valid SPF check? I think maybe they should.. however, it's more complicated than that. You probably don't want to whitelist EVERYBODY who passes SPF, just somebody like this Office 365 Guy. So really, we again need more powerful rules!

Remember: The purpose of SPF is to prevent someone who ISN'T you from pretending to be you. It isn't a whitelist; it's the opposite.

The code above is something I just dashed off this morning - it's rough and it's unchecked and therefore could easily run into situations that would break it. Something more robust would be needed to fully automate this function.
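An added example (not the author's script) of the same expansion in Python, with include-loop detection, a cap modelled on the RFC 7208 limit of 10 DNS-querying terms, redirect= handling, and qualifiers respected so that only pass-qualified ranges are collected. The names expand_spf and sample_lookup and the example.com records are constructed for illustration; lookup stands in for a real TXT query.

```python
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms in one SPF evaluation

# Constructed TXT data standing in for DNS (documentation names and ranges).
SAMPLE_TXT = {
    "spf.example.com": ["v=spf1 include:a.example.com include:b.example.com -all"],
    "a.example.com": ["v=spf1 ip4:192.0.2.0/25 ip4:198.51.100.7 include:b.example.com -all"],
    "b.example.com": ["unrelated=txt", "v=spf1 ip6:2001:db8:400::/54 mx redirect=c.example.com"],
    "c.example.com": ["v=spf1 ip4:203.0.113.0/24 ~ip4:192.0.2.128/25 include:spf.example.com ~all"],
}

def sample_lookup(name):
    """Hypothetical resolver: return the TXT strings published at `name`."""
    return SAMPLE_TXT.get(name, [])

def expand_spf(domain, lookup):
    """Follow include:/redirect= from `domain`; return (networks, unhandled terms)."""
    nets, unhandled, seen = set(), [], set()

    def walk(name):
        name = name.lower().rstrip(".")
        if name in seen:             # include loop or repeat: already expanded
            return
        if len(seen) > MAX_LOOKUPS:  # start domain plus 10 followed names
            raise ValueError("more than %d include/redirect lookups" % MAX_LOOKUPS)
        seen.add(name)
        spf = [t for t in lookup(name) if t.lower().split(" ")[0] == "v=spf1"]
        if len(spf) != 1:            # missing, or ambiguous duplicate records
            raise ValueError("expected exactly one SPF record at " + name)
        for term in spf[0].split()[1:]:
            if term[0] in "-~?":     # only pass-qualified terms belong on a whitelist
                continue
            term = term.lstrip("+")
            sep = "=" if term.lower().startswith("redirect=") else ":"
            key, _, value = term.partition(sep)
            if key.lower() in ("ip4", "ip6") and value:
                nets.add(ipaddress.ip_network(value, strict=False))
            elif key.lower() in ("include", "redirect") and value and "%" not in value:
                walk(value)
            else:                    # a, mx, exists, ptr, macros, bare "all": review by hand
                unhandled.append((name, term))

    walk(domain)
    return sorted(nets, key=lambda n: (n.version, n)), unhandled

if __name__ == "__main__":
    networks, skipped = expand_spf("spf.example.com", sample_lookup)
    print("\n".join(str(n) for n in networks))
    print("needs manual review:", skipped)
```

Terms returned in the second list (here the mx mechanism) need their own DNS resolution before the whitelist can be considered complete.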

My hope is that someone will read this and say "Dude! You don't need to do that! Just do..".





3 comments




© Anthony Lawrence







Fri Jun 28 15:57:11 2013: 12169   TonyLawrence



One more thing here: thanks to Microsoft's ignorance, ANY Office 365 customer can pass an SPF check while pretending to be some other Office 365 customer.

Isn't that just peachy keen?







Fri Jun 28 23:58:21 2013: 12174   anonymous



"Dude! You don't need to do that! Just do.."

There ya go!








Sat Jun 29 00:08:58 2013: 12175   TonyLawrence



Thanks. I was hoping for a bit more, though :-)
