Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Thwack SPF Spam

On or around 9/11 Thwack emails started being diverted to my Postini email quarantine. Further investigation shows they are being caught by the Sender Policy Framework (SPF) rule. Basically this means someone has modified solarwinds.com DNS in a mannor that does not authorize the Thwack email server as a valid email server. Examples:

Thwack email header from today:

Received: from na3sys009amo105.postini.com ([74.125.149.39]) by [removed] with Microsoft SMTPSVC(6.0.3790.4675);

Wed, 19 Sep 2012 10:48:51 -0700

Received: from postini.com (na3sys009amc123.postini.com [74.125.149.188])

by na3sys009amo105.postini.com (Postfix) with ESMTP id 5EDA9FE8A9B

for [removed]; Wed, 19 Sep 2012 10:48:51 -0700 (PDT)

Received-SPF: fail (google.com: domain of nondelivery@solarwinds.com does not designate 209.46.39.252 as permitted sender) client-ip=209.46.39.252;

Received: from mx-out4.sgvm2hosted.jiveland.com ([209.46.39.252]) (using TLSv1) by na3sys009amx200.postini.com ([74.125.148.10]) with SMTP;

Wed, 19 Sep 2012 15:11:22 GMT

Received: from solarwinds-wa02.sgvm2hosted.jiveland.com (unknown [10.122.0.4])

by mx-out4.sgvm2hosted.jiveland.com (Postfix) with ESMTP id 19AD1D0989

for [removed]; Wed, 19 Sep 2012 09:11:21 -0600 (MDT)

Date: Wed, 19 Sep 2012 10:11:21 -0500

From: "IGFCSS.DSI" <solarwindscommunityteam@communications.solarwinds.com>

Reply-To: jive-912748380-362d-2-3vtl@solarwinds.hosted.jivesoftware.com

To: [removed]

Message-ID: <2-181209-3-53625-1348067455485.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

Subject: [Patch Manager] - Solarwinds WMI Provider 1.80.785.0 strange behavior

X-Jive-Office: jive-912748380-362d-2-3vtl@solarwinds.hosted.jivesoftware.com

X-pstn-dkim: 0 skipped:disp

X-pstn-disposition: quarantine

Return-Path: nondelivery@solarwinds.com

X-OriginalArrivalTime: 19 Sep 2012 17:48:51.0403 (UTC) FILETIME=[078181B0:01CD968F]

Thwack email header from 7/20:

Received: from psmtp.com ([74.125.149.42]) by [removed] with Microsoft SMTPSVC(6.0.3790.4675);

Fri, 20 Jul 2012 09:00:16 -0700

Received: from mx-out2.sgvm2hosted.jiveland.com ([209.46.39.252]) (using TLSv1) by na3sys009amx202.postini.com ([74.125.148.10]) with SMTP;

Fri, 20 Jul 2012 16:00:14 GMT

Received: from solarwinds-wa02.sgvm2hosted.jiveland.com (unknown [10.122.0.4])

by mx-out2.sgvm2hosted.jiveland.com (Postfix) with ESMTP id BA2D2D103A

for [removed]; Fri, 20 Jul 2012 10:00:11 -0600 (MDT)

Date: Fri, 20 Jul 2012 10:00:11 -0600

From: SolarWinds Community Team <solarwindscommunityteam@communications.solarwinds.com>

To: [removed]

Message-ID: <810138766.1050811342800011760.JavaMail.jive@solarwinds-wa02.sgvm2hosted.jiveland.com>

Subject: thwack Updates, July 17 - July 20

X-pstn-levels: (S: 0.06945/99.55832 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )

X-pstn-dkim: 0 skipped:not-enabled

X-pstn-settings: 3 (1.0000:0.0005) s cv gt3 GT2 gt1 r p m c

X-pstn-addresses: from <solarwindscommunityteam@communications.solarwinds.com> [1437/60]

Return-Path: nondelivery@solarwinds.com

X-OriginalArrivalTime: 20 Jul 2012 16:00:16.0838 (UTC) FILETIME=[C1530660:01CD6690]

Solarwinds.com SPF Record:

C:\Windows\System32>nslookup -type=txt solarwinds.com 8.8.8.8

Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:

solarwinds.com text =

"v=spf1 ip4:74.121.49.100 ip4:74.121.49.101 ip4:74.121.49.102 ip4:74.121.49.103 ip4:74.121.49.141 ip4:74.121.49.97 ip4:74.121.49.98 ip4:74.121.49.99 ip4:74.115.12.109 ip4:74.115.14.109 include:netsuite.com include:en25.com include:salesforce.com -all"

As you can see the IP 209.46.39.252 has not been included in the Solarwinds.com SPF record and that is causing the SPF fail. An SPF fail will cause most, if not all, outbound email to be either diverted to end users quarantines, or deleted before delivery.

This fix is easy. Just add that IP to the SPF record, or change the SPF record from -all (at the end) to a ~all. Changing the -all to an ~all will cause Thwack email to SPF "soft" fail and opposed to the SPF "hard" fail that is occurring now. However adding the appropriate IP to the SPF record would certainly be the ideal solution.

Hope that helps!

-mark

Find more posts tagged with

Accepted answers

All comments

danielleh

You just nailed an issue we've been hunting down for awhile now. I'm forwarding this on to our IT team to see if they've tried this route yet or not. Thanks for all this information and I'll follow up when I hear back from IT.

strict

Sweet, glad I could help! Looks like this is fixed as I recieved an email to my Inbox this morning!

Today's Thwack message header:

Microsoft Mail Internet Headers Version 2.0

Received: from psmtp.com ([74.125.149.52]) by [removed] with Microsoft SMTPSVC(6.0.3790.4675);

Thu, 20 Sep 2012 06:26:25 -0700

Received: from mx-out6.sgvm2hosted.jiveland.com ([209.46.39.252]) (using TLSv1) by na3sys009amx212.postini.com ([74.125.148.10]) with SMTP;

Thu, 20 Sep 2012 13:26:24 GMT

Received: from solarwinds-wa02.sgvm2hosted.jiveland.com (unknown [10.122.0.4])

by mx-out6.sgvm2hosted.jiveland.com (Postfix) with ESMTP id 663F3D07A4

for <[removed]>; Thu, 20 Sep 2012 07:26:22 -0600 (MDT)

Date: Thu, 20 Sep 2012 08:26:22 -0500

From: LGarvin <solarwindscommunityteam@communications.solarwinds.com>

Reply-To: jive-1390395402-362d-2-3vw6@solarwinds.hosted.jivesoftware.com

To: [removed]

Message-ID: <2-181209-3-53625-1348067711419-2-181302-3-137928-1348147522705.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

In-Reply-To: <2-181209-3-53625-1348067711419-2-181282-3-53625-1348135274094.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

References: <2-181209-3-53625-1348067711419.jive.jivemailuser@solarwinds.hosted.jivesoftware.com> <2-181209-3-53625-1348067711419-2-181239-3-137928-1348079184284.jive.jivemailuser@solarwinds.hosted.jivesoftware.com> <2-181209-3-53625-1348067711419-2-181282-3-53625-1348135274094.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

Subject: Re: [Patch Manager] - Solarwinds WMI Provider 1.80.785.0 strange behavior

Auto-Submitted: auto-replied

Content-Disposition: inline

X-Jive-Office: jive-1390395402-362d-2-3vw6@solarwinds.hosted.jivesoftware.com

X-pstn-levels: (S:15.50776/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )

X-pstn-dkim: 0 skipped:not-enabled

X-pstn-settings: 3 (1.0000:0.0005) s cv gt3 GT2 gt1 r p m c

X-pstn-addresses: from <solarwindscommunityteam@communications.solarwinds.com> forward (user good) [1563/64]

Return-Path: nondelivery@solarwinds.com

X-OriginalArrivalTime: 20 Sep 2012 13:26:25.0576 (UTC) FILETIME=[88ACBA80:01CD9733]

It would that the SPF issue might have been with jivesoftware.com rather than solarwinds.com as I see the solarwinds.com SPF record has not changed. Good to see they got it fixed for you.

Maybe we can talk offline about your expericne with Jive Software? I have some clients interested in such a service. Thanks!

-mark

strict

Looks like I spoke too soon! Turns out the email above was the ONLY email to have been let through. Not sure what to make of it. Below is a header of the very last email I received that WAS caught in my quarantine. On that note, this might not be a solarwinds.com issue. This could be jive email server issue. Its hard to say because how jive uses SPF is not clear.

Received: from na3sys009amo105.postini.com ([74.125.149.39]) by [removed] with Microsoft SMTPSVC(6.0.3790.4675);

Mon, 24 Sep 2012 12:08:37 -0700

Received: from postini.com (na3sys009amc130.postini.com [74.125.149.195])

by na3sys009amo105.postini.com (Postfix) with ESMTP id 4240DFEA12C

for <[removed]>; Mon, 24 Sep 2012 12:08:37 -0700 (PDT)

Received-SPF: fail (google.com: domain of nondelivery@solarwinds.com does not designate 209.46.39.252 as permitted sender) client-ip=209.46.39.252;

Received: from mx-out6.sgvm2hosted.jiveland.com ([209.46.39.252]) (using TLSv1) by na3sys009amx224.postini.com ([74.125.148.10]) with SMTP;

Mon, 24 Sep 2012 16:32:27 GMT

Received: from solarwinds-wa02.sgvm2hosted.jiveland.com (unknown [10.122.0.4])

by mx-out6.sgvm2hosted.jiveland.com (Postfix) with ESMTP id 3831FD0372

for <[removed]>; Mon, 24 Sep 2012 10:32:26 -0600 (MDT)

Date: Mon, 24 Sep 2012 11:32:26 -0500

From: antwesor <solarwindscommunityteam@communications.solarwinds.com>

Reply-To: jive-2044745638-362d-2-3w38@solarwinds.hosted.jivesoftware.com

To: Mark Reid <[removed]>

Message-ID: <2-181209-3-53625-1348067711419-2-181556-3-135038-1348504296131.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

In-Reply-To: <2-181209-3-53625-1348067711419-2-181397-3-137928-1348266824375.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

References: <2-181209-3-53625-1348067711419.jive.jivemailuser@solarwinds.hosted.jivesoftware.com> <2-181209-3-53625-1348067711419-2-181382-3-151512-1348169485718.jive.jivemailuser@solarwinds.hosted.jivesoftware.com> <2-181209-3-53625-1348067711419-2-181397-3-137928-1348266824375.jive.jivemailuser@solarwinds.hosted.jivesoftware.com>

Subject: Re: [Patch Manager] - Solarwinds WMI Provider 1.80.785.0 strange behavior

Auto-Submitted: auto-replied

Content-Disposition: inline

X-Jive-Office: jive-2044745638-362d-2-3w38@solarwinds.hosted.jivesoftware.com

X-pstn-dkim: 0 skipped:disp

X-pstn-disposition: quarantine

Return-Path: nondelivery@solarwinds.com

X-OriginalArrivalTime: 24 Sep 2012 19:08:37.0556 (UTC) FILETIME=[00573F40:01CD9A88]

danielleh

Hey Mark,

You're correct, the fix has not been implemented yet. We are in a freeze period and will not be able to make the changes for another week or so. I have a case open with Jive about this as well. Just letting you know we have all the corners covered. I will certainly update this thread when we've confirmed the fix has corrected the issue.

Thanks for your help with this!

Danielle

danielleh

Mark,

Our IT team implemented the fix a little over a week ago. The fix seems to be working from our end but please let us know if you are still seeing issues.

We'd like to say thank you for all your help with this. We have created a badge for those of you who help us make our site better each day. It's called "thwack Helping Hand". You can go to your profile to check it out now!

Thanks again,

Danielle

strict

This is happening again!

strict

It appears somebody changed the email server without updating the SPF record:

Email Header:

Received-SPF: fail (google.com: domain of solarwindscommunityteam@communications.solarwinds.com does not designate 204.93.64.116 as permitted sender) client-ip=204.93.64.116

>nslookup -type=txt solarwinds.com 8.8.8.8

"v=spf1 ip4:74.115.12.109 ip4:74.115.14.109 ip4:209.46.39.252 include:netsuite.com include:en25.com include:salesforce.com ?all"

Once again, all Thwack email is being caught by Google's Postini Spam filter...

danielleh

Hi Mark,

Apologies for the delay here. Our site was recently migrated between data centers and it seems we have a few outstanding issues that I am actively working on. I assure you we are working with our IT dept and platform vendor to remedy this. I hope to have an update for you soon.

Thank you for your patience!

Danielle

strict

When will this issue be resolved?

danielleh

So sorry for the delay here. There was a holdup but we are actively working on this now. I will provide an update ASAP.

danielleh

Mark - our IT team has implemented the changes needed. Can you confirm from your end that this is remedied?

Thanks,

Danielle