Friday, 17. March 2006

Hotmail, SPF, False positives
A user complains that her friend attempting to email from somewhere in South America has received a hard bounce. This isn't hugely surprising but I offer to take a look. Fortunately she has samples of email sent by the same sender in the recent past which were successfully delivered. I ask to see one, to look at the headers.
It's from Hotmail! How come we bounced it - we have them whitelisted, don't we?
Well. Yes and no. We certainly have a lot of Hotmail IPs whitelisted but do we have them all? How to check...
I know. Let's look at their SPF records. Those will tell me what IPs are permitted to send Hotmail.
The SPF TXT record in hotmail.com currently points to four other SPF records in four subdomains, spf-a.hotmail.com, spf-b.hotmail.com, spf-c.hotmail.com and spf-d.hotmail.com.
Each of those lists an impressive range of IPv4 networks. There are a total of 39 networks listed ranging in size from /24 (256 individual IP addresses) to /14 (262,144 individual IP addresses).
In total 1,014,528 IP addresses are permitted senders for Hotmail.
Seems a little high.
And of course we didn't have all of these whitelisted, so a SORBS DNSBL listing, probably caused by a spamtrap hit, was sufficient to bounce my user's friend's email.
Added 65.54.128.0/17 to the whitelist. Moved on. But not before wondering, why?
- There is actually a lot of duplication within the Hotmail SPF records. For example, both 65.52.0.0/14 and 65.54.128.0/17 are listed as permitted senders but the latter network is wholly enclosed by the former. But even taking this duplication into account there are still several hundred thousand unique IPs explicitly permitted to send Hotmail.
- And then there are all the others. The Hotmail SPF records all end in "~all", so mail from any IP that is not listed only ever produces a soft fail at a receiving site, and even sites that do check SPF will most likely accept it anyway (a soft fail is a hint to treat the message with suspicion, not an instruction to reject it).
- And what about those networks named in Hotmail SPF that never send any email at all? Why are they listed? Here's an example:
157.56.0.0/14 is a Hotmail permitted sender. That's four consecutive class B networks from 157.56.0.0 to 157.59.255.255 or 262,144 addresses. According to Senderbase, not one of these IPs has ever been witnessed sending email.
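As an added worked example (not part of the original post, and not Hotmail's real records), here is a small Python script that does by program what the notes above do by hand: it follows include: mechanisms, totals the listed address space, collapses enclosed and duplicate networks (the 65.54.128.0/17-inside-65.52.0.0/14 case), evaluates a sending IP against a record that ends in "~all", and reports which parts of the permitted space a local whitelist does not yet cover. The domain names, record contents, whitelist entries and the self-including loop record are all constructed; the post does not say whether hotmail.com references its four spf-?.hotmail.com records with include: or redirect=, so include: is assumed here.

```python
import ipaddress

# Constructed sample records for illustration only. These are NOT the real
# hotmail.com SPF records; the post only says hotmail.com's TXT record points
# at spf-a..spf-d.hotmail.com. The overlap (65.54.128.0/17 inside
# 65.52.0.0/14) and the duplicate 207.46.0.0/16 are deliberate.
SAMPLE_RECORDS = {
    "example-mail.test": "v=spf1 include:spf-a.example-mail.test "
                         "include:spf-b.example-mail.test ~all",
    "spf-a.example-mail.test": "v=spf1 ip4:65.52.0.0/14 ip4:65.54.128.0/17 "
                               "ip4:207.46.0.0/16 ~all",
    "spf-b.example-mail.test": "v=spf1 ip4:157.56.0.0/14 ip4:207.46.0.0/16 "
                               "ip4:64.4.0.0/18 ~all",
}
# Constructed self-including record: the lookup limit must turn this into permerror.
LOOP_RECORDS = {"loop.test": "v=spf1 include:loop.test -all"}

SAMPLE_RESOLVER = SAMPLE_RECORDS.__getitem__   # stands in for a DNS TXT lookup
MAX_DNS_LOOKUPS = 10  # RFC 4408 section 10.1 limit on DNS-querying mechanisms


def parse_spf(domain, resolver, lookups=None):
    """Return (permitted ip4 networks, qualifier of the top-level 'all' term).

    include: is expanded recursively; only '+' ip4 terms are collected
    (a/mx/ptr/exists need live DNS and are ignored here). An included
    record's own 'all' term does not propagate, matching SPF semantics.
    """
    if lookups is None:
        lookups = [0]
    terms = resolver(domain).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % domain)
    nets, all_qual = [], None
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("ip4:") and qual == "+":
            nets.append(ipaddress.IPv4Network(term[4:], strict=False))
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                raise RuntimeError("permerror: more than %d DNS lookups" % MAX_DNS_LOOKUPS)
            nets.extend(parse_spf(term[8:], resolver, lookups)[0])
        elif term == "all":
            all_qual = qual
    return nets, all_qual


def total_addresses(nets):
    return sum(n.num_addresses for n in nets)


def dedup(nets):
    """Drop enclosed and duplicate networks (e.g. a /17 listed inside a /14)."""
    return sorted(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(str(n), strict=False) for n in nets))


def check_sender(ip, nets, all_qual):
    """SPF result for a sending IP: pass on any match, else whatever 'all' says."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in n for n in nets):
        return "pass"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}.get(all_qual, "neutral")


def evaluate(domain, resolver, ip):
    try:
        nets, all_qual = parse_spf(domain, resolver)
    except (RuntimeError, ValueError, KeyError):
        return "permerror"
    return check_sender(ip, nets, all_qual)


def missing_from_whitelist(spf_nets, whitelist):
    """Parts of the SPF-permitted space that a local whitelist does not cover."""
    remaining = dedup(spf_nets)
    for w in dedup(whitelist):
        kept = []
        for r in remaining:
            if r.subnet_of(w):
                continue                            # fully covered
            if w.subnet_of(r):
                kept.extend(r.address_exclude(w))   # partially covered
            else:
                kept.append(r)                      # disjoint
        remaining = kept
    return dedup(remaining)


if __name__ == "__main__":
    nets, qual = parse_spf("example-mail.test", SAMPLE_RESOLVER)
    print("listed:", len(nets), "networks,", total_addresses(nets), "addresses")
    print("unique:", len(dedup(nets)), "networks,", total_addresses(dedup(nets)), "addresses")
    print("65.54.200.1 ->", check_sender("65.54.200.1", nets, qual))
    print("198.51.100.7 ->", check_sender("198.51.100.7", nets, qual))
    print("not whitelisted:", missing_from_whitelist(nets, ["65.52.0.0/14"]))
    print("loop.test ->", evaluate("loop.test", LOOP_RECORDS.__getitem__, "192.0.2.1"))
```

The raw and deduplicated totals differ by exactly the enclosed /17 plus the duplicate /16, which is the kind of double counting the post noticed in the real records; the lookup cap is there because a whitelist-building script that follows include: chains from arbitrary domains must not be driven into unbounded recursion by a looping or deliberately deep record.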
Bottom line - if you want to be sure of accepting Hotmail (and actually, we do so long as the sender's email address is not a "Personal Address"), it is all but impossible to pre-empt all blacklisting using your whitelist because Hotmail's sender policy is so opaque.
Category: Spam miscellany
Technorati: Spam Hotmail