SA Bugzilla – Bug 7360
SPF check plugin should verify reply to (From:) as well
Last modified: 2016-10-14 19:13:03 UTC
Right now it's possible to easily bypass SPF checks by spoofing From: (reply to) instead of the envelope sender (sender). Given that SpamAssassin checks only the envelope sender, it doesn't notice that someone is spoofing a foreign domain and accepts the e-mail with no negative score even if it originated from a server that isn't listed in the SPF records for the domain.

How to reproduce: send a spoofed mail using this command:

mail -aFrom:hacker@apache.org -s "Your SPF can be easily hacked!" someone@apache.org

The SPF check will not be able to recognize that it's a spoofed mail because the envelope sender will not be hacker@apache.org but the hostname of the mail server. However, 99% of all mail clients will display it as mail delivered by hacker@apache.org, and SpamAssassin should be able to know that.
SPF checks are applied to the envelope sender address. "From:" is not part of the SPF spec.
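The distinction in the reply above (SPF authenticates the SMTP envelope sender, while the visible From: header is a separate identity) is what DMARC's identifier-alignment rule later closes. The following is an added example, not code from SpamAssassin or from anyone in this thread: it takes a raw message plus an already-computed SPF verdict for the envelope domain and reports whether that domain aligns with the From: header domain in DMARC's "relaxed" or "strict" sense. The sample messages, domains and the simplified organizational-domain rule (last two labels, no public-suffix list) are constructed assumptions for illustration.

```python
"""Envelope-sender vs. header-From alignment check (DMARC-style, RFC 7489).

Added example. The SPF verdict is passed in rather than looked up, because a
real SPF evaluation needs DNS; the point shown here is that a passing SPF
result for the envelope domain says nothing about the From: header unless the
two domains are compared explicitly.
"""
from email import message_from_string
from email.utils import parseaddr


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.

    Assumption for this example only; production code would consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address in a header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spf_alignment(raw_message: str, spf_result: str, mode: str = "relaxed") -> dict:
    """Compare the SPF-checked envelope domain (Return-Path) with the From: domain.

    spf_result is the verdict already obtained for the envelope sender
    ('pass', 'fail', 'softfail', 'none', ...). The combined verdict
    'dmarc_spf_pass' requires both an SPF pass and identifier alignment.
    """
    msg = message_from_string(raw_message)
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    from_domain = domain_of(msg.get("From", ""))
    if not from_domain or not envelope_domain:
        aligned = False
    elif mode == "strict":
        aligned = envelope_domain == from_domain
    else:  # relaxed: organizational domains must match
        aligned = organizational_domain(envelope_domain) == organizational_domain(from_domain)
    return {
        "envelope_domain": envelope_domain,
        "from_domain": from_domain,
        "spf_result": spf_result,
        "aligned": aligned,
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }


# Constructed sample 1: a bounce address on a subdomain of the From: domain.
# Relaxed alignment holds; strict alignment does not.
MSG_ALIGNED = "\n".join([
    "Return-Path: <bounces@mail.example.net>",
    "From: Alice <alice@example.net>",
    "To: bob@example.com",
    "Subject: constructed aligned sample",
    "",
    "hello",
])

# Constructed sample 2: the situation described in the bug report. The
# envelope sender is the relay host's own address (so SPF for that host can
# pass), but the From: header names an unrelated domain.
MSG_MISALIGNED = "\n".join([
    "Return-Path: <nobody@mx1.relay.example>",
    "From: CEO <ceo@victim.example>",
    "To: bob@example.com",
    "Subject: constructed misaligned sample",
    "",
    "hello",
])


if __name__ == "__main__":
    for label, raw in (("aligned", MSG_ALIGNED), ("misaligned", MSG_MISALIGNED)):
        print(label, spf_alignment(raw, "pass"))
```

Run as a script, the second sample shows an SPF "pass" for the envelope domain that still yields `dmarc_spf_pass: False`, which is exactly the gap the reporter describes and the reason a mail filter that wants to protect the visible sender needs an alignment check (or DKIM/DMARC) on top of plain SPF.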
Do you realize that this renders SPF check absolutely useless? Every script kiddie can bypass it as it's implemented in SA right now.
(In reply to Petr Bena from comment #2)
> Do you realize that this renders SPF check absolutely useless? Every script
> kiddie can bypass it as it's implemented in SA right now.

SpamAssassin didn't invent the spec. SpamAssassin follows the spec.
Please take further comments to the SA users list. Bugzilla is not the right place to discuss this.
Maybe Sender-ID is much, much better than SPF? Ironically, Microsoft does not use it anymore :-)

(Using DKIM would be a solution.)

Or maybe it is time to add DMARC testing to SpamAssassin?
(In reply to Benny Pedersen from comment #5)
> maybe Sender-ID is much much better then SPF?
>
> ironical microsoft does not use it anymore :-)
>
> (use dkim would be solution)
>
> or maybe time to make dmarc testing in SpamAssassin ?

Please take further comments to the SA users list. Bugzilla is not the right place to discuss this. This also applies to you.