Bug 7360 - SPF check plugin should verify reply to (From:) as well
Summary: SPF check plugin should verify reply to (From:) as well
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins
Version: unspecified
Hardware: PC Linux
Importance: P2 major
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-14 18:48 UTC by Petr Bena
Modified: 2016-10-14 19:13 UTC (History)
Description Petr Bena 2016-10-14 18:48:07 UTC
Right now it's possible to easily bypass SPF checks by spoofing From: (reply to) instead of envelope sender (sender).

Given that SpamAssassin checks only the envelope sender, it doesn't notice that someone is spoofing a foreign domain and accepts the e-mail with no negative score even if it originated from a server that isn't listed in the SPF records for the domain.

How to reproduce:

send spoofed mail using this command:

mail -aFrom:hacker@apache.org -s "Your SPF can be easily hacked!" someone@apache.org

The SPF check will not be able to recognize that it's a spoofed mail because the envelope sender will not be hacker@apache.org but the hostname of the mail server. However, 99% of all mail clients will display it as mail delivered by hacker@apache.org, and SpamAssassin should be able to know that.
Comment 1 AXB 2016-10-14 18:58:20 UTC
SPF checks are applied to the envelope sender address.
"From:" is not part of the SPF spec.
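The distinction in the description and in comment 1 can be shown offline. The following is an added example, not SpamAssassin's SPF plugin code: it evaluates a minimal SPF policy (ip4 mechanisms plus the trailing `all` qualifier) against a constructed in-memory table standing in for DNS TXT lookups, once for the envelope sender (the RFC5321.MailFrom identity that SPF is defined on) and once for the RFC5322.From header domain, and then reports whether the two identities are aligned, which is the extra check DMARC layers on top of SPF. The hostnames, IP ranges, SPF records and message are all constructed for the example; the reproduction message mirrors the `mail -aFrom:hacker@apache.org ...` command from the report.

```python
"""Added example (not SpamAssassin code): SPF is evaluated on the envelope
sender, so a message whose From: header is spoofed still gets an SPF pass
as long as the sending host is authorised for the envelope-sender domain.
Identifier alignment (DMARC) is what ties the result back to From:.
All records, hosts and addresses below are constructed for the example."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# mailhost.example.net: the sending host's own domain (assumed).
# apache.org: record invented for the example; not the real apache.org policy.
SPF_RECORDS = {
    "mailhost.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "apache.org": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Minimal SPF evaluator: ip4 mechanisms and the final 'all' term only
    (no include/redirect/a/mx). Returns pass, fail, softfail, neutral or none."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched, no 'all' term


def domain_of(addr):
    """Domain part of an address, lower-cased; handles 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def evaluate(raw_message, mail_from, client_ip):
    """Run SPF on the envelope sender (what SA's SPF plugin checks) and on the
    From: header domain, and report strict DMARC-style alignment between them.
    Strict alignment means the two domains are identical; relaxed alignment
    (organizational-domain match) would need a public-suffix list and is not
    implemented here."""
    msg = message_from_string(raw_message)
    env_domain = domain_of(mail_from)
    from_domain = domain_of(msg["From"])
    spf_envelope = check_spf(env_domain, client_ip)
    spf_header_from = check_spf(from_domain, client_ip)
    aligned = env_domain == from_domain
    return {
        "envelope_domain": env_domain,
        "from_domain": from_domain,
        "spf_envelope": spf_envelope,          # this is what SPF actually says
        "spf_header_from": spf_header_from,    # what the reporter expected SA to check
        "aligned": aligned,
        "dmarc_spf_pass": spf_envelope == "pass" and aligned,
    }


# Constructed message reproducing the report's spoof: From: is forged, but the
# envelope sender is whatever the local MTA uses (here nobody@mailhost.example.net).
SPOOFED = """From: hacker@apache.org
To: someone@apache.org
Subject: Your SPF can be easily hacked!

test
"""

if __name__ == "__main__":
    result = evaluate(SPOOFED, "nobody@mailhost.example.net", "203.0.113.7")
    for key, value in result.items():
        print(f"{key:17} {value}")
```

Run against the spoofed message from an authorised host for mailhost.example.net, the envelope-sender SPF result is `pass`, exactly as the reporter observed, while the From: domain's own record would give `fail` for that client IP; only the alignment field exposes the mismatch. Swap in an envelope sender at apache.org from 198.51.100.5 and both SPF checks pass and the identities align.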
Comment 2 Petr Bena 2016-10-14 18:59:51 UTC
Do you realize that this renders SPF check absolutely useless? Every script kiddie can bypass it as it's implemented in SA right now.
Comment 3 AXB 2016-10-14 19:06:19 UTC
(In reply to Petr Bena from comment #2)
> Do you realize that this renders SPF check absolutely useless? Every script
> kiddie can bypass it as it's implemented in SA right now.


SpamAssassin didn't invent the spec.
SpamAssassin follows the spec.
Comment 4 AXB 2016-10-14 19:08:16 UTC
Please take further comments to the SA users list.
Bugzilla is not the right place to discuss this.
Comment 5 Benny Pedersen 2016-10-14 19:09:36 UTC
Maybe Sender-ID is much, much better than SPF?

Ironically, Microsoft does not use it anymore :-)

(Using DKIM would be a solution.)

Or maybe it's time to add DMARC testing to SpamAssassin?
Comment 6 AXB 2016-10-14 19:13:03 UTC
(In reply to Benny Pedersen from comment #5)
> Maybe Sender-ID is much, much better than SPF?
> 
> Ironically, Microsoft does not use it anymore :-)
> 
> (Using DKIM would be a solution.)
> 
> Or maybe it's time to add DMARC testing to SpamAssassin?

Please take further comments to the SA users list.
Bugzilla is not the right place to discuss this.

This also applies to you.