spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SPF implementation error

2004-05-12 15:36:03
from [Roy Badami] [Permanent Link] 

There's currently a thread on spamassassin-dev which relates to a list
message being bounced (incorrectly, as far as I can see) as a result
of SPF checks by a list member.

Of course, it's possible that this is due to configuration error or a
homebrew SPF implemenation, but it's also possible that it's due to a
bug in a widely-distributed SPF implementation, which is why I'm
raising the issue here.

Here is my best guess as to what happened...

Someone who publishes SPF records posted to the spamassassin-users
list, which is hosted by apache.org.  Apache.org's MTA added a
Return-Path header to the message (containing the originator's
address) when it delivered the message to the list processor software.

The list processor software left the Return-Path header in the message
when it sent it to the list members.  Normally, Return-Path is only
added at final delivery, and RFC2821 says that SMTP messages SHOULD
NOT be sent with an existing Return-Path header.  But since it says
SHOULD NOT rather than MUST NOT, one has to be prepared to receive
such messages.

So the list processor distributed the message to list members, and one
list member (or their ISP) was employing SPF checks.

During the SMTP transaction from apache.org to that list member, the
list member (or their ISP) applied SMTP-time SPF checks (presumably
during the DATA phase) and incorrectly used the value of the
pre-existing Return-Path header rather than the address specified in
the MAIL FROM command.  They hence looked up the SPF record of the
orignal sender of the message, and as a result they rejected the
transaction as forged.

I suspect that the cause of the recipent's misbehaviour is that they
are using an SPF filter at SMTP time that is designed to also support
use at (or after) delivery time, and hence has logic to extract the
envelope sender from the headers.

And this filter either has a bug or is incorrectly configured in this
instance, causing it to inspect the Return-Path header during the SMTP
transaction.

Anyone have any ideas what they're running?

You can find the spamassassin-dev thread on MARC here:

http://marc.theaimsgroup.com/?l=spamassassin-devel&m=108434614413252&w=2

Alternatively you can browse the recent spamassassin-dev archives on
GMANE here:

http://news.gmane.org/gmane.mail.spam.spamassassin.devel

Look for a thread with subject "spamassassin-users-owner SPF rejection"

     -roy
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SV: SV: Recursion limit of 20 include/redirects total, Lars Dybdahl
Next by Date:  Re: SPF implementation error, Różański Sergiusz
Previous by Thread:  fallback SPF records, Jeremy Jackson
Next by Thread:  Re: SPF implementation error, Różański Sergiusz
Indexes:  [Date] [Thread] [Top] [All Lists]