Roy Badami wrote:
> During the SMTP transaction from apache.org to that list member, the
> list member (or their ISP) applied SMTP-time SPF checks (presumably
> during the DATA phase) and incorrectly used the value of the
> pre-existing Return-Path header rather than the address specified in
> the MAIL FROM command. They hence looked up the SPF record of the
> original sender of the message, and as a result they rejected the
> transaction as forged.
The problem is right there: it is astoundingly NOT okay to use the Return-Path,
instead of the envelope-from! Hence, it is wholly inconsequential who when
inserted what header to whom, and why.
> And this filter either has a bug or is incorrectly configured in this
> instance, causing it to inspect the Return-Path header during the SMTP
> transaction.
This is decidedly wrong. I am not on spamassassin-devel; but you can tell 'em I
said so. :)
> Anyone have any ideas what they're running?
Since the envelope-from is not always available to filters like SA, I
understand that some implementors will use the old shortcut, and simply grab
something "useful" from the headers instead. They should not do that -- for
obvious reasons. Instead, if you must do SPF at the LDA phase, have your MTA
add an extra, local header, which specifically holds the envelope-from (if it
does not already do so; sendmail does), and use that. For instance, a typical
sendmail header will look like this (live header):
Received: from mail.apache.org (hermes.apache.org [209.237.227.199])
by asarian-host.net (8.12.11/8.12.11) with SMTP id i4DG9hdE069744
for <admin(_at_)asarian-host(_dot_)net>; Thu, 13 May 2004 18:09:44 +0200
(CEST)
(envelope-from spamassassin-users ... @incubator.apache.org)
Let the LDA grab that for envelope-address.
Yes, I sound a bit passionate about this. But I feel it is really important
that SPF implementors, such as the folks at SA, really do not get the wrong
idea about SPF. A few bad apples, and all.
Cheers,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
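The check Mark describes, worked through as an added example in Python (this is not code from the thread or from any SPF implementation): evaluate SPF against the MAIL FROM address that the local MTA recorded in its own "(envelope-from ...)" Received comment, never against a pre-existing Return-Path header, which belongs to an earlier hop. The sample message, the hostnames and addresses, the LOCAL_MTA name and the in-memory SPF_POLICY table are all constructed stand-ins for real mail and DNS data.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample (not from the thread): a post relayed through a mailing
# list. The original sender's Return-Path survives in the headers, but the
# envelope sender of the delivering SMTP transaction is the list's bounce
# address, which the receiving MTA recorded in the topmost Received header.
SAMPLE_MESSAGE = (
    "Received: from list.example.org (list.example.org [192.0.2.10])\n"
    "\tby mx.example.net (8.12.11/8.12.11) with SMTP id i4DG9hdE000001\n"
    "\tfor <user@example.net>; Thu, 13 May 2004 18:09:44 +0200 (CEST)\n"
    "\t(envelope-from list-bounces@example.org)\n"
    "Received: from mail.example.com (mail.example.com [198.51.100.5])\n"
    "\tby list.example.org (8.12.11/8.12.11) with ESMTP id i4DFx0AB000002\n"
    "\tfor <list@example.org>; Thu, 13 May 2004 17:59:00 +0200 (CEST)\n"
    "\t(envelope-from alice@example.com)\n"
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "To: list@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Hostname our own MTA writes after "by" in the Received header it adds (assumed).
LOCAL_MTA = "mx.example.net"

# Constructed stand-in for DNS SPF records: domain -> IPs allowed to send for it.
SPF_POLICY = {
    "example.org": {"192.0.2.10"},
    "example.com": {"198.51.100.5"},
}

ENVELOPE_FROM_RE = re.compile(r"\(envelope-from\s+<?([^>\s)]+)>?\)")
CONNECTING_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def local_received(msg: Message) -> Optional[str]:
    """Return the topmost Received header, but only if our own MTA wrote it.
    Every lower Received header came from some other host and may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = received[0]
    by = BY_RE.search(top)
    if by is None or by.group(1).lower() != LOCAL_MTA:
        return None
    return top


def envelope_from(msg: Message) -> Optional[str]:
    """MAIL FROM of the delivering transaction, as recorded by our MTA."""
    top = local_received(msg)
    if top is None:
        return None
    m = ENVELOPE_FROM_RE.search(top)
    return m.group(1) if m else None


def connecting_ip(msg: Message) -> Optional[str]:
    """IP of the client that delivered the message to our MTA."""
    top = local_received(msg)
    if top is None:
        return None
    m = CONNECTING_IP_RE.search(top)
    return m.group(1) if m else None


def return_path(msg: Message) -> Optional[str]:
    """The pre-existing Return-Path: the envelope sender of a *previous* hop."""
    rp = msg.get("Return-Path")
    return rp.strip().strip("<>") if rp else None


def spf_result(sender: Optional[str], ip: Optional[str]) -> str:
    """Toy SPF evaluation against SPF_POLICY instead of a DNS lookup."""
    if not sender or not ip or "@" not in sender:
        return "none"
    domain = sender.rsplit("@", 1)[1].lower()
    allowed = SPF_POLICY.get(domain)
    if allowed is None:
        return "none"
    return "pass" if ip in allowed else "fail"


def check_message(raw: str) -> dict:
    """Compare the wrong identity (Return-Path) with the right one (envelope-from)."""
    msg = message_from_string(raw)
    ip = connecting_ip(msg)
    return {
        "ip": ip,
        "return_path": return_path(msg),
        "envelope_from": envelope_from(msg),
        "wrong_result": spf_result(return_path(msg), ip),   # the false "forged" verdict
        "right_result": spf_result(envelope_from(msg), ip),  # what SPF should have checked
    }


if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
```

Run against the sample, the Return-Path-based check fails (alice's domain does not authorise the list server's IP) while the envelope-from-based check passes, which is exactly the false rejection the thread describes. Note that the extraction trusts only the Received header whose "by" clause names the local MTA; if that header is missing, the filter gets no identity at all rather than falling back to a header some earlier hop could have set.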