spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Hole in spfmilter 0.95

2005-08-19 07:09:09
from [Daniel Taylor] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If the MAIL From: is quoted, spfmilter-0.95 will not parse it correctly,
resulting in NONE results where it should generate a FAIL.

I'm checking this against other implementations right now, but I expect
this is unique to spfmilter.


Example:

EHLO j.random.example.org
MAIL FROM: "user(_at_)example(_dot_)com"
RCPT TO: user(_at_)example(_dot_)com

Slips through spfmilter.

This will not be a problem for compliant checkers, as HELO will
probably fail, but it could be a problem for anyone using older
implementations.

Lesson: make sure you validate your input.

- - --
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDBegF8/QSptFdBtURAl3/AJ0dUg/A9ENJtq4ePCRkVZOqKU7WNACfV0ZE
wuphmv6eVvyktC1h9JpFm0c=
=/urn
-----END PGP SIGNATURE-----
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: SPF Filter Questions, Stuart D. Gathman
Next by Date:  RE: No more xxxx=yes please (was: possibilities for 2822), Seth Goodman
Previous by Thread:  SPF Filter Questions, Bill IconSystemsNetwork.com
Next by Thread:  Re: Hole in spfmilter 0.95, Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]