You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2014/12/11 16:06:47 UTC
[Bug 7112] New: SPF failures not caught for deeply nested records
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
Bug ID: 7112
Summary: SPF failures not caught for deeply nested records
Product: Spamassassin
Version: 3.4.1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Rules (Eval Tests)
Assignee: dev@spamassassin.apache.org
Reporter: jquinn+SAbug@pccc.com
Created attachment 5259
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5259&action=edit
Sample that reproduces the bug
We have been receiving spam that forges ebay.com, however it is not failing SPF
as it should. eBay's SPF records are quite large and deep, so we get an error
similar to the one described here:
http://www.openspf.org/Why?show-form=1&identity=ebay.com&ip-address=88.79.78.138&.submit=Submit
Attached is a snipped log of the SPF portion of scanning, as well as one of the
messages. Some searching implies it is a somewhat common issue, but nothing
SA-specific pops up. Perhaps there is a more elegant way we can deal with this
sort of error besides just giving up midway through checking? Maybe a rule like
SPF_BROKEN to detect this and apply a score?
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #7 from Kevin A. McGrail <km...@pccc.com> ---
I think higher is good and we can see what ruleQA says.
Regards,
KAM
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #2 from Mark Martinec <Ma...@ijs.si> ---
Maybe:
--- lib/Mail/SpamAssassin/Plugin/SPF.pm (revision 1646363)
+++ lib/Mail/SpamAssassin/Plugin/SPF.pm (working copy)
@@ -470,3 +470,6 @@
hostname => $scanner->get_tag('HOSTNAME'),
- dns_resolver => $self->{main}->{resolver} );
+ dns_resolver => $self->{main}->{resolver},
+ max_dns_interactive_terms => 15);
+ # Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is
+ # not enough for ebay.com, setting it to 15
1;
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #6 from Joe Quinn <jq...@pccc.com> ---
I have committed additional return status checking for SPF queries, and added
test rules for permerror and temperror/error.
There are two backends supported for performing the SPF queries, and they
handle errors differently. I was able to test the Mail::SPF backend against an
eBay forgery and correctly get T_SPF_TEMPERROR, but had to rely on
documentation for Mail::SPF::Query. I would also have liked to add unit testing
for it, but that requires someone to set up broken SPF records.
I think this should be enough of a framework for server operators to make more
informed decisions when a domain has this type of DNS issue.
Does anyone have an opinion on what sort of score this rule should be given? I
am inclined to give it 0.001 to line up with some of the other SPF rules, but I
can also argue scoring it higher for its indication of technical issues and
potential to bypass user rules that test SPF_NONE.
Committed revision 1656028.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #8 from Joe Quinn <jq...@pccc.com> ---
Found another bug, with a missing case for From SPF error handling.
Committed revision 1658431.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #3 from Mark Martinec <Ma...@ijs.si> ---
Any opinion on the above?
It does fix an fake ebay.com case, adding rule hits:
0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
Rising the limit from a default 10 to 15 goes against RFC 4408
section 10.1:
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check, including any
lookups caused by the use of the "include" mechanism or the
"redirect" modifier. If this number is exceeded during a check, a
PermError MUST be returned. The "include", "a", "mx", "ptr", and
"exists" mechanisms as well as the "redirect" modifier do count
against this limit.
... but this is ebay.com after all. Also 10 vs. 15 does not make
much difference protecting against misuse. And we are already violating
the 20 second time limit clause in section 10.1:
MTAs or other processors MAY also impose a limit on the maximum
amount of elapsed time to evaluate check_host(). Such a limit SHOULD
allow at least 20 seconds.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
Joe Quinn <jq...@pccc.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jquinn+SAbug@pccc.com
--- Comment #1 from Joe Quinn <jq...@pccc.com> ---
Created attachment 5260
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5260&action=edit
Snipped log of scanning sample.txt
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #5 from Joe Quinn <jq...@pccc.com> ---
I think we also need some code to handle the underlying issue. Namely, some
kind of error handling for the case where a domain exceeds the limit, and
produce a rule like SPF_INVALID that scores between 0.5 and 1.0. Otherwise,
we'll have this exact same issue again the next time someone damns the
torpedoes and breaks the spec.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7112] SPF failures not caught for deeply nested records
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
Kevin A. McGrail <km...@pccc.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@pccc.com
--- Comment #4 from Kevin A. McGrail <km...@pccc.com> ---
I think it's a good patch because RFCs aside, we have to deal with real-world
issues. We'll test it.
--
You are receiving this mail because:
You are the assignee for the bug.