You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2014/12/11 16:06:47 UTC

[Bug 7112] New: SPF failures not caught for deeply nested records

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

            Bug ID: 7112
           Summary: SPF failures not caught for deeply nested records
           Product: Spamassassin
           Version: 3.4.1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules (Eval Tests)
          Assignee: dev@spamassassin.apache.org
          Reporter: jquinn+SAbug@pccc.com

Created attachment 5259
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5259&action=edit
Sample that reproduces the bug

We have been receiving spam that forges ebay.com, however it is not failing SPF
as it should. eBay's SPF records are quite large and deep, so we get an error
similar to the one described here:

http://www.openspf.org/Why?show-form=1&identity=ebay.com&ip-address=88.79.78.138&.submit=Submit

Attached is a snipped log of the SPF portion of scanning, as well as one of the
messages. Some searching implies it is a somewhat common issue, but nothing
SA-specific pops up. Perhaps there is a more elegant way we can deal with this
sort of error besides just giving up midway through checking? Maybe a rule like
SPF_BROKEN to detect this and apply a score?

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

--- Comment #7 from Kevin A. McGrail <km...@pccc.com> ---
I think higher is good and we can see what ruleQA says.

Regards,
KAM

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

--- Comment #2 from Mark Martinec <Ma...@ijs.si> ---
Maybe:

--- lib/Mail/SpamAssassin/Plugin/SPF.pm (revision 1646363)
+++ lib/Mail/SpamAssassin/Plugin/SPF.pm (working copy)
@@ -470,3 +470,6 @@
                                hostname     => $scanner->get_tag('HOSTNAME'),
-                               dns_resolver => $self->{main}->{resolver} );
+                               dns_resolver => $self->{main}->{resolver},
+                               max_dns_interactive_terms => 15);
+      # Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is
+      # not enough for ebay.com, setting it to 15
       1;

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

--- Comment #6 from Joe Quinn <jq...@pccc.com> ---
I have committed additional return status checking for SPF queries, and added
test rules for permerror and temperror/error.

There are two backends supported for performing the SPF queries, and they
handle errors differently. I was able to test the Mail::SPF backend against an
eBay forgery and correctly get T_SPF_TEMPERROR, but had to rely on
documentation for Mail::SPF::Query. I would also have liked to add unit testing
for it, but that requires someone to set up broken SPF records.

I think this should be enough of a framework for server operators to make more
informed decisions when a domain has this type of DNS issue.

Does anyone have an opinion on what sort of score this rule should be given? I
am inclined to give it 0.001 to line up with some of the other SPF rules, but I
can also argue scoring it higher for its indication of technical issues and
potential to bypass user rules that test SPF_NONE.

Committed revision 1656028.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

--- Comment #8 from Joe Quinn <jq...@pccc.com> ---
Found another bug, with a missing case for From SPF error handling.

Committed revision 1658431.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

--- Comment #3 from Mark Martinec <Ma...@ijs.si> ---
Any opinion on the above?

It does fix an fake ebay.com case, adding rule hits:

  0.7 SPF_SOFTFAIL       SPF: sender does not match SPF record (softfail)
  0.7 SPF_HELO_SOFTFAIL  SPF: HELO does not match SPF record (softfail)


Rising the limit from a default 10 to 15 goes against RFC 4408
section 10.1:

  SPF implementations MUST limit the number of mechanisms and modifiers
  that do DNS lookups to at most 10 per SPF check, including any
  lookups caused by the use of the "include" mechanism or the
  "redirect" modifier.  If this number is exceeded during a check, a
  PermError MUST be returned.  The "include", "a", "mx", "ptr", and
  "exists" mechanisms as well as the "redirect" modifier do count
  against this limit.

... but this is ebay.com after all. Also 10 vs. 15 does not make
much difference protecting against misuse. And we are already violating
the 20 second time limit clause in section 10.1:

  MTAs or other processors MAY also impose a limit on the maximum
  amount of elapsed time to evaluate check_host().  Such a limit SHOULD
  allow at least 20 seconds.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

Joe Quinn <jq...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jquinn+SAbug@pccc.com

--- Comment #1 from Joe Quinn <jq...@pccc.com> ---
Created attachment 5260
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5260&action=edit
Snipped log of scanning sample.txt

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

--- Comment #5 from Joe Quinn <jq...@pccc.com> ---
I think we also need some code to handle the underlying issue. Namely, some
kind of error handling for the case where a domain exceeds the limit, and
produce a rule like SPF_INVALID that scores between 0.5 and 1.0. Otherwise,
we'll have this exact same issue again the next time someone damns the
torpedoes and breaks the spec.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7112] SPF failures not caught for deeply nested records

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kmcgrail@pccc.com

--- Comment #4 from Kevin A. McGrail <km...@pccc.com> ---
I think it's a good patch because RFCs aside, we have to deal with real-world
issues.  We'll test it.

-- 
You are receiving this mail because:
You are the assignee for the bug.