Posted to dev@spamassassin.apache.org by da...@chaosreigns.com on 2011/04/21 18:55:38 UTC

Shouldn't ignore_received_spf_header default to 1?

By default, it seems SA will honor Received-SPF headers, while I would
guess most people aren't inserting it at their MTA, so it's a great
opportunity for spammers to forge the header to say their email passed SPF.

So, shouldn't it be disabled by default, by setting
ignore_received_spf_header to 1?


It seems like it would be nice to have a rule like 
(SPF_PASS && !SPF_IN_HOSTKARMA_BL)
where SPF_IN_HOSTKARMA_BL is a lookup of the domain from the Received-SPF
header in the hostkarma.junkemailfilter.com zone returning 127.0.0.2.  Or
any other domain blacklist.  I just grabbed one from the bottom of
http://www.sdsc.edu/~jeff/spam/cbc.html

-- 
"You will need: a big heavy rock, something with a bit of a swing to it...
perhaps Mars" - How to destroy the Earth
http://www.ChaosReigns.com

Re: Shouldn't ignore_received_spf_header default to 1?

Posted by Benny Pedersen <me...@junc.org>.
On Thu, 21 Apr 2011 13:36:16 -0400, darxus@chaosreigns.com wrote:

> Ohh, sounds like it might ignore anything added before an internal relay,
> so the current default is fine?

this mail has:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-ip=140.211.11.3; helo=mail.apache.org;
envelope-from=dev-return-45187-me=junc.org@spamassassin.apache.org;
receiver=me@junc.org

where is my ip or hostname ? :)

spf plugin should only check envelope sender not from: also why i created
a bug on it, it does not even filter out maillists with maillist.pm, i will try
to make a patch to show how to at least minimize the problem





Re: Shouldn't ignore_received_spf_header default to 1?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 21/04/2011 1:41 PM, darxus@chaosreigns.com wrote:
> Yep, I have a bunch of emails where google inserted a "Received-SPF: pass"
> header that didn't hit SA's SPF_PASS rule.  Then I started inserting that
> header myself, and it hits SPF_PASS.  So it is ignoring Received-SPF
> headers from non-local relays.  Nicely done.

Occasionally I design things properly. ;)

Daryl

Re: Shouldn't ignore_received_spf_header default to 1?

Posted by da...@chaosreigns.com.
Yep, I have a bunch of emails where google inserted a "Received-SPF: pass"
header that didn't hit SA's SPF_PASS rule.  Then I started inserting that
header myself, and it hits SPF_PASS.  So it is ignoring Received-SPF
headers from non-local relays.  Nicely done.

(The ignore_received_spf_header should not be changed to 1.)

A rule for (SPF_PASS && !SPF_IN_*_BL) would still be nice.

-- 
"This hurts quite a bit. Very painful."
"Think of the sensation as reassurance that you are not dead yet. What
you are feeling is life in you!" - Johnny The Homicidal Maniac
http://www.ChaosReigns.com

Re: Shouldn't ignore_received_spf_header default to 1?

Posted by da...@chaosreigns.com.
I meant to link to the relevant docs:
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_SPF

On 04/21, Benny Pedersen wrote:
> this header could be removed in mta, and readded if spf pass in mta, it's
> just not any stable milters that does it so far, but if headers is removed
> and added it most likely invalidates dkim if remote signed it

"By default, when using Received-SPF headers, the plugin will attempt to
use the oldest (bottom most) Received-SPF headers, that were added by
internal relays..."
^^^^^^^^^^^^^^^

Ohh, sounds like it might ignore anything added before an internal relay,
so the current default is fine?


Also, postfix can add this Received-SPF header with
https://launchpad.net/postfix-policyd-spf-perl/

-- 
"It's never too late to panic."
http://www.ChaosReigns.com
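
The documented behaviour quoted above (use the bottom-most Received-SPF header added by internal relays), as an added Python sketch that is not SpamAssassin's code and not from anyone in this thread. The internal network 192.0.2.0/24, the sample headers, and the assumption that a relay writes Received-SPF above its own Received line are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the networks our own relays live in (constructed value).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample, newest header first, as headers sit in a delivered message.
SAMPLE = [
    ("Received", "from mx1.example.net (mx1.example.net [192.0.2.10]) by store.example.net"),
    ("Received-SPF", "softfail (constructed) identity=mailfrom; client-ip=203.0.113.7"),
    ("Received", "from mail.sender.example (unknown [203.0.113.7]) by mx1.example.net"),
    ("Received-SPF", "pass (forged before submission) identity=mailfrom"),
    ("Received", "from localhost (localhost [127.0.0.1]) by mail.sender.example"),
]

def client_ip(received_value):
    """Connecting client's address from the first [bracketed] literal, or None."""
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", received_value)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)

def internal_headers(headers):
    """Headers written by our relays: everything down to and including the
    first Received line whose client is outside INTERNAL_NETS."""
    trusted = []
    for name, value in headers:
        trusted.append((name, value))
        # An unparseable or external client marks the handover; fail closed.
        if name.lower() == "received" and not is_internal(client_ip(value)):
            break
    return trusted

def trusted_spf_result(headers):
    """Result word of the bottom-most Received-SPF inside the trusted region."""
    spf = [v for n, v in internal_headers(headers) if n.lower() == "received-spf"]
    return spf[-1].split()[0].lower() if spf else None

if __name__ == "__main__":
    print(trusted_spf_result(SAMPLE))
```

The sender-supplied "pass" sits below the handover Received line, so it never reaches the result; only the header written by mx1 is considered.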

Re: Shouldn't ignore_received_spf_header default to 1?

Posted by Benny Pedersen <me...@junc.org>.
On Thu, 21 Apr 2011 12:55:38 -0400, darxus@chaosreigns.com wrote:
> By default, it seems SA will honor Received-SPF headers, while I would
> guess most people aren't inserting it at their MTA, so it's a great
> opportunity for spammers to forge the header to say their email passed SPF.

this header could be removed in mta, and readded if spf pass in mta, it's
just not any stable milters that does it so far, but if headers is removed
and added it most likely invalidates dkim if remote signed it

> So, shouldn't it be disabled by default, by setting
> ignore_received_spf_header to 1?

agree

> It seems like it would be nice to have a rule like
> (SPF_PASS && !SPF_IN_HOSTKARMA_BL)
> where SPF_IN_HOSTKARMA_BL is a lookup of the domain from the Received-SPF
> header in the hostkarma.junkemailfilter.com zone returning 127.0.0.2.  Or
> any other domain blacklist.  I just grabbed one from the bottom of
> http://www.sdsc.edu/~jeff/spam/cbc.html

or report to spamhaus dbl zone, if that's possible ?