Posted to users@spamassassin.apache.org by Bob Proulx <bo...@proulx.com> on 2004/10/17 23:37:04 UTC

SA with SPF and Return-Path: versus From:

I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
messages.  It seems to be checking the Return-Path: address (envelope
address) and not the From: address (header address).  That's wrong,
isn't it?  Shouldn't it be checking the header address?  Of course
when I reply my mailer uses the header From: address to generate the
response message.

Here is an example typical of the forgeries that are getting passed
through SA at the moment.  I trimmed a real forged message to a
smaller example.  This should trigger an SPF failure because I have
SPF records published for this domain just to stop this type of
forgery.  But SA does not see it and passes it through.

  From shayfift252@zahav.net.il Sun Oct 17 09:51:15 2004
  Return-Path: <sh...@zahav.net.il>
  Delivered-To: bob@proulx.com
  Received: from zahav.net.il (unknown [66.219.104.215])
  	  by joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7
  	  for <bo...@proulx.com>; Sun, 17 Oct 2004 09:51:10 -0600 (MDT)
  Message-ID: <20...@from.header.has.no.domain>
  From: forged-from@proulx.com
  To: bob@example.com
  Subject: I am spam, spam I am
  Date: 17 Oct 2004 11:51:08 -0400

  spam spam spam

And SA says this in the debug output.

  debug: SPF: query for shayfift252@zahav.net.il/66.219.104.215/zahav.net.il: result: none, comment: SPF: domain of sender shayfift252@zahav.net.il does not designate mailers

By this I deduce that SA is checking the "Return-Path:" and ignoring
the "From:" address.  What is the logic behind this?  Shouldn't SA be
checking the From: address headers?

Second related question.  If this message comes from a mail relay
in my trusted_networks then SA thinks it can't trust the mail relay.
But isn't that the entire purpose for the trusted_networks setting to
say that I can trust that host?  It does still check the helo name.

  From shayfift252@zahav.net.il Sun Oct 17 09:51:15 2004
  Return-Path: <sh...@aol.com>
  Delivered-To: bob@misery.proulx.com
  Received: from joseki.proulx.com (joseki.proulx.com [216.17.153.58])
          by misery.proulx.com (Postfix) with ESMTP id 02F598A209
          for <bo...@misery.proulx.com>; Sun, 17 Oct 2004 09:51:15 -0600 (MDT)
  Received: from zahav.net.il (unknown [66.219.104.215])
  	  by joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7
  	  for <bo...@proulx.com>; Sun, 17 Oct 2004 09:51:10 -0600 (MDT)
  Message-ID: <20...@from.header.has.no.domain>
  From: forged-from@proulx.com
  To: bob@proulx.com
  Subject: I am spam, spam I am
  Date: 17 Oct 2004 11:51:08 -0400

  spam spam spam

I get this message from SA.

  debug: SPF: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping

Obviously this eliminates any usefulness of the SPF checks in SA.  So
I am wondering if I should disable those checks to avoid the DNS
lookups and to speed up SA processing.

Thanks
Bob

Re: SA with SPF and Return-Path: versus From:

Posted by Bob Proulx <bo...@proulx.com>.
Kelson wrote:
> Bob Proulx wrote:
> > I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
> > messages.  It seems to be checking the Return-Path: address (envelope
> > address) and not the From: address (header address).  That's wrong,
> > isn't it?  Shouldn't it be checking the header address?  Of course
> > when I reply my mailer uses the header From: address to generate the
> > response message.
> 
> No, SPF is designed to check the envelope sender, not the address in the 
> header.
> 
> In case you're wondering why, note the From: and Return-Path addresses 
> on this message.  If SPF checked the From: address (@speed.net), it 
> wouldn't pass (mail.apache.org is not likely to be listed in the average 
> list member's SPF record)

Aha!  Yes, that makes perfect sense.  (Feeling sheepish that I did not
see that clearly myself.)

Thanks
Bob

Re: SA with SPF and Return-Path: versus From:

Posted by Kelson <ke...@speed.net>.
Bob Proulx wrote:
> I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
> messages.  It seems to be checking the Return-Path: address (envelope
> address) and not the From: address (header address).  That's wrong,
> isn't it?  Shouldn't it be checking the header address?  Of course
> when I reply my mailer uses the header From: address to generate the
> response message.

No, SPF is designed to check the envelope sender, not the address in the 
header.

In case you're wondering why, note the From: and Return-Path addresses 
on this message.  If SPF checked the From: address (@speed.net), it 
wouldn't pass (mail.apache.org is not likely to be listed in the average 
list member's SPF record)

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


Re: SA with SPF and Return-Path: versus From:

Posted by David Brodbeck <gu...@gull.us>.
On Sun, 17 Oct 2004 15:37:04 -0600, Bob Proulx wrote
> I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
> messages.  It seems to be checking the Return-Path: address (envelope
> address) and not the From: address (header address).  That's wrong,
> isn't it?

No...SPF is designed to check the envelope sender.  If you check the From:
header, you start running into problems with things like mailing lists.
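
Added example (not part of any poster's message, and not SpamAssassin's code): a minimal offline SPF evaluator applied to the forged message from the first post and to a constructed mailing-list post, showing what each choice of identity (Return-Path: versus From:) would yield. The SPF records, the list bounce address, the member address and the 192.0.2.x addresses are constructed assumptions, not real DNS data.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (not real DNS data).
SPF = {
    "proulx.com": "v=spf1 ip4:216.17.153.58 -all",
    "speed.net": "v=spf1 ip4:192.0.2.10 -all",
    "apache.org": "v=spf1 ip4:192.0.2.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Evaluate a record's ip4 and all mechanisms only (enough for this demo)."""
    record = SPF.get(domain)
    if record is None:
        return "none"          # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"           # nothing matched and no "all" term

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def compare(raw_message, client_ip):
    """SPF result for the envelope sender versus the header From: domain."""
    msg = message_from_string(raw_message)
    return {"envelope": spf_check(domain_of(msg["Return-Path"]), client_ip),
            "header_from": spf_check(domain_of(msg["From"]), client_ip)}

# The forged message from the first post, trimmed to the two headers that matter.
FORGED = ("Return-Path: <shayfift252@zahav.net.il>\n"
          "From: forged-from@proulx.com\n\nspam spam spam\n")
# Constructed list post: list server is the envelope sender, member is in From:.
LIST_POST = ("Return-Path: <list-bounces@apache.org>\n"
             "From: member@speed.net\n\nhello list\n")

if __name__ == "__main__":
    print(compare(FORGED, "66.219.104.215"))   # spammer's connecting IP
    print(compare(LIST_POST, "192.0.2.25"))    # constructed list-server IP
```

The forged message yields `none` on the envelope, matching the debug line in the first post, while the list post passes on the envelope but would fail if the header From: domain were checked instead.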