Posted to users@spamassassin.apache.org by Bob Proulx <bo...@proulx.com> on 2004/10/17 23:37:04 UTC
SA with SPF and Return-Path: versus From:
I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
messages. It seems to be checking the Return-Path: address (envelope
address) and not the From: address (header address). That's wrong,
isn't it? Shouldn't it be checking the header address? Of course
when I reply my mailer uses the header From: address to generate the
response message.
Here is an example typical of the forgeries that are getting passed
through SA at the moment. I trimmed a real forged message to a
smaller example. This should trigger an SPF failure because I have
SPF records published for this domain just to stop this type of
forgery. But SA does not see it and passes it through.

From shayfift252@zahav.net.il Sun Oct 17 09:51:15 2004
Return-Path: <sh...@zahav.net.il>
Delivered-To: bob@proulx.com
Received: from zahav.net.il (unknown [66.219.104.215])
    by joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7
    for <bo...@proulx.com>; Sun, 17 Oct 2004 09:51:10 -0600 (MDT)
Message-ID: <20...@from.header.has.no.domain>
From: forged-from@proulx.com
To: bob@example.com
Subject: I am spam, spam I am
Date: 17 Oct 2004 11:51:08 -0400

spam spam spam

And SA says this in the debug output.

debug: SPF: query for shayfift252@zahav.net.il/66.219.104.215/zahav.net.il: result: none, comment: SPF: domain of sender shayfift252@zahav.net.il does not designate mailers

By this I deduce that SA is checking the "Return-Path:" and ignoring
the "From:" address. What is the logic behind this? Shouldn't SA be
checking the From: address headers?
Second related question. If this message comes from a mail relay
in my trusted_networks then SA thinks it can't trust the mail relay.
But isn't that the entire purpose for the trusted_networks setting to
say that I can trust that host? It does still check the helo name.

From shayfift252@zahav.net.il Sun Oct 17 09:51:15 2004
Return-Path: <sh...@aol.com>
Delivered-To: bob@misery.proulx.com
Received: from joseki.proulx.com (joseki.proulx.com [216.17.153.58])
    by misery.proulx.com (Postfix) with ESMTP id 02F598A209
    for <bo...@misery.proulx.com>; Sun, 17 Oct 2004 09:51:15 -0600 (MDT)
Received: from zahav.net.il (unknown [66.219.104.215])
    by joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7
    for <bo...@proulx.com>; Sun, 17 Oct 2004 09:51:10 -0600 (MDT)
Message-ID: <20...@from.header.has.no.domain>
From: forged-from@proulx.com
To: bob@proulx.com
Subject: I am spam, spam I am
Date: 17 Oct 2004 11:51:08 -0400

spam spam spam

I get this message from SA.

debug: SPF: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping

Obviously this eliminates any usefulness of the SPF checks in SA. So
I am wondering if I should disable those checks to avoid the DNS
lookups and to speed up SA processing.
Thanks
Bob
Re: SA with SPF and Return-Path: versus From:
Posted by Bob Proulx <bo...@proulx.com>.
Kelson wrote:
> Bob Proulx wrote:
> > I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
> > messages. It seems to be checking the Return-Path: address (envelope
> > address) and not the From: address (header address). That's wrong,
> > isn't it? Shouldn't it be checking the header address? Of course
> > when I reply my mailer uses the header From: address to generate the
> > response message.
>
> No, SPF is designed to check the envelope sender, not the address in the
> header.
>
> In case you're wondering why, note the From: and Return-Path addresses
> on this message. If SPF checked the From: address (@speed.net), it
> wouldn't pass (mail.apache.org is not likely to be listed in the average
> list member's SPF record)
Aha! Yes, that makes perfect sense. (Feeling sheepish that I did not
see that clearly myself.)
Thanks
Bob
Re: SA with SPF and Return-Path: versus From:
Posted by Kelson <ke...@speed.net>.
Bob Proulx wrote:
> I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
> messages. It seems to be checking the Return-Path: address (envelope
> address) and not the From: address (header address). That's wrong,
> isn't it? Shouldn't it be checking the header address? Of course
> when I reply my mailer uses the header From: address to generate the
> response message.
No, SPF is designed to check the envelope sender, not the address in the
header.
In case you're wondering why, note the From: and Return-Path addresses
on this message. If SPF checked the From: address (@speed.net), it
wouldn't pass (mail.apache.org is not likely to be listed in the average
list member's SPF record)
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: SA with SPF and Return-Path: versus From:
Posted by David Brodbeck <gu...@gull.us>.
On Sun, 17 Oct 2004 15:37:04 -0600, Bob Proulx wrote
> I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
> messages. It seems to be checking the Return-Path: address (envelope
> address) and not the From: address (header address). That's wrong,
> isn't it?
No...SPF is designed to check the envelope sender. If you check the From:
header, you start running into problems with things like mailing lists.
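
The point made in the replies above, as an added example that is not part of the thread and is not SpamAssassin's code: the same SPF check is run against the envelope sender and against the header From: domain, for the forgery from the first post and for a mailing-list post. The SPF records are constructed stand-ins for DNS (the thread does not show the real ones), lists.example.org and member.example.net are hypothetical names, and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policies standing in for DNS TXT lookups (not the real records).
# zahav.net.il is deliberately absent: the debug output in the thread shows "none".
SPF_RECORDS = {
    "proulx.com": "v=spf1 ip4:216.17.153.58 -all",
    "lists.example.org": "v=spf1 ip4:192.0.2.10 -all",
    "member.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Evaluate a record using only the ip4 and all mechanisms (simplified)."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:")
                and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return RESULT[qualifier]
    return "neutral"

def compare_identities(raw, client_ip):
    """Return (envelope-sender result, header From: result) for one message."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    header = parseaddr(msg["From"])[1].rpartition("@")[2]
    return spf_check(envelope, client_ip), spf_check(header, client_ip)

# The forgery from the first post, reduced to the two identities.
FORGED = ("Return-Path: <shayfift252@zahav.net.il>\n"
          "From: forged-from@proulx.com\n\nspam spam spam\n")
# Constructed list post: the list server rewrites the envelope, not From:.
LIST_POST = ("Return-Path: <users-return@lists.example.org>\n"
             "From: member@member.example.net\n\nhello list\n")

if __name__ == "__main__":
    print(compare_identities(FORGED, "66.219.104.215"))
    print(compare_identities(LIST_POST, "192.0.2.10"))
```

Checking From: would catch the forgery but would also fail the legitimate list post, which is why the check is bound to the envelope sender.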