Quite right, ASSP defies (unavoidably) a whole bunch of RFCs so that part isn't new. The fact that testing of the FROM header is not specified in the SPF framework is not in itself a problem.
I have mitigated the problem to a large extent by:

- Adding the major and known Listing Services (including this one) to no-processing senders (so they don't score any other points against them)
- SPF switched on for no-processing senders
- Setting SPF to score, not block (except for BlockstrictSPFre which is limited to high risk phishing targets such as banks and govt departments)

On my system, most (not all) SPF failures due to ML are still passing through.

Thomas, any chance of having ASSP check the FROM header against BlockstrictSPFRE first, and only performing the second SPF test when there is a match? Again, imho, this second SPF test has been very successful so is worth the hassle to get it right.

Bob

-----Original Message-----
From: GrayHat [mailto:[email protected]]
Sent: Thursday, 10 November 2011 11:29 p.m.
To: ASSP development mailing list
Subject: Re: [Assp-test] Whitelisting

> Recent change to SPF checking in ASSP has seen a lot of bogus bank
> emails and tax refunds blocked which I am happy about.

There's a problem, though, it may (and does) break some ML messages; see, with previous "regular SPF" checks acting on the envelope sender (as for SPF documents), a mailing list was able to send a message this way (e.g.)

    MAIL FROM: <[email protected]>
    Return-Path: <[email protected]>
    Errors-To: <[email protected]>
    From: <[email protected]>
    To: <[email protected]>
    Reply-To: <[email protected]>

but now, if the same ML tries to send a message and if the "otherdomain.net" publishes an SPF record (and performs SPF checks) the same message will be refused due to SPF failure since (if I got it right), ASSP will also check the "MIME From" and not just the envelope from.

So, I'm respectfully asking Thomas to add an option to ASSP which will allow disabling this new behaviour and let the SPF checks only work on the envelope data ... then, by the way, whoever wants to also check the "MIME" data will still be able to do so by leaving the option enabled.

Thanks

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
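
The three policies discussed in this thread (envelope-only SPF, SPF on both envelope and From header, and the header check gated by a strict-target regex) can be compared side by side. This is an added example, not ASSP code: the SPF evaluator handles only `ip4` and `-all`, and the records, domains other than otherdomain.net, addresses and the `STRICT_RE` pattern are constructed for illustration.

```python
import ipaddress
import re
from email.utils import parseaddr

# Constructed SPF records (no DNS lookups); only ip4 mechanisms plus "-all".
SPF_RECORDS = {
    "list.example":    "v=spf1 ip4:192.0.2.0/24 -all",
    "otherdomain.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "bank.example":    "v=spf1 ip4:203.0.113.0/24 -all",
    "bulk.example":    "v=spf1 ip4:192.0.2.0/24 -all",
}
# Hypothetical stand-in for a BlockstrictSPFRE-style list of phishing targets.
STRICT_RE = re.compile(r"(^|\.)bank\.example$", re.I)

def domain_of(address):
    """Extract the lower-cased domain from an address or a From header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def spf_result(domain, client_ip):
    """Return 'pass', 'fail', 'neutral' or 'none' for the simplified record subset."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"

def verdict(mail_from, header_from, client_ip, mode):
    """mode: 'envelope' (classic SPF), 'both', or 'gated' (header check
    only when the From domain matches STRICT_RE)."""
    results = {"envelope": spf_result(domain_of(mail_from), client_ip)}
    from_domain = domain_of(header_from)
    if mode == "both" or (mode == "gated" and STRICT_RE.search(from_domain)):
        results["header"] = spf_result(from_domain, client_ip)
    return "fail" if "fail" in results.values() else "accept"

# Constructed messages, both relayed from 192.0.2.10.
LIST_POST = ("<bounces@list.example>", "Member <user@otherdomain.net>", "192.0.2.10")
FAKE_BANK = ("<x@bulk.example>", "Bank <alerts@bank.example>", "192.0.2.10")

if __name__ == "__main__":
    for name, msg in (("list post", LIST_POST), ("fake bank", FAKE_BANK)):
        print(name, {m: verdict(*msg, m) for m in ("envelope", "both", "gated")})
```

With these inputs the list post is rejected only in `both` mode, while the forged bank message passes `envelope` mode and is caught by `both` and `gated`.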
