Your message dated Sat, 1 Sep 2007 17:03:54 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#440450: libmail-spf-query-perl: Suggest increasing default 
max DNS lookups to work with paypal
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libmail-spf-query-perl
Version: 1:1.999.1-3
Severity: normal


Hi,

By default spfquery limits itself to 10 DNS lookups.  This can be
overridden from the command line.  It returns an "unknown" response if
more than 10 lookups are needed.

It seems that getting all the SPF information for paypal.com takes 11
lookups.  (It looks like there is a limit on the length of the TXT
record, and in order to list all its IP ranges paypal has to use a
number of includes.)

Since phishing emails with a forged @paypal.com sender are rather
common, I suggest slightly increasing the default limit to accommodate
it.

Or, perhaps the limit could be substantially increased, e.g. 50 - I
can't think what it's guarding against, except for misconfigured SPF
records with include loops, and I'm not aware of that being a serious
problem.  I note that the limit was reduced from 20 to 10 in 1.998-1,
but I am unaware of the rationale for that.

Regards,

Phil.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libmail-spf-query-perl depends on:
ii  libnet-cidr-lite-perl      0.20-1        Merge IPv4 or IPv6 CIDR address ra
ii  libnet-dns-perl            0.60-1        Perform DNS queries from a Perl sc
ii  libsys-hostname-long-perl  1.4-1         Figure out the long (fully-qualifi
ii  liburi-perl                1.35.dfsg.1-1 Manipulates and accesses URI strin
ii  perl                       5.8.8-7       Larry Wall's Practical Extraction 

libmail-spf-query-perl recommends no packages.

-- no debconf information


--- End Message ---
--- Begin Message ---
phil wrote:
> By default spfquery limits itself to 10 DNS lookups.  This can be
> overridden from the command line.  It returns an "unknown" response if
> more than 10 lookups are needed.
>
> It seems that getting all the SPF information for paypal.com takes 11
> lookups.  (It looks like there is a limit on the length of the TXT
> record, and in order to list all its IP ranges paypal has to use a
> number of includes.)

This is because the PayPal admins can't read.  The SPF specification (RFC 
4408) says[1]:

| SPF implementations MUST limit the number of mechanisms and modifiers
| that do DNS lookups to at most 10 per SPF check, including any lookups
| caused by the use of the "include" mechanism or the "redirect" modifier.
| If this number is exceeded during a check, a PermError MUST be returned.
| The "include", "a", "mx", "ptr", and "exists" mechanisms as well as
| the "redirect" modifier do count against this limit.  [...]

So this is an error in the paypal.com SPF record and not a bug in
Mail::SPF::Query.  It has happened before, e.g. with hotmail.com.  Such
broken records will have to (and eventually will) be fixed by their owners.

> Since phishing emails with a forged @paypal.com sender are rather
> common, I suggest slightly increasing the default limit to accommodate
> it.
> 
> Or, perhaps the limit could be substantially increased, e.g. 50 - I
> can't think what it's guarding against, except for misconfigured SPF
> records with include loops, and I'm not aware of that being a serious
> problem.

This limit exists in the SPF specification for security reasons (with 
regard to DoS attacks), so it will NOT be increased in Mail::SPF::Query.

> I note that the limit was reduced from 20 to 10 in 1.998-1, but I am
> unaware of the rationale for that.

Mail::SPF::Query was the original SPF implementation and has been in 
existence long before the security limits were added to the SPF 
specification (before the latter was frozen and published as an IETF 
RFC).  However, in mid-2005 I took over upstream maintenance of 
Mail::SPF::Query and updated it to make it compliant with the SPF spec as 
best as I could (given M:S:Q's arcane architecture).  Said security limit 
was part of this update.

FYI, in the mid term Mail::SPF::Query will be made obsolete by the new 
Mail::SPF library (not yet uploaded to Debian), which fully conforms to 
RFC 4408 and thus also implements this security limit.

References:
 1. http://www.openspf.org/RFC_4408#processing-limits


--- End Message ---
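
The processing limit quoted from RFC 4408 in the reply above, as an added example (not part of the original messages and not Mail::SPF::Query code): it counts the terms that cause DNS lookups, following "include" and "redirect", for the worst case where no mechanism matches early. The zone data and every example.test name are constructed, and the function names are hypothetical.

```python
# Worst-case count of DNS-lookup terms per SPF check (RFC 4408 limit of 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample records; every name below is hypothetical.
ZONE = {
    "within.example.test": "v=spf1 a mx include:_s1.example.test include:_s2.example.test -all",
    "over.example.test": "v=spf1 a mx include:_s1.example.test include:_s2.example.test include:_s3.example.test -all",
    "_s1.example.test": "v=spf1 ip4:192.0.2.0/24 a:m1.example.test a:m2.example.test mx ?all",
    "_s2.example.test": "v=spf1 exists:%{i}.rbl.example.test a:m3.example.test mx ?all",
    "_s3.example.test": "v=spf1 ip4:203.0.113.0/24 ?all",
    "loop.example.test": "v=spf1 include:loop.example.test -all",
    "redir.example.test": "v=spf1 redirect=within.example.test",
}

class PermError(Exception):
    """The record cannot be evaluated within the processing limits."""

def charge(state, limit, domain):
    state["n"] += 1
    if state["n"] > limit:
        raise PermError(f"more than {limit} DNS-lookup terms, reached at {domain}")

def walk(domain, zone, limit, state):
    """Charge every lookup-causing term of domain's record, recursing into includes."""
    redirect = None
    for term in zone[domain].split()[1:]:  # skip the "v=spf1" version tag
        name = term.lstrip("+-~?")         # drop the qualifier
        if name.lower().startswith("redirect="):
            redirect = name.split("=", 1)[1]
            continue
        mech, _, arg = name.partition(":")
        mech = mech.split("/")[0].lower()  # "a/24" -> "a"
        if mech == "all":
            return  # terms after "all", and any redirect, are never reached
        if mech in LOOKUP_MECHANISMS:
            charge(state, limit, domain)
            if mech == "include":
                walk(arg, zone, limit, state)
    if redirect:
        charge(state, limit, domain)
        walk(redirect, zone, limit, state)

def check_limit(domain, zone=ZONE, limit=10):
    """Return ('ok', n) or ('permerror', n); n is the number of terms charged."""
    state = {"n": 0}
    try:
        walk(domain, zone, limit, state)
    except (PermError, KeyError):  # a missing include/redirect target is also a PermError
        return ("permerror", state["n"])
    return ("ok", state["n"])
```

The self-including record stops at the eleventh term instead of recursing without bound, which is the resource-exhaustion case the limit bounds.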
