http://bugzilla.spamassassin.org/show_bug.cgi?id=3859
Summary: SPF HELO false positives
Product: Spamassassin
Version: 3.0.0
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Plugins
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
The SPF plugin, when checking HELO, gets rid of the hostname and uses only the
domain:
# get rid of hostname part of domain, understanding delegation
$helo = Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain ($helo);
However, this causes problems when a host does a HELO as xxx.example.com and the
SPF record for example.com does not allow xxx.example.com (even if
xxx.example.com has a SPF record which would allow the sending host).
The SPF FAQ (http://spf.pobox.com/faq.html) implies one should add a SPF record
for every host, and the HELO checking should be based on the full hostname on
the HELO. The SPF Classic RFC also looks like only the FQDN should be tested.
The FP I got was with a host with no SPF record using its own hostname as both
the HELO and the MAIL FROM domain name, in a domain with a SPF record which
wouldn't allow it to send email as the domain (SPF_HELO_SOFTFAIL). A couple of
other rules pushed it over the limit. The right behaviour IMO would be for it to
act as if it had no SPF record at all (since it really has no SPF record).
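The two behaviours the report contrasts, as an added example that is not SpamAssassin's code: a minimal SPF evaluator (ip4 and all mechanisms only) run over a constructed DNS table, with a simplified stand-in for trim_domain that keeps the last two labels. Checking the trimmed HELO domain gives SOFTFAIL for a host with no record of its own, while checking the full HELO hostname gives NONE (or PASS when the host publishes its own record).

```python
import ipaddress

# Constructed records: the zone publishes SPF, the individual host does not.
# "xxx.example.com" is deliberately absent, i.e. it has no SPF record.
DNS_TXT = {
    "example.com":    "v=spf1 ip4:192.0.2.0/24 ~all",
    "ok.example.com": "v=spf1 ip4:203.0.113.7 -all",  # host with its own record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain: str, ip: str) -> str:
    """Evaluate ip4/all terms of an SPF record: none, pass, fail, softfail or neutral."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no record: the host is simply not covered by SPF
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match


def trim_domain(host: str) -> str:
    """Assumed simplification of RegistrarBoundaries::trim_domain: keep two labels."""
    return ".".join(host.split(".")[-2:])


def helo_check(helo: str, ip: str, trim: bool) -> str:
    """trim=True mirrors the reported plugin behaviour; trim=False tests the full FQDN."""
    return spf_result(trim_domain(helo) if trim else helo, ip)


if __name__ == "__main__":
    for helo, ip in (("xxx.example.com", "198.51.100.9"), ("ok.example.com", "203.0.113.7")):
        print(helo, "trimmed:", helo_check(helo, ip, True), "fqdn:", helo_check(helo, ip, False))
```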