https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7112
--- Comment #3 from Mark Martinec <[email protected]> ---

Any opinion on the above? It does fix a fake ebay.com case, adding rule hits:

  0.7 SPF_SOFTFAIL       SPF: sender does not match SPF record (softfail)
  0.7 SPF_HELO_SOFTFAIL  SPF: HELO does not match SPF record (softfail)

Raising the limit from a default 10 to 15 goes against RFC 4408 section 10.1:

  SPF implementations MUST limit the number of mechanisms and modifiers
  that do DNS lookups to at most 10 per SPF check, including any lookups
  caused by the use of the "include" mechanism or the "redirect"
  modifier. If this number is exceeded during a check, a PermError MUST
  be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms
  as well as the "redirect" modifier do count against this limit.

... but this is ebay.com after all. Also 10 vs. 15 does not make much difference protecting against misuse.

And we are already violating the 20 second time limit clause in section 10.1:

  MTAs or other processors MAY also impose a limit on the maximum amount
  of elapsed time to evaluate check_host(). Such a limit SHOULD allow at
  least 20 seconds.
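
As an added illustration (not part of the bug thread and not SpamAssassin's or Mail::SPF's code): a static, worst-case count of the DNS-querying terms that RFC 4408 section 10.1 lists, run over constructed records for the hypothetical domain shop.example, showing a limit of 10 ending in PermError where 15 lets evaluation finish. It assumes no mechanism matches early and does not expand macros in include or redirect targets.

```python
import re

# Terms that cost one DNS lookup each under RFC 4408 section 10.1.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed SPF records for hypothetical domains (not real DNS data).
RECORDS = {
    "shop.example": "v=spf1 include:_spf1.shop.example include:_spf2.shop.example "
                    "include:_spf3.shop.example mx a ~all",
    "_spf1.shop.example": "v=spf1 include:mail.vendor.example "
                          "exists:%{i}.allow.shop.example ip4:192.0.2.0/24 ?all",
    "_spf2.shop.example": "v=spf1 a:out1.shop.example a:out2.shop.example "
                          "mx:shop.example ?all",
    "_spf3.shop.example": "v=spf1 ip4:198.51.100.0/24 ptr ?all",
    "mail.vendor.example": "v=spf1 a mx ip4:203.0.113.0/24 ?all",
}

class PermError(Exception):
    pass

def count_lookups(domain, records, limit=10, used=0):
    """Worst-case count of lookup-causing terms reachable from `domain`."""
    if domain not in records:
        raise PermError(f"no SPF record for {domain}")
    for term in records[domain].split()[1:]:  # skip the "v=spf1" version tag
        name, arg = re.match(r"[+\-~?]?([A-Za-z0-9]+)[:=/]?(.*)", term).groups()
        name = name.lower()
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all are not on the counted list
        used += 1
        if used > limit:
            raise PermError(f"more than {limit} DNS-querying terms at {domain}")
        if name in ("include", "redirect"):
            # Terms in the referenced record count against the same budget,
            # which also bounds include loops.
            used = count_lookups(arg, records, limit, used)
    return used

def check(domain, records, limit=10):
    """Return ("ok", count) or ("permerror", reason) for the given limit."""
    try:
        return ("ok", count_lookups(domain, records, limit))
    except PermError as err:
        return ("permerror", str(err))

if __name__ == "__main__":
    for lim in (10, 15):
        print(lim, check("shop.example", RECORDS, lim))
```

With a PermError the evaluation never reaches the trailing `~all`, so no softfail result is produced; that is the difference between the two limits in this constructed case.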
