https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7360

            Bug ID: 7360
           Summary: SPF check plugin should verify reply to (From:) as
                    well
           Product: Spamassassin
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: petr@bena.rocks

Right now it's possible to easily bypass SPF checks by spoofing From: (reply
to) instead of the envelope sender (sender).

Given that SpamAssassin checks only the envelope sender, it doesn't notice that
someone is spoofing a foreign domain and accepts the e-mail with no negative
score even if it originated from a server that isn't listed in the SPF records
for the domain.

How to reproduce:

Send a spoofed mail using this command:

mail -aFrom:hac...@apache.org -s "Your SPF can be easily hacked!"
some...@apache.org

The SPF check will not be able to recognize that it's a spoofed mail because the
envelope sender will not be hac...@apache.org but the hostname of the mail
server. However, 99% of all mail clients will display it as mail delivered by
hac...@apache.org, and SpamAssassin should be able to know that.
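The gap described above is the difference between the envelope sender (MAIL FROM, recorded by the receiving MTA as Return-Path) and the header From: that a mail client displays. The following is an added example, not code from this bug report or from SpamAssassin: it extracts both domains from a constructed message and reports whether they align, in the strict (identical) and relaxed (same organizational domain) senses that DMARC uses. The org_domain() helper is a deliberate simplification (last two labels) standing in for a public-suffix lookup.

```python
import email
from email.utils import parseaddr

# Constructed sample: the MTA recorded MAIL FROM (Return-Path) as the sending
# host's domain, while the displayed From: claims a different domain.
SAMPLE_MSG = """\
Return-Path: <user@mailhost.example.net>
Received: from mailhost.example.net (mailhost.example.net [192.0.2.10])
From: Someone <someone@example.org>
To: recipient@example.com
Subject: constructed sample

body
"""


def domain_of(addr):
    """Return the lowercase domain of an address string, or '' if none."""
    _, address = parseaddr(addr)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def org_domain(domain):
    """Crude organizational domain (last two labels); a placeholder for a
    real public-suffix lookup, which relaxed DMARC alignment requires."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def check_from_alignment(raw_msg, envelope_from=None):
    """Compare the header From: domain with the envelope sender domain.

    envelope_from defaults to the Return-Path header; an MTA-side filter would
    pass the SMTP MAIL FROM it saw instead. Returns both domains plus strict
    and relaxed alignment verdicts so a policy layer can score a mismatch.
    """
    msg = email.message_from_string(raw_msg)
    header_from = domain_of(msg.get("From", ""))
    if envelope_from is None:
        envelope_from = msg.get("Return-Path", "")
    env_from = domain_of(envelope_from)
    strict = bool(header_from) and header_from == env_from
    relaxed = bool(header_from) and org_domain(header_from) == org_domain(env_from)
    return {"header_from": header_from, "envelope_from": env_from,
            "strict_aligned": strict, "relaxed_aligned": relaxed}


if __name__ == "__main__":
    print(check_from_alignment(SAMPLE_MSG))
```

A message whose envelope sender passes SPF but whose From: domain does not align is exactly the case the report describes; the misalignment verdict is what a rule would score.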
