Bug ID: 7360
           Summary: SPF check plugin should verify reply to (From:) as
           Product: Spamassassin
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Plugins

Right now it's possible to easily bypass SPF checks by spoofing From: (reply-to)
instead of the envelope sender (sender).

Given that SpamAssassin checks only the envelope sender, it doesn't notice that
someone is spoofing a foreign domain and accepts the e-mail with no negative
score even if it originated from a server that isn't listed in the SPF records for a

How to reproduce:

send spoofed mail using this command:

mail -s "Your SPF can be easily hacked!"

The SPF check will not be able to recognize that it's a spoofed mail because the envelope
sender will not be but the hostname of the mail server. However,
99% of all mail clients will display it as mail delivered by
and SpamAssassin should be able to know that.
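The gap the report describes is that an SPF "pass" only vouches for the envelope sender, never for the From: header a mail client displays. The following is an added example (not SpamAssassin's code) of the alignment check a filter would need on top of SPF: it assumes the SPF verdict for the envelope sender has already been computed upstream, and it approximates relaxed alignment with a parent/child domain test instead of a public suffix list.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the From: header claims example.com, while the SMTP
# envelope sender (the only address SPF evaluated) belongs to a third party.
SPOOFED_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: Your SPF can be easily hacked!\r\n"
    "\r\n"
    "Body text.\r\n"
)

def domain_of(address):
    """Lower-cased domain of an RFC 5322 address, or None if there is none."""
    _, addr = parseaddr(str(address or ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def domains_aligned(header_domain, envelope_domain):
    """Relaxed alignment approximated as equal or parent/child domains
    (assumption: a production check would consult the public suffix list)."""
    if not header_domain or not envelope_domain:
        return False
    return (header_domain == envelope_domain
            or header_domain.endswith("." + envelope_domain)
            or envelope_domain.endswith("." + header_domain))

def classify(raw_message, envelope_from, spf_result):
    """Combine the envelope-sender SPF verdict with From: header alignment.
    spf_result is the SPF outcome already obtained for envelope_from
    ('pass', 'fail', 'softfail', 'neutral' or 'none')."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(envelope_from)
    aligned = domains_aligned(header_domain, envelope_domain)
    if spf_result == "pass" and aligned:
        return "SPF_PASS_ALIGNED"    # the only case that vouches for From:
    if spf_result == "pass":
        return "SPF_PASS_UNALIGNED"  # SPF passed for someone else's domain
    if spf_result in ("fail", "softfail"):
        return "SPF_FAIL"
    return "SPF_NONE"
```

An unaligned pass is the situation in this report and deserves a score of its own rather than being treated as a clean SPF result.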
