Bug ID: 7360
Summary: SPF check plugin should verify reply to (From:) as
Right now it's possible to easily bypass SPF checks by spoofing From: (reply
to) instead of envelope sender (sender).
Given that SpamAssassin checks only the envelope sender, it doesn't notice that
someone is spoofing a foreign domain and accepts the e-mail with no negative
score even if it originated from a server that isn't listed in SPF records for a
How to reproduce:
Send a spoofed mail using this command:
mail -aFrom:hac...@apache.org -s "Your SPF can be easily hacked!"
The SPF check will not be able to recognize that it's a spoofed mail because the envelope
sender will not be hac...@apache.org but the hostname of the mail server. However,
99% of all mail clients will display it as mail delivered by hac...@apache.org,
and SpamAssassin should be able to know that.
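Added example (not part of the bug report or of SpamAssassin's code): a Python sketch of the check the report asks for. It runs an SPF evaluation against the envelope sender, as SpamAssassin already does, and additionally against the domain in the RFC 5322 From: header, which is what mail clients display, then flags a message whose From: domain neither matches the envelope domain nor authorizes the sending host. The SPF_POLICY table, the IP addresses, the domains and both sample messages are constructed for this example; a real implementation would resolve the domains' SPF TXT records (for instance with pyspf) instead of consulting a dictionary.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for DNS SPF lookups (assumption for this example):
# domain -> IPv4 addresses permitted to send mail claiming that domain.
# A real check would resolve TXT records; nothing here touches the network.
SPF_POLICY = {
    "example.org": {"198.51.100.10"},     # victim domain being spoofed
    "mail.example.net": {"203.0.113.5"},  # attacker's MTA, SPF for its own name
}


def spf_check(domain, client_ip):
    """Toy SPF evaluation over SPF_POLICY: 'pass' if client_ip is authorized
    for domain, 'fail' if it is not, 'none' if the domain publishes no record."""
    if domain is None:
        return "none"
    allowed = SPF_POLICY.get(domain)
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def address_domain(addr):
    """Extract the lowercase domain from 'addr' or 'Display Name <addr>'."""
    _, address = parseaddr(addr or "")
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def evaluate(raw_message, envelope_from, client_ip):
    """Run SPF against the envelope sender (what SpamAssassin checked) and
    against the RFC 5322 From: domain (what the report asks for), and
    report whether the two domains are aligned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    env_dom = address_domain(envelope_from)
    hdr_dom = address_domain(str(from_header)) if from_header is not None else None
    result = {
        "envelope_domain": env_dom,
        "from_domain": hdr_dom,
        "envelope_spf": spf_check(env_dom, client_ip),
        "from_spf": spf_check(hdr_dom, client_ip),
        "aligned": env_dom is not None and env_dom == hdr_dom,
    }
    # Verdict: aligned and SPF-authorized is fine; a From: domain that
    # explicitly does not authorize the sending host is a header spoof;
    # anything else (no record for the From: domain) is merely unaligned.
    if result["aligned"] and result["envelope_spf"] == "pass":
        result["verdict"] = "ok"
    elif result["from_spf"] == "fail":
        result["verdict"] = "spoofed-from"
    else:
        result["verdict"] = "unaligned"
    return result


# Constructed sample: the attacker's MTA (203.0.113.5) sends with its own
# envelope sender but a forged From: header, as the report's mail(1) command does.
SPOOFED = (
    "Return-Path: <user@mail.example.net>\n"
    "From: admin@example.org\n"
    "To: victim@example.com\n"
    "Subject: Your SPF can be easily hacked!\n"
    "\n"
    "body\n"
)

# Constructed legitimate message from example.org's authorized host.
LEGIT = (
    "From: admin@example.org\n"
    "To: victim@example.com\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(evaluate(SPOOFED, "user@mail.example.net", "203.0.113.5"))
    print(evaluate(LEGIT, "admin@example.org", "198.51.100.10"))
```

Running the block shows the point of the report: the spoofed message gets envelope_spf "pass" because the attacker's host is authorized for its own hostname, while the From: domain check returns "fail" and the domains are not aligned.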