Re: v=spf1 +all
On 4/24/2015 11:23 AM, Dianne Skoll wrote: On Fri, 24 Apr 2015 16:20:41 +0100 Paul Stead wrote: I've had thoughts of an extension which calculates the number of IP addresses specified in an SPF record, then calculating the % of world-wide addresses this SPF declares... I don't seem to be able to bend the Perl SPF module to spit out any numbers etc so seems it would have to be coded separately Someone sent me off-list some Perl that does that. I haven't looked closely at it. If that person is on this list, maybe he'll send it on-list? Regards, Dianne. I suppose it's safe enough to post publicly. Be aware that it's just a proof of concept and not tested thoroughly enough to guarantee it's correct, performant, or even if it terminates in all cases. Theoretically, it does the following detect +all and ?all (both of which specify to deliver without marking) detect coverage of the IPv4 and v6 address spaces (by /16) detect when followed records exceed a max depth detect when an SPF record loops on itself detect uninterpolated exists detect syntax errors in exists macros It also stores IP coverage as a bitmask, so it should measure somewhere around 16k - 20k of memory consumption as well. Script is attached, anyone can feel free to adapt it for SA. use strict; use warnings; use Net::DNS; use Net::IP; # fetch spf record for domain my $argument_domain = $ARGV[0]; print &check_domain($argument_domain) ."\n"; # returns one of "not useless", "useless - $reason", "gave up - $reason", "invalid - $reason" # for SPF syntax, see http://www.openspf.org/SPF_Record_Syntax # for macro syntax, see http://www.openspf.org/RFC_4408#macros sub check_domain { my ($domain, %params) = @_; my $dns = Net::DNS::Resolver->new; my $query = $dns->search($domain, 'TXT') or die "Error performing TXT query for $domain! ". $dns->errorstring; if (not defined $params{'domains_seen'}) { $params{'domains_seen'} = []; } if (grep {$_ eq $domain} @{$params{'domains_seen'}}) { return "invalid - detected domain loop beginning with $domain"; } push(@{$params{'domains_seen'}}, $domain); $params{'iteration'} ||= 1; $params{'max_iterations'} ||= 40; # build array of /16s for ip range masking # an spf record is useless if it allows at least one ip address in every /16 # this is a messy heuristic to avoid resource exhaustion, especially with ipv6 # array is 2 ** 16 flags stored as 32-bit bitmasks (each mask holding 2 ** 5 flags) if (not defined $params{'ipv4_coverage'}) { $params{'ipv4_coverage'} = []; $#{$params{'ipv4_coverage'}} = 2 ** (16 - 5) - 1; } if (not defined $params{'ipv6_coverage'}) { $params{'ipv6_coverage'} = []; $#{$params{'ipv6_coverage'}} = 2 ** (16 - 5) - 1; } if ($params{'iteration'} > $params{'max_iterations'}) { return "gave up - max dns query iteration limit ($params{'max_iterations'}) reached"; } foreach my $result ($query->answer) { next unless $result->type eq 'TXT'; my $spf_line = $result->txtdata; if ($spf_line =~ /^v=spf[12]/i) { # split into clauses my @clauses = split / /, $spf_line; # first, search for replace and operate on that instead foreach my $clause (@clauses) { if ($clause =~ /^redirect=(.*)$/) { my $domain = $1; if ($domain =~ /%[{_-]/) { return "gave up - macros in redirect modifier not supported ($domain)"; } elsif ($domain =~ /%[^{_%-]/) { return "invalid - syntax error in macro interpolation for $domain"; } else { # format escaped percent literals $domain =~ s/%%/%/g; # return recursed result return &check_domain($domain, %params, iteration=>$params{'iteration'} + 1); } } } foreach my $clause (@clauses) { # for each clause that is pass or neutral # clauses default to + # + (pass) and ? (neutral) both specify to deliver mail # - (fail) and ~ (soft fail) specify to deliver or mark # we don't care about - and ~ results because they can't be used to falsely improve score next if $clause =~ /^[-~]/; # if ip address or range, add to ip coverage # track ipv4 and ipv6 separately by /16 if ($clause =~ /^.?ip4:(.*)/) { my $address = $1; &mark_ip_ranges($params{'ipv4_coverage'}, $params{'ipv6_coverage'}, $address); } elsif ($clause =~ /^.?ip6:(.*)/) { my $address = $1; &mark_ip_ranges($params{'ipv4_coverage'}, $params{'ipv6_coverage'}, $address); } elsif ($clause =~ /^.?all/) { # if +all, rule is clearly useless return "useless - use of universal pass rule $clause"; } elsif ($clause =~ /^.?exists:(.*)/) { my $exists_domain = $1; # if using an exists rule without macros, rule is clearly useless if ($exists_domain !~ /%{/) {
Re: v=spf1 +all
On Fri, 24 Apr 2015 16:20:41 +0100 Paul Stead wrote: > I've had thoughts of an extension which calculates the number of IP > addresses specified in an SPF record, then calculating the % of > world-wide addresses this SPF declares... I don't seem to be able to > bend the Perl SPF module to spit out any numbers etc so seems it would > have to be coded separately Someone sent me off-list some Perl that does that. I haven't looked closely at it. If that person is on this list, maybe he'll send it on-list? Regards, Dianne.
Re: v=spf1 +all
On 24/04/15 14:13, Dianne Skoll wrote: On Fri, 24 Apr 2015 13:13:12 +0200 Benny Pedersen wrote: thanks for update, nice work Yes. I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all or even: v=spf1 exists:gmail.com -all I've had thoughts of an extension which calculates the number of IP addresses specified in an SPF record, then calculating the % of world-wide addresses this SPF declares... I don't seem to be able to bend the Perl SPF module to spit out any numbers etc so seems it would have to be coded separately Paul -- Paul Stead Systems Engineer Zen Internet
Re: v=spf1 +all
On Fri, 24 Apr 2015 17:03:11 +0200 Reindl Harald wrote: > besides that i am responsible for a single domain with currently > 12000 users and the usernumber don't matter because it don't say > anything about your insight it's pointless what spammers do and don't > do OK. You essentially said: "+all is pointless for spammers because I'm smart and that wouldn't fool me." Well, not all anti-spam filters are run by Reindl-class geniuses, so just because you know all about fighting spam, it doesn't mean you can make blanket statements about what makes sense for spammers. Spammers obviously feel it *does* make sense to register domains that pass SPF because we see that all the time. If it really didn't make sense, market forces would dictate that spammers stop doing it because it wouldn't be cost-effective. I know you will reply because misunderstood high-IQ geniuses generally like to have the last word. So go ahead and have the last word because I think I've beaten this topic to death. Regards, Dianne. signature.asc Description: PGP signature
Re: v=spf1 +all
Am 24.04.2015 um 16:53 schrieb Dianne Skoll: On Fri, 24 Apr 2015 16:40:07 +0200 Reindl Harald wrote: WTF read the thread and context - i just statet "I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes no sense for spammers, not more and not less It makes plenty of sense. We filter spam for hundreds of thousands of end users and I think we're in a better position than you to know what spammers do and don't do besides that i am responsible for a single domain with currently 12000 users and the usernumber don't matter because it don't say anything about your insight it's pointless what spammers do and don't do the only relevant question is could the achieve anything with it and the anser to the question above is simply "no" - and to "we're in a better position than you to know" - well given "I wonder how long until" in your oginal question i referred to they don't do it now so what's the purpose of that stupid dicussion now even going in the direction "my setup is bigger than yours" at all? my expierience is that the same amount a setup grows the personal knowledge of the involved people about it goes down, so don't try to impress me with "i am bigger than you" signature.asc Description: OpenPGP digital signature
Re: v=spf1 +all
On Fri, 24 Apr 2015 16:40:07 +0200 Reindl Harald wrote: > WTF read the thread and context - i just statet "I wonder how long > until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes > no sense for spammers, not more and not less It makes plenty of sense. We filter spam for hundreds of thousands of end users and I think we're in a better position than you to know what spammers do and don't do. Regards, Dianne. signature.asc Description: PGP signature
Re: v=spf1 +all
Am 24.04.2015 um 16:35 schrieb Matus UHLAR - fantomas: Am 24.04.2015 um 16:11 schrieb Matus UHLAR - fantomas: SA setup will detect such domains and will score mail positively. Is there something other to explain? On 24.04.15 16:16, Reindl Harald wrote: i don't really and everybody who pretends the opposite should be quiet in the future when it comes to highly false positive prone rules with scores of 1.5 or even higher Have you lowered _all_ scores to be below 1.5? like BAYES_99 or DEAR_FRIEND ? There's plenty of them: it talk about rules hit *a single* spam message which would have been caught by other rules too and on the other side a lot of ham mails like RCVD_ILLEGAL_IP where people always argue "1.5 points is not a FP" grep -hr '^score' /var/lib/spamassassin/3.003002/updates_spamassassin_org | egrep -c '(1[5-9]|[2-9]|[1-9]0)\.' 288 Have you already implemented the SPF_PASS_PLUSALL to see how much of false positives it gives? BTW, default proposed score for SPF_PASS_PLUSALL was 0.001 so what exactly are you complaining about? WTF read the thread and context - i just statet "I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes no sense for spammers, not more and not less signature.asc Description: OpenPGP digital signature
Re: v=spf1 +all
Am 24.04.2015 um 16:11 schrieb Matus UHLAR - fantomas: SA setup will detect such domains and will score mail positively. Is there something other to explain? On 24.04.15 16:16, Reindl Harald wrote: i don't really and everybody who pretends the opposite should be quiet in the future when it comes to highly false positive prone rules with scores of 1.5 or even higher Have you lowered _all_ scores to be below 1.5? like BAYES_99 or DEAR_FRIEND ? There's plenty of them: grep -hr '^score' /var/lib/spamassassin/3.003002/updates_spamassassin_org | egrep -c '(1[5-9]|[2-9]|[1-9]0)\.' 288 Have you already implemented the SPF_PASS_PLUSALL to see how much of false positives it gives? BTW, default proposed score for SPF_PASS_PLUSALL was 0.001 so what exactly are you complaining about? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. If Barbie is so popular, why do you have to buy her friends?
Re: v=spf1 +all
Am 24.04.2015 um 16:11 schrieb Matus UHLAR - fantomas: On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald wrote: well, and how becomes SPF part of the game in case of a throw-away domain as long as "score SPF_NONE 0" - why in the world should a spammer add a TXT record to a throw-away domain? Am 24.04.2015 um 15:50 schrieb Dianne Skoll: Ummm are you really that unclear on the concept? I'll explain it carefully: Spammers know that (some) filters filter less aggressively than normal on an SPF "pass". So they register a throwaway domain and use that in the envelope sender. They publish a TXT record for that domain to ensure they get an SPF pass. There. That wasn't so hard, was it? On 24.04.15 15:55, Reindl Harald wrote: and how does that care a SA setup? SA setup will detect such domains and will score mail positively. Is there something other to explain? i don't really and everybody who pretends the opposite should be quiet in the future when it comes to highly false positive prone rules with scores of 1.5 or even higher signature.asc Description: OpenPGP digital signature
Re: v=spf1 +all
On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald wrote: well, and how becomes SPF part of the game in case of a throw-away domain as long as "score SPF_NONE 0" - why in the world should a spammer add a TXT record to a throw-away domain? Am 24.04.2015 um 15:50 schrieb Dianne Skoll: Ummm are you really that unclear on the concept? I'll explain it carefully: Spammers know that (some) filters filter less aggressively than normal on an SPF "pass". So they register a throwaway domain and use that in the envelope sender. They publish a TXT record for that domain to ensure they get an SPF pass. There. That wasn't so hard, was it? On 24.04.15 15:55, Reindl Harald wrote: and how does that care a SA setup? SA setup will detect such domains and will score mail positively. Is there something other to explain? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I intend to live forever - so far so good.
Re: v=spf1 +all
On Fri, 24 Apr 2015 15:55:50 +0200 Reindl Harald wrote: > and how does that care a SA setup? It probably doesn't seriously affect a default SA setup, but I have quite a few customers who (despite my warnings) knock off a couple of points on SPF "pass" for any domain. Also, as someone else mentioned, a lot of SA rules include __NOT_SPOOFED which fires on valid SPF. So even default SA installations are affected somewhat. Regards, Dianne. signature.asc Description: PGP signature
Re: v=spf1 +all
Am 24.04.2015 um 15:50 schrieb Dianne Skoll: On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald wrote: well, and how becomes SPF part of the game in case of a throw-away domain as long as "score SPF_NONE 0" - why in the world should a spammer add a TXT record to a throw-away domain? Ummm are you really that unclear on the concept? I'll explain it carefully: Spammers know that (some) filters filter less aggressively than normal on an SPF "pass". So they register a throwaway domain and use that in the envelope sender. They publish a TXT record for that domain to ensure they get an SPF pass. There. That wasn't so hard, was it? and how does that care a SA setup? it's that filters fault to score SPF pass lower instead only penalty SPF fail since *most* spam making it through the filters before SA anyways has SPF_PASS and comes from gmail, hotmail and other freemail providers score ENV_AND_HDR_SPF_MATCH -0.5 score SPF_NONE 0 score SPF_HELO_NONE 0 score SPF_PASS -0.001 score SPF_HELO_PASS -0.001 score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2 score SPF_HELO_FAIL 0 0.001 0 0.001 # n=0 n=2 score SPF_HELO_NEUTRAL 0 0.001 0 0.112 # n=0 n=2 score SPF_HELO_SOFTFAIL 0 0.896 0 0.732 # n=0 n=2 score SPF_NEUTRAL 0 0.652 0 0.779 # n=0 n=2 score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2 score FROM_MISSP_SPF_FAIL 0.001 1.000 0.001 1.000 score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001 score TO_EQ_FM_SPF_FAIL 0.001 0.001 0.001 0.001 signature.asc Description: OpenPGP digital signature
Re: v=spf1 +all
On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald wrote: > > Am 24.04.2015 um 15:22 schrieb Dianne Skoll: > > Spammers often register and use throwaway domains. And check how > > the exists: mechanism works > > well, and how becomes SPF part of the game in case of a throw-away > domain as long as "score SPF_NONE 0" - why in the world should a > spammer add a TXT record to a throw-away domain? Not everyone uses SpamAssassin.
Re: v=spf1 +all
On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald wrote: > well, and how becomes SPF part of the game in case of a throw-away > domain as long as "score SPF_NONE 0" - why in the world should a > spammer add a TXT record to a throw-away domain? Ummm are you really that unclear on the concept? I'll explain it carefully: Spammers know that (some) filters filter less aggressively than normal on an SPF "pass". So they register a throwaway domain and use that in the envelope sender. They publish a TXT record for that domain to ensure they get an SPF pass. There. That wasn't so hard, was it? Regards, Dianne. signature.asc Description: PGP signature
Re: v=spf1 +all
On 4/24/2015 9:38 AM, Reindl Harald wrote: Am 24.04.2015 um 15:22 schrieb Dianne Skoll: On Fri, 24 Apr 2015 15:17:45 +0200 Reindl Harald wrote: v=spf1 exists:gmail.com -all makes no sense - the spammer don't own the domain in most cases and if they do then they just don't add a SPF policy to use it with infected clients Spammers often register and use throwaway domains. And check how the exists: mechanism works well, and how becomes SPF part of the game in case of a throw-away domain as long as "score SPF_NONE 0" - why in the world should a spammer add a TXT record to a throw-away domain? Because passing SPF causes other checks to not trigger. For instance, KAM.cf has a lot of rules that meta on KAM_LAZY_DOMAIN_SECURITY. The default spamassassin rules also meta extensively on SPF failure, via __NOT_SPOOFED.
Re: v=spf1 +all
Am 24.04.2015 um 15:22 schrieb Dianne Skoll: On Fri, 24 Apr 2015 15:17:45 +0200 Reindl Harald wrote: v=spf1 exists:gmail.com -all makes no sense - the spammer don't own the domain in most cases and if they do then they just don't add a SPF policy to use it with infected clients Spammers often register and use throwaway domains. And check how the exists: mechanism works well, and how becomes SPF part of the game in case of a throw-away domain as long as "score SPF_NONE 0" - why in the world should a spammer add a TXT record to a throw-away domain? signature.asc Description: OpenPGP digital signature
Re: v=spf1 +all
On Fri, 24 Apr 2015 15:17:45 +0200 Reindl Harald wrote: > > v=spf1 exists:gmail.com -all > makes no sense - the spammer don't own the domain in most cases and > if they do then they just don't add a SPF policy to use it with > infected clients Spammers often register and use throwaway domains. And check how the exists: mechanism works. Regards, Dianne.
Re: v=spf1 +all
Am 24.04.2015 um 15:13 schrieb Dianne Skoll: On Fri, 24 Apr 2015 13:13:12 +0200 Benny Pedersen wrote: thanks for update, nice work Yes. I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all or even: v=spf1 exists:gmail.com -all makes no sense - the spammer don't own the domain in most cases and if they do then they just don't add a SPF policy to use it with infected clients signature.asc Description: OpenPGP digital signature
Re: v=spf1 +all
On Fri, 24 Apr 2015 13:13:12 +0200 Benny Pedersen wrote: > thanks for update, nice work Yes. I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all or even: v=spf1 exists:gmail.com -all Unfortunately, the SPF spec makes it tricky to chase down all possible equivalencies to +all. Bah. Regards, Dianne.
Re: v=spf1 +all
A. Schulze skrev den 2015-04-23 19:24: I wrote a little patch for the SPF plugin to detect domains authenticating any IP by SPF. thanks for update, nice work Unfortunately I found also domains not really sending spam use "+all" ¹) Any comments? in spamassassin +all will not inhirit whitelist_from_spf if the plusall domains start spaming it will be added here to blacklist_from
Re: v=spf1 +all
On 4/23/2015 1:24 PM, A. Schulze wrote: Hello, I wrote a little patch for the SPF plugin to detect domains authenticating any IP by SPF. Usage: local.cf header SPF_PASS_PLUSALL eval:check_for_spf_pass_plusall() header SPF_HELO_PASS_PLUSALL eval:check_for_spf_helo_pass_plusall() describe SPF_PASS_PLUSALL SPF: SPF record allow any sender describe SPF_HELO_PASS_PLUSALL SPF: SPF record allow any HELO lang de describe SPF_PASS_PLUSALL SPF: SPF-Datensatz erlaubt beliebige Senderechner lang de describe SPF_HELO_PASS_PLUSALL SPF: SPF-Datensatz erlaubt beliebige HELO-Namen score SPF_PASS_PLUSALL 0.001 score SPF_HELO_PASS_PLUSALL 0.001 Unfortunately I found also domains not really sending spam use "+all" ¹) Any comments? Andreas ¹) https://listi.jpberlin.de/pipermail/postfixbuch-users/2015-April/062921.html https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7099#c4 Over the past 10 days on a busy production server, we've seen 7164 hits, of which only 36 are ham.
Re: v=spf1 +all
Am 23.04.2015 um 19:24 schrieb A. Schulze: Hello, I wrote a little patch for the SPF plugin to detect domains authenticating any IP by SPF. Usage: local.cf header SPF_PASS_PLUSALL eval:check_for_spf_pass_plusall() header SPF_HELO_PASS_PLUSALL eval:check_for_spf_helo_pass_plusall() describe SPF_PASS_PLUSALL SPF: SPF record allow any sender describe SPF_HELO_PASS_PLUSALL SPF: SPF record allow any HELO lang de describe SPF_PASS_PLUSALL SPF: SPF-Datensatz erlaubt beliebige Senderechner lang de describe SPF_HELO_PASS_PLUSALL SPF: SPF-Datensatz erlaubt beliebige HELO-Namen score SPF_PASS_PLUSALL 0.001 score SPF_HELO_PASS_PLUSALL 0.001 Unfortunately I found also domains not really sending spam use "+all" ¹) Any comments? shouldn't that be combined in SPF_NONE what it is practically instead a new tag / rule? signature.asc Description: OpenPGP digital signature
v=spf1 +all
Hello, I wrote a little patch for the SPF plugin to detect domains authenticating any IP by SPF. Usage: local.cf header SPF_PASS_PLUSALL eval:check_for_spf_pass_plusall() header SPF_HELO_PASS_PLUSALL eval:check_for_spf_helo_pass_plusall() describe SPF_PASS_PLUSALL SPF: SPF record allow any sender describe SPF_HELO_PASS_PLUSALL SPF: SPF record allow any HELO lang de describe SPF_PASS_PLUSALL SPF: SPF-Datensatz erlaubt beliebige Senderechner lang de describe SPF_HELO_PASS_PLUSALL SPF: SPF-Datensatz erlaubt beliebige HELO-Namen score SPF_PASS_PLUSALL 0.001 score SPF_HELO_PASS_PLUSALL 0.001 Unfortunately I found also domains not really sending spam use "+all" ¹) Any comments? Andreas ¹) https://listi.jpberlin.de/pipermail/postfixbuch-users/2015-April/062921.html Index: spamassassin-3.4.0/lib/Mail/SpamAssassin/Plugin/SPF.pm === --- spamassassin-3.4.0.orig/lib/Mail/SpamAssassin/Plugin/SPF.pm +++ spamassassin-3.4.0/lib/Mail/SpamAssassin/Plugin/SPF.pm @@ -55,11 +55,13 @@ sub new { bless ($self, $class); $self->register_eval_rule ("check_for_spf_pass"); + $self->register_eval_rule ("check_for_spf_pass_plusall"); $self->register_eval_rule ("check_for_spf_neutral"); $self->register_eval_rule ("check_for_spf_none"); $self->register_eval_rule ("check_for_spf_fail"); $self->register_eval_rule ("check_for_spf_softfail"); $self->register_eval_rule ("check_for_spf_helo_pass"); + $self->register_eval_rule ("check_for_spf_helo_pass_plusall"); $self->register_eval_rule ("check_for_spf_helo_neutral"); $self->register_eval_rule ("check_for_spf_helo_none"); $self->register_eval_rule ("check_for_spf_helo_fail"); @@ -231,6 +233,12 @@ sub check_for_spf_pass { $scanner->{spf_pass}; } +sub check_for_spf_pass_plusall { + my ($self, $scanner) = @_; + $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; + $scanner->{spf_pass_plusall}; +} + sub check_for_spf_neutral { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; @@ -264,6 +272,12 @@ sub check_for_spf_helo_pass { $scanner->{spf_helo_pass}; } +sub check_for_spf_helo_pass_plusall { + my ($self, $scanner) = @_; + $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; + $scanner->{spf_helo_pass_plusall}; +} + sub check_for_spf_helo_neutral { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; @@ -377,6 +391,7 @@ sub _check_spf { # we'd set these if we actually did the check $scanner->{"spf_${identity}checked"} = 1; $scanner->{"spf_${identity}pass"} = 0; + $scanner->{"spf_${identity}pass_plusall"} = 0; $scanner->{"spf_${identity}neutral"} = 0; $scanner->{"spf_${identity}none"} = 0; $scanner->{"spf_${identity}fail"} = 0; @@ -426,6 +441,7 @@ sub _check_spf { # we'd set these if we actually did the check $scanner->{"spf_${identity}checked"} = 1; $scanner->{"spf_${identity}pass"} = 0; + $scanner->{"spf_${identity}pass_plusall"} = 0; $scanner->{"spf_${identity}neutral"} = 0; $scanner->{"spf_${identity}none"} = 0; $scanner->{"spf_${identity}fail"} = 0; @@ -520,6 +536,7 @@ sub _check_spf { # SPF HELO-checking variant $scanner->{spf_helo_checked} = 1; $scanner->{spf_helo_pass} = 0; +$scanner->{spf_helo_pass_plusall} = 0; $scanner->{spf_helo_neutral} = 0; $scanner->{spf_helo_none} = 0; $scanner->{spf_helo_fail} = 0; @@ -529,6 +546,7 @@ sub _check_spf { # SPF on envelope sender (where possible) $scanner->{spf_checked} = 1; $scanner->{spf_pass} = 0; +$scanner->{spf_pass_plusall} = 0; $scanner->{spf_neutral} = 0; $scanner->{spf_none} = 0; $scanner->{spf_fail} = 0; @@ -674,7 +692,10 @@ sub _check_spf { $text =~ s/\s+/ /gs; # no newlines please if ($ishelo) { -if ($result eq 'pass') { $scanner->{spf_helo_pass} = 1; } +if ($result eq 'pass') { + $scanner->{spf_helo_pass} = 1; + $scanner->{spf_helo_pass_plusall} = 1 if $text =~ /\'all\' matched/; +} elsif ($result eq 'neutral') { $scanner->{spf_helo_neutral} = 1; } elsif ($result eq 'none') { $scanner->{spf_helo_none} = 1; } elsif ($result eq 'fail') { $scanner->{spf_helo_fail} = 1; } @@ -684,7 +705,10 @@ sub _check_spf { $scanner->{spf_helo_failure_comment} = "SPF failed: $comment"; } } else { -if ($result eq 'pass') { $scanner->{spf_pass} = 1; } +if ($result eq 'pass') { + $scanner->{spf_pass} = 1; + $scanner->{spf_pass_plusall} = 1 if $text =~ /\'all\' matched/; +} elsif ($result eq 'neutral') { $scanner->{spf_neutral} = 1; } elsif ($result eq 'none') { $scanner->{spf_none} = 1; } elsif ($result eq 'fail') { $scanner->{spf_fail} =