[LINK] Question re spoofing with bad reply address

Jeremy Visser jeremy at visser.name
Fri Jul 11 11:59:45 AEST 2014


Hi Stephen,

On 09/07/14 17:35, Stephen Rothwell wrote:
> SPF is broken by design (consider forwarding - including mailing 
> lists).

That’s because you’re forwarding incorrectly.  SPF validation is done based on the envelope, not the To/From headers, and all good mailing list software will fix this for you.  For example, your e-mail from the list to me contained these pertinent headers:

  From: Stephen Rothwell <sfr at rothwell.id.au>
  To: Hamish Moffatt <hamish at cloud.net.au>
  Sender: link-bounces at mailman.anu.edu.au
  Return-Path: <link-bounces at mailman.anu.edu.au>

And the SMTP exchange would (presumably) have begun with "MAIL FROM:<link-bounces at mailman.anu.edu.au>".  Therefore, the SPF validation is done against whether the sender can send from mailman.anu.edu.au, not rothwell.id.au.

A different situation I commonly encounter where forwarding happens but the envelope doesn’t change is if you deploy a spam filtering box (e.g. Postfix + Amavisd) in front of another box (e.g. MS Exchange).  If you don’t tell the downstream box (in this case, the MS Exchange box) to fully trust the upstream box, then it may erroneously perform SPF validation (MS calls it Sender ID validation, but same diff) on incoming messages (which will obviously fail).  I don’t see this as an SPF failure — rather, it’s a misconfiguration that stems from not thinking about the mail flow properly.

Jeremy.
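The two points made above, that SPF is evaluated against the envelope sender (MAIL FROM / Return-Path) rather than the header From, and that a downstream box must skip a trusted upstream relay before picking the IP it checks, worked through as an added Python example. This is not code from the post or the thread; the SPF records and IP addresses are constructed stand-ins (RFC 5737 documentation ranges), not real lookups for the domains named.

```python
"""SPF identity and trusted-relay handling, as a worked example.

Added illustration, not code from the original post. The SPF records and
IP addresses below are constructed (RFC 5737 documentation ranges), not
real DNS data for the domains named.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumed records, not real ones).
SPF_RECORDS = {
    "rothwell.id.au": "v=spf1 ip4:192.0.2.10 -all",
    "mailman.anu.edu.au": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, depth=0):
    """Tiny SPF evaluator supporting the ip4, include and all mechanisms."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:      # no policy published (or include loop)
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = evaluate_spf(arg, client_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False               # mechanisms this toy does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                      # fell off the end of the record


def envelope_domain(raw_message):
    """SPF checks the envelope sender (MAIL FROM, preserved as Return-Path)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]


def header_from_domain(raw_message):
    """The header From is what the reader sees; SPF does not evaluate it."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2]


def client_ip_for_check(hop_ips, trusted_relays):
    """hop_ips lists the connecting IP of each hop, nearest hop first (the
    order a receiver finds them walking its own Received headers). Hops in
    trusted_relays (e.g. your own spam-filtering box) are skipped so SPF is
    evaluated against the first untrusted hop, the one that actually
    injected the message. Returns None if every hop is trusted."""
    for ip in hop_ips:
        if ip not in trusted_relays:
            return ip
    return None


def check_message(raw_message, hop_ips, trusted_relays=frozenset()):
    """Run the SPF check the way a correctly configured receiver would."""
    ip = client_ip_for_check(hop_ips, trusted_relays)
    if ip is None:
        return {"client_ip": None, "checked_domain": None, "result": "none",
                "if_header_from_were_checked": "none"}
    domain = envelope_domain(raw_message)
    return {
        "client_ip": ip,
        "checked_domain": domain,
        "result": evaluate_spf(domain, ip),
        # For contrast only: what a check against the header From would give.
        "if_header_from_were_checked": evaluate_spf(header_from_domain(raw_message), ip),
    }


# Constructed message modelled on the headers quoted in the post; the list
# host has rewritten the envelope sender to its own bounce address.
LIST_MESSAGE = """\
Return-Path: <link-bounces@mailman.anu.edu.au>
Sender: link-bounces@mailman.anu.edu.au
From: Stephen Rothwell <sfr@rothwell.id.au>
To: Hamish Moffatt <hamish@cloud.net.au>
Subject: Re: [LINK] Question re spoofing with bad reply address

(body)
"""

LIST_HOST = "198.51.100.25"   # constructed: the mailing list's MTA
FILTER_BOX = "203.0.113.5"    # constructed: Postfix + Amavisd in front of Exchange

if __name__ == "__main__":
    print("direct from list:", check_message(LIST_MESSAGE, [LIST_HOST]))
    print("exchange, filter untrusted:", check_message(LIST_MESSAGE, [FILTER_BOX, LIST_HOST]))
    print("exchange, filter trusted:", check_message(LIST_MESSAGE, [FILTER_BOX, LIST_HOST], {FILTER_BOX}))
```

The first call passes because the list host is permitted for mailman.anu.edu.au, while the contrast field shows that checking the header From domain against the list's IP would fail, which is the forwarding failure the thread attributes to SPF. The second and third calls reproduce the filter-in-front-of-Exchange case: with the filtering box untrusted, the downstream check runs against the filter's own IP and fails; once that IP is in the trusted set, the check moves to the list host and passes.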
