Hi,

On 19/06/18 20:19, G.W. Haywood wrote:
> On Tue, 19 Jun 2018, Andrew McGlashan wrote:
> 
>> SPF RECORDS: "v=spf1 mx ip4:173.37.93.145/32 include:cisco.com
>> a:lists.clamav.net"
> 
> I've been in touch with Joel privately about this already, but now
> it's out in the open the problem is that the record for cisco.com
> includes the record for sco.cisco.com which includes the record for
> cisco.com which includes...
> 
> Kinda surprising that an organization like Cisco could get this so
> very badly wrong, and then ignore people who tell them about it:


Yes, this is why I distrust using includes with SPF records.

I have my own way of dealing with these problems; most people ignore the
problem and there are so many broken SPF records.

I have a script that checks for SPF record changes and I build my SPF
entries myself for those domain names that I am responsible for.  When
there are errors, I can "fix them" as best I can and make sure that my
own SPF records are valid.

The clamav SPF record also doesn't have an "all" value, which should be
the last entry for each record.  Most people put a soft fail in there
too, which is just like saying it may be broken and, if it is, ignore
the result -- which defeats the whole reason for SPF.  Therefore, I fail
with "-all" .... a hard fail, every time.

My spamassassin result will be heavily increased if the SPF fails.

# cat spf.cf
header _Received_SPF Received-SPF =~ /permerror/
score  _Received_SPF 100

And due to how many SPF records are just plain wrong, or how many have
more than 1 entry (having only 1 is valid, more than 1 is a fail), I
have another script that parses the SApermreject emails to find me some
entries to follow up for legitimate emails that have bad records in play.

So, I say, best to build your own SPF record from all the necessary
inputs and make sure your SPF record is 100% valid.  And check your
sources regularly if you must rely upon the values that would come via
an include.

Kind Regards
AndrewM
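
Added example, not part of the original message and not the poster's own script: a small offline lint for the three faults discussed in this thread (an include loop, more than one SPF record on a name, and a record with no terminating "all"), plus the RFC 7208 limit of 10 DNS-querying terms. The `.example` names and TXT strings are constructed sample data standing in for live DNS answers, and `lint_spf` is a hypothetical helper name.

```python
import re

# Constructed TXT data keyed by name (stand-in for live DNS answers).
SAMPLE_TXT = {
    "loop-a.example": ["v=spf1 mx include:loop-b.example"],
    "loop-b.example": ["v=spf1 include:loop-a.example -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.1 -all"],
    "good.example": ["v=spf1 mx ip4:192.0.2.0/24 include:leaf.example -all"],
    "leaf.example": ["v=spf1 ip4:198.51.100.7 -all"],
}
COSTS_LOOKUP = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def lint_spf(domain, txt=SAMPLE_TXT):
    """Return a list of problems found while expanding domain's SPF record."""
    problems, lookups = [], 0

    def walk(name, chain):
        nonlocal lookups
        records = [r for r in txt.get(name, [])
                   if r.lower().split()[:1] == ["v=spf1"]]
        if len(records) != 1:
            problems.append(f"{name}: {len(records)} SPF records, need exactly 1")
            return
        # Drop the qualifier (+ - ~ ?) and split "name:value" / "name=value".
        terms = [t.lstrip("+-~?").lower() for t in records[0].split()[1:]]
        parsed = [re.split(r"[:/=]", t, maxsplit=1) for t in terms]
        names = [p[0] for p in parsed]
        if not chain and "all" not in names and "redirect" not in names:
            problems.append(f"{name}: no terminating 'all' mechanism")
        for p in parsed:
            if p[0] in COSTS_LOOKUP:
                lookups += 1
            if p[0] in ("include", "redirect") and len(p) == 2:
                path = chain + (name,)
                if p[1] in path:  # target already being expanded: a cycle
                    problems.append("include loop: " + " -> ".join(path + (p[1],)))
                else:
                    walk(p[1], path)

    walk(domain, ())
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS-querying terms, limit is {MAX_LOOKUPS}")
    return problems


if __name__ == "__main__":
    for d in ("good.example", "dup.example", "loop-a.example"):
        print(d, lint_spf(d) or "ok")
```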


_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
