I am trying to understand how SpamAssassin 3.0.0 is checking SPF on
messages. It seems to be checking the Return-Path: address (envelope
address) and not the From: address (header address). That's wrong,
isn't it? Shouldn't it be checking the header address? Of course
when I reply my mailer uses the header From: address to generate the
response message.

Here is an example typical of the forgeries that are getting passed
through SA at the moment. I trimmed a real forged message to a
smaller example. This should trigger an SPF failure because I have
SPF records published for this domain just to stop this type of
forgery. But SA does not see it and passes it through.

  From [EMAIL PROTECTED] Sun Oct 17 09:51:15 2004
  Return-Path: <[EMAIL PROTECTED]>
  Delivered-To: [EMAIL PROTECTED]
  Received: from zahav.net.il (unknown [66.219.104.215])
          by joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7
          for <[EMAIL PROTECTED]>; Sun, 17 Oct 2004 09:51:10 -0600 (MDT)
  Message-ID: <[EMAIL PROTECTED]>
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: I am spam, spam I am
  Date: 17 Oct 2004 11:51:08 -0400

  spam spam spam

And SA says this in the debug output.

  debug: SPF: query for [EMAIL PROTECTED]/66.219.104.215/zahav.net.il: result:
  none, comment: SPF: domain of sender [EMAIL PROTECTED] does not designate
  mailers

By this I deduce that SA is checking the "Return-Path:" and ignoring
the "From:" address. What is the logic behind this? Shouldn't SA be
checking the From: address headers?

Second related question. If this message comes from a mail relay
in my trusted_networks then SA thinks it can't trust the mail relay.
But isn't that the entire purpose for the trusted_networks setting to
say that I can trust that host? It does still check the helo name.

  From [EMAIL PROTECTED] Sun Oct 17 09:51:15 2004
  Return-Path: <[EMAIL PROTECTED]>
  Delivered-To: [EMAIL PROTECTED]
  Received: from joseki.proulx.com (joseki.proulx.com [216.17.153.58])
          by misery.proulx.com (Postfix) with ESMTP id 02F598A209
          for <[EMAIL PROTECTED]>; Sun, 17 Oct 2004 09:51:15 -0600 (MDT)
  Received: from zahav.net.il (unknown [66.219.104.215])
          by joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7
          for <[EMAIL PROTECTED]>; Sun, 17 Oct 2004 09:51:10 -0600 (MDT)
  Message-ID: <[EMAIL PROTECTED]>
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: I am spam, spam I am
  Date: 17 Oct 2004 11:51:08 -0400

  spam spam spam

I get this message from SA.

  debug: SPF: relayed through one or more trusted relays, cannot use
  header-based Envelope-From, skipping

Obviously this eliminates any usefulness of the SPF checks in SA. So
I am wondering if I should disable those checks to avoid the DNS
lookups and to speed up SA processing.

Thanks
Bob
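
Added example, not part of the original post and not SpamAssassin's code: a simplified model of choosing the inputs that the SPF specification's check takes (connecting client IP, HELO name, envelope sender) from headers like the second sample above, skipping relays listed as trusted. The mail addresses, the function name spf_inputs and the assumption that Return-Path holds the envelope sender are illustrative.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the second message in the post. The mail
# addresses are placeholders, since the originals are redacted on the page.
SAMPLE = """\
Return-Path: <bounce@sender.example>
Received: from joseki.proulx.com (joseki.proulx.com [216.17.153.58])
\tby misery.proulx.com (Postfix) with ESMTP id 02F598A209;
\tSun, 17 Oct 2004 09:51:15 -0600 (MDT)
Received: from zahav.net.il (unknown [66.219.104.215])
\tby joseki.proulx.com (Postfix) with ESMTP id 41C174B3C7;
\tSun, 17 Oct 2004 09:51:10 -0600 (MDT)
From: someone@forged.example
Subject: I am spam, spam I am

spam spam spam
"""

# Matches the Postfix-style clause "from HELO (rdns [ip])".
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([0-9A-Fa-f.:]+)\]\)")

def spf_inputs(raw, trusted_networks):
    """Pick the client IP, HELO name and envelope sender an SPF check takes."""
    msg = email.message_from_string(raw)
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    # Assumption: Return-Path still holds the MAIL FROM seen at the border.
    mail_from = (msg.get("Return-Path") or "").strip("<> ")
    for hop in msg.get_all("Received", []):      # newest hop first
        m = HOP_RE.search(hop)
        if m is None:
            return None                          # unparseable hop: do not guess
        helo, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if any(ip in net for net in trusted):
            continue                             # our own relay, look further back
        return {
            "client_ip": str(ip),
            "helo": helo,
            "mail_from": mail_from,
            "spf_domain": mail_from.rpartition("@")[2] or helo,
            "header_from": msg.get("From"),      # not an SPF input
        }
    return None                                  # every hop was trusted

if __name__ == "__main__":
    print(spf_inputs(SAMPLE, ["216.17.153.58/32"]))
    print(spf_inputs(SAMPLE, []))
```

With the internal relay listed as trusted, the selected client IP is the outside host; with an empty trusted list it is the internal relay itself.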