On Thu, 12 Nov 2020 12:34:25 +0100 Matus UHLAR - fantomas wrote:

> >On Wed, 11 Nov 2020 17:01:21 +0100
> >
> >> On 11.11.20 15:41, RW wrote:
> On 11.11.20 19:06, RW wrote:
> >These two cases share the same "authenticated" primary reputation:
> >
> > Return-path: c...@example.com
> > From: c...@example.com
> >
> > Return-path: some...@somewhereelse.com
> > From: c...@example.com
> >
> >The benefit of this could be substantial, particularly with
> >txrep_learn_bonus set. All you have to do is make sure the envelope
> >sender passes SPF.
> >
> >To be honest I haven't verified this, but the code looks
> >straightforward. $signedby gets set to the tag DKIMDOMAIN or falls
> >back to the fixed string 'spf' for an SPF pass.
>
> Sorry, I'm not into txrep much for now.
>
> Does it mean that txrep correctly compares Return-Path (or any
> header that is filled by envelope from), but incorrectly adds bonus
> to address in From: header?

When there's a valid DKIM signature TxRep identifies the main reputation
with a combination of "header from" and the signing domain. It doesn't
require DMARC style alignment, but that's not easily exploitable because
signing with a different domain creates a new reputation.

With SPF a pass is simply treated as having authenticated the "header
from" regardless of the "envelope from" that was used in SPF. This allows
an existing good reputation to be exploited easily - even accidentally.

An improvement would be to handle SPF like DKIM, using the envelope
domain like a signing domain.
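The following is an added illustration, not code from the thread or from the SpamAssassin TxRep plugin (which is written in Perl). It models, in Python, the reputation-key derivation RW describes: with DKIM the key combines the header-from address with the signing domain, while with SPF the current code collapses every SPF pass to the fixed tag 'spf', so two messages with the same From: but different envelope senders share one reputation. A second derivation implements the proposed fix (use the SPF-authenticated envelope domain the way a DKIM signing domain is used). The `Message` structure, the `|unsigned` fallback for unauthenticated mail and all addresses are assumptions constructed for the example; real TxRep takes its inputs from the DKIM and SPF plugins.

```python
# Added example, not TxRep's own code: a model of how the TxRep primary
# reputation key depends on the authentication result.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Message:
    """Authentication facts about one message (assumed input shape;
    TxRep itself gets these from the DKIM and SPF plugins)."""
    header_from: str            # address in the From: header
    envelope_from: str          # Return-Path / MAIL FROM address
    dkim_domain: Optional[str]  # d= of a valid DKIM signature, or None
    spf_pass: bool              # SPF result for envelope_from


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[1].lower()


def signedby_current(msg: Message) -> Optional[str]:
    """Mirror of the $signedby logic quoted in the thread: the DKIM
    signing domain if there is a valid signature, otherwise the fixed
    string 'spf' for an SPF pass, otherwise nothing."""
    if msg.dkim_domain:
        return msg.dkim_domain.lower()
    if msg.spf_pass:
        return "spf"
    return None


def signedby_proposed(msg: Message) -> Optional[str]:
    """RW's suggested change: on SPF pass, use the envelope domain the
    way a DKIM signing domain is used, so a different envelope sender
    creates a different reputation."""
    if msg.dkim_domain:
        return msg.dkim_domain.lower()
    if msg.spf_pass:
        return domain_of(msg.envelope_from)
    return None


def reputation_key(msg: Message, signedby: Callable[[Message], Optional[str]]) -> str:
    """Primary reputation id: header-from address plus the 'signed by'
    tag. Unauthenticated mail gets a separate '|unsigned' key (our
    assumption for the unsigned case)."""
    tag = signedby(msg) or "unsigned"
    return f"{msg.header_from.lower()}|{tag}"


def keys_collide(a: Message, b: Message,
                 signedby: Callable[[Message], Optional[str]]) -> bool:
    """True if two messages would share one TxRep reputation."""
    return reputation_key(a, signedby) == reputation_key(b, signedby)


# Constructed sample messages (addresses are placeholders).
ALIGNED_SPF = Message("alice@example.com", "alice@example.com", None, True)
MISMATCHED_SPF = Message("alice@example.com", "bounce@other.invalid", None, True)
ALIGNED_DKIM = Message("alice@example.com", "alice@example.com", "example.com", False)
OTHER_DKIM = Message("alice@example.com", "alice@example.com", "other.invalid", False)


if __name__ == "__main__":
    for name, fn in (("current", signedby_current), ("proposed", signedby_proposed)):
        print(f"{name}: aligned SPF  -> {reputation_key(ALIGNED_SPF, fn)}")
        print(f"{name}: mismatched   -> {reputation_key(MISMATCHED_SPF, fn)}")
        print(f"{name}: shared key?  -> {keys_collide(ALIGNED_SPF, MISMATCHED_SPF, fn)}")
    print(f"DKIM with other d= shares key? -> "
          f"{keys_collide(ALIGNED_DKIM, OTHER_DKIM, signedby_current)}")
```

Run as a script it prints the two keys under each rule: with the current rule both SPF cases map to `alice@example.com|spf`, while the proposed rule separates them into `|example.com` and `|other.invalid`, mirroring how the DKIM case already yields distinct keys for distinct signing domains.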