SPF not correctly checked on multiple from addresses
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix-policyd-spf-perl | Invalid | Undecided | Unassigned |
Bug Description
I recently received a SPAM mail that claimed to be from one of my own domains. Since I have SPF activated I believed this to not be possible. After analyzing the e-mail, I found out that the sender used a trick to circumvent the SPF protection:
He simply put multiple From addresses in the e-mail like so:
From: <email address hidden>, <email address hidden>, =?UTF-8?
After looking in the RFC (https:/
It seems like the SPF was only checked for the last email with the mail address in '<>' and for none of the previous e-mail addresses.
I would think that the SPF would need to be checked for all From addresses, as it is otherwise easy to circumvent SPF partially by simply adding another email address at the end of the list.
SPF does not check the From identity in the body of the message. It checks the Mail From in the envelope of the message (and there can be only one of those). See the introduction to RFC 7208 [1].
[1] https://tools.ietf.org/html/rfc7208#page-5
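As an added example that is not part of this bug report or of the postfix-policyd-spf-perl code, the following Python sketch shows where the SPF identity comes from in a Postfix policy check: the envelope `sender` attribute of the SMTPD policy delegation request, not the message's From header, however many addresses that header lists. The `FAKE_DNS_TXT` table and the `ip4`-only evaluator are assumptions standing in for real DNS lookups and the full RFC 7208 algorithm.

```python
import ipaddress
from email.utils import getaddresses

# Constructed SPF records standing in for DNS TXT lookups (no network access).
FAKE_DNS_TXT = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}

def parse_policy_request(blob):
    """Parse one Postfix policy delegation request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def check_spf(client_ip, envelope_sender):
    """Minimal SPF evaluation (assumption): only ip4 mechanisms and a final 'all' are supported."""
    if "@" not in envelope_sender:
        return "none"
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        # An IPv6 client never matches an ip4 mechanism, so it falls through to 'all'.
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return qualifiers[qual]
        if term == "all":
            return qualifiers[qual]
    return "neutral"

def policy_action(blob):
    """Build the policy reply; the SPF identity is the envelope 'sender', never a header field."""
    attrs = parse_policy_request(blob)
    result = check_spf(attrs["client_address"], attrs["sender"])
    if result == "fail":
        return "action=REJECT SPF fail for " + attrs["sender"]
    return "action=PREPEND Received-SPF: " + result

def header_from_addresses(header_value):
    """The From header the reporter saw can carry a list; SPF above never reads it."""
    return [addr for _, addr in getaddresses([header_value])]

# Constructed request: envelope sender at example.com arriving from an IP outside its ip4 range.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=198.51.100.7\nsender=someone@example.com\n"
                  "recipient=me@example.com\n\n")
```

Running `policy_action(SAMPLE_REQUEST)` rejects the message on the envelope sender alone; adding more addresses to the From header changes nothing in that path.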