pypolicyd-spf returns false result, which may be exploited by attackers
Bug #1838816 reported by Jianjun
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pypolicyd-spf | Invalid | Undecided | Unassigned | |
Bug Description
pypolicyd-spf returns 'Pass' results when MAIL FROM check is 'None' and HELO check is 'Pass', which can be exploited by attackers to bypass DMARC.
When an attacker sends the following message,
HELO: attacker.com
MAIL FROM: <email address hidden>
...
From: <email address hidden>
...
he can bypass the SPF and DMARC authentication in mail servers because it passes both the SPF check and the DMARC alignment test.
information type: Private Security → Private
information type: Private → Public
On Friday, August 2, 2019 3:41:40 PM EDT you wrote:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> pypolicyd-spf returns 'Pass' results when MAIL FROM check is 'None' and
> HELO check is 'Pass', which can be exploited by attackers to bypass
> DMARC.
>
> When an attacker sends the following message,
>
> HELO: attacker.com
> MAIL FROM: <email address hidden>
> ...
> From: <email address hidden>
> ...
>
> he can bypass the SPF and DMARC authentication in mail servers because
> it can pass both SPF check and DMARC alignment test.
I think this is a bug in the DMARC processor. For your example, here's the
output the policy-server gives (using the most recent version):
Authentication-Results: mx.example.org; spf=pass (helo) smtp.helo=attacker.com
The DMARC processor should be looking at the smtp property and not using helo
results for DMARC.
Scott K
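How a DMARC processor should consume that header, as an added Python example; this is not code from pypolicyd-spf or from any DMARC implementation. It parses the SPF part of an Authentication-Results header, shows the naive evaluation that pairs any `spf=pass` with the envelope MAIL FROM domain (the behaviour the report exploits), and beside it the evaluation that only trusts a pass recorded for the `smtp.mailfrom` identity and takes the alignment domain from that identity. Hostnames, addresses and the header strings are constructed placeholders standing in for the hidden ones in the report; the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SpfResult:
    result: str    # pass, fail, softfail, neutral, none, temperror, permerror
    identity: str  # "smtp.mailfrom" or "smtp.helo": which identity SPF checked
    domain: str    # domain of that identity


def parse_auth_results(header: str) -> List[SpfResult]:
    """Extract spf= results (with their identity property) from an
    Authentication-Results header value.  The first ';'-separated field is
    the authserv-id; each following field is one method result such as
    'spf=pass (helo) smtp.helo=attacker.com'."""
    results = []
    for part in [p.strip() for p in header.split(";")][1:]:
        m = re.match(r"spf=(\w+)(?:\s*\([^)]*\))?\s*(.*)", part)
        if not m:
            continue  # not an SPF result (dkim=, dmarc=, ...)
        props = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        for ident in ("smtp.mailfrom", "smtp.helo"):
            if ident in props:
                domain = props[ident].rsplit("@", 1)[-1].lower()
                results.append(SpfResult(m.group(1).lower(), ident, domain))
    return results


def domain_of(address: str) -> str:
    """Domain part of an address such as '<user@example.com>'."""
    return address.strip("<> ").rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels).  A real
    implementation must consult the Public Suffix List here."""
    return ".".join(domain.rstrip(".").split(".")[-2:])


def aligned(d1: str, d2: str, strict: bool = False) -> bool:
    """RFC 7489 identifier alignment: exact match in strict mode,
    same organizational domain in relaxed mode."""
    return d1 == d2 if strict else org_domain(d1) == org_domain(d2)


def dmarc_spf_naive(header: str, mail_from: str, from_header: str) -> bool:
    """Flawed evaluation: any spf=pass counts, and the pass is attributed to
    the envelope MAIL FROM domain regardless of which identity was checked.
    A HELO-only pass therefore 'authenticates' whatever MAIL FROM was sent."""
    if not any(r.result == "pass" for r in parse_auth_results(header)):
        return False
    return aligned(domain_of(mail_from), domain_of(from_header))


def dmarc_spf_correct(header: str, from_header: str, strict: bool = False) -> bool:
    """DMARC's SPF input is the RFC5321.MailFrom identity only, so a pass
    is accepted solely when recorded against smtp.mailfrom, and the
    alignment domain comes from that property rather than from the SMTP
    session.  (A null reverse-path still shows up here: RFC 7208 s2.4 has
    the SPF checker substitute postmaster@<HELO> as the MAIL FROM identity.)"""
    for r in parse_auth_results(header):
        if r.identity == "smtp.mailfrom" and r.result == "pass":
            return aligned(r.domain, domain_of(from_header), strict)
    return False


# Constructed sample: the header from the report, with the envelope sender and
# From: header both claiming the victim's domain (placeholders for the hidden ones).
BUG_HEADER = "mx.example.org; spf=pass (helo) smtp.helo=attacker.com"
BUG_MAIL_FROM = "<someone@victim.example>"
BUG_FROM = "<someone@victim.example>"

# Constructed sample: a legitimate message whose MAIL FROM domain passed SPF.
LEGIT_HEADER = "mx.example.org; spf=pass (mailfrom) smtp.mailfrom=news@victim.example"
LEGIT_FROM = "<alerts@mail.victim.example>"

if __name__ == "__main__":
    print("naive:  ", dmarc_spf_naive(BUG_HEADER, BUG_MAIL_FROM, BUG_FROM))   # True  (bypass)
    print("correct:", dmarc_spf_correct(BUG_HEADER, BUG_FROM))               # False
    print("legit relaxed:", dmarc_spf_correct(LEGIT_HEADER, LEGIT_FROM))     # True
    print("legit strict: ", dmarc_spf_correct(LEGIT_HEADER, LEGIT_FROM, strict=True))  # False
```

The naive evaluator returns an aligned pass for the report's message because it never asks which identity produced the `spf=pass`; the corrected one reads the `smtp.mailfrom` property and, finding only a `smtp.helo` result, treats SPF as not passed, so DMARC falls back to DKIM for that message.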