Serious bug, SPAM getting through
Posted: 14 Nov 2019 08:59
I'm seeing spam that seems to originate from our domain getting through without a problem.
SPF for our domain is set as strict as possible with -all to hardfail on no match.
On closer inspection of the headers and of how EFA checks SPF, the issue seems clear:
EFA is not checking the domain in the 'From' entry, it's checking the domain in the 'Return-Path' entry.
That's not how it's supposed to work!
The 'Return-Path' entry is easily spoofed. Right now there's a spam run going on using 'return@edition.cnn.com', which is a legitimate domain but doesn't have any SPF records.
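The distinction the post turns on is which domain each check evaluates: SPF is checked against the envelope sender (MAIL FROM, recorded by the receiving MTA as Return-Path), while matching that result against the header From domain is the alignment check DMARC adds. The script below is an added example, not code from the thread or from the EFA project; it parses a constructed header set modelled on the situation described (From claims example.com, Return-Path is a third-party domain) and reports whether the From domain is aligned with the domain SPF actually verified, using a simplified two-label organizational-domain rule instead of a public suffix list.

```python
import email
from email.utils import parseaddr

# Constructed sample headers modelled on the post: the header From claims our
# domain, but the envelope sender (Return-Path) is an unrelated domain.
SAMPLE_HEADERS = (
    "Return-Path: <return@edition.cnn.com>\n"
    'From: "Accounts" <billing@example.com>\n'
    "To: someone@example.com\n"
    "Subject: Invoice\n"
    "\n"
    "body\n"
)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none
    (an empty Return-Path '<>' on a bounce yields '')."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower() if "@" in address else ""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. A real DMARC
    implementation uses the public suffix list (assumption for this example)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def analyze(raw_message: str, relaxed: bool = True) -> dict:
    """Report the domain SPF is evaluated against (Return-Path) next to the
    header From domain, and whether they are DMARC-aligned.
    relaxed=True compares organizational domains; strict requires an exact match."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))  # what the SPF check uses
    if relaxed:
        aligned = bool(rp_dom) and org_domain(from_dom) == org_domain(rp_dom)
    else:
        aligned = bool(rp_dom) and from_dom == rp_dom
    return {"from_domain": from_dom, "spf_domain": rp_dom, "aligned": aligned}


if __name__ == "__main__":
    print(analyze(SAMPLE_HEADERS))
```

An SPF pass on edition.cnn.com therefore says nothing about example.com; only a DMARC policy on the From domain turns the unaligned result into a reject.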