[clamav-users] *****SPAM [by spamassassin on mail.affinityvision.com.au]***** Re: clamav list spf problem
Andrew McGlashan
andrew.mcglashan at affinityvision.com.au
Tue Jun 19 13:08:40 UTC 2018
Hi,

On 19/06/18 20:19, G.W. Haywood wrote:
> On Tue, 19 Jun 2018, Andrew McGlashan wrote:
>
>> SPF RECORDS: "v=spf1 mx ip4:173.37.93.145/32 include:cisco.com
>> a:lists.clamav.net"
>
> I've been in touch with Joel privately about this already, but now
> it's out in the open the problem is that the record for cisco.com
> includes the record for sco.cisco.com which includes the record for
> cisco.com which includes...
>
> Kinda surprising that an organization like Cisco could get this so
> very badly wrong, and then ignore people who tell them about it:

Yes, this is why I distrust using includes with SPF records.

I have my own way of dealing with these problems; most people ignore the
problem and there are so many broken SPF records.

I have a script that checks for SPF record changes and I build my SPF
entries myself for those domain names that I am responsible for. When
there are errors, I can "fix them" as best I can and make sure that my
own SPF records are valid.

The clamav SPF record also doesn't have an "all" value, which should be
the last entry for each record. Most people put a soft fail in there
too, which is just like saying, it may be broken and if it is, ignore
the result -- which defeats the whole reason for SPF. Therefore, I fail
with "-all" .... a hard fail, every time.

My spamassassin result will be heavily increased if the SPF fails.

# cat spf.cf
header _Received_SPF Received-SPF =~ /permerror/
score _Received_SPF 100

And due to how many SPF records are just plain wrong, or how many have
more than 1 entry (having only 1 is valid, more than 1 is a fail), I
have another script that parses the SApermreject emails to find me some
entries to follow up for legitimate emails that have bad records in play.

So, I say, best to build your own SPF record from all the necessary
inputs and make sure your SPF record is 100% valid. And check your
sources regularly if you must rely upon the values that would come via
an include.

Kind Regards
AndrewM
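
The failure modes raised in this message (an include loop, more than one SPF record for a name, a record with no terminal "all"), sketched as a small checker. This is an added example, not the poster's script: the domain names and TXT strings are constructed, and audit_spf is a hypothetical helper that reads an in-memory table instead of querying DNS.

```python
import re

# Constructed TXT data shaped like the records in the thread; not live DNS answers.
SAMPLE_TXT = {
    "lists.example.net": ["v=spf1 mx ip4:192.0.2.10/32 include:corp.example a:lists.example.net"],
    "corp.example": ["v=spf1 ip4:198.51.100.0/24 include:sco.corp.example -all"],
    "sco.corp.example": ["v=spf1 include:corp.example -all"],
    "two.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "good.example": ["v=spf1 mx ip4:203.0.113.5 -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: exceeding this is a permerror
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")  # qualifier, name, argument


def audit_spf(domain, txt=SAMPLE_TXT):
    """Return a list of problems in the SPF policy published for `domain`."""
    problems, lookups = [], 0

    def walk(name, path):
        nonlocal lookups
        records = [r for r in txt.get(name, []) if r.lower().startswith("v=spf1")]
        if len(records) != 1:
            # No record at the top level is result "none"; anywhere else it is a permerror.
            kind = "permerror" if records or path else "none"
            problems.append(f"{kind}: {name} publishes {len(records)} SPF records, exactly 1 required")
            return
        terms = [TERM.match(t).groups() for t in records[0].lower().split()[1:]]
        names = [n for n, _ in terms]
        if not path and "redirect" not in names and names[-1:] != ["all"]:
            problems.append(f"warning: {name} does not end with an 'all' mechanism")
        for mech, arg in terms:
            lookups += mech in LOOKUP_TERMS  # count every DNS-querying term
            if mech in ("include", "redirect"):
                if arg in path + (name,):
                    # A real evaluator only notices this when it runs into the lookup limit.
                    problems.append("permerror: include loop " + " -> ".join(path + (name, arg)))
                else:
                    walk(arg, path + (name,))

    walk(domain, ())
    if lookups > MAX_LOOKUPS:
        problems.append(f"permerror: {lookups} DNS-querying terms, limit is {MAX_LOOKUPS}")
    return problems


if __name__ == "__main__":
    for d in SAMPLE_TXT:
        print(d, audit_spf(d) or "ok")
```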