I cannot find a private address for reporting security bugs, so I have to post it here.
If a mail server uses both OpenDMARC and pypolicyd-spf, its SPF and DMARC authentication can be bypassed with the following message:
HELO: attacker.com
MAIL FROM: <[email protected]>
...
From: <[email protected]>
...
- pypolicyd-spf uses the HELO identifier and generates the following message:
Received-SPF: Pass (helo) identity=helo; client-ip=1.2.3.4; helo=attack.com; [email protected];
- OpenDMARC uses the MAIL FROM identifier to check alignment with the From header.
Given the popularity of OpenDMARC and pypolicyd-spf, this bug may affect many online services. Hope you can fix it soon.
Detailed reproduction steps at:
https://sourceforge.net/p/opendmarc/tickets/235/
I have also reported it to pypolicyd-spf:
https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
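The mismatch described above is that one component produced an SPF pass for the HELO identity while the other consumed it as if it were a MAIL FROM pass. The following added example (not code from OpenDMARC or pypolicyd-spf) shows the check a DMARC verifier has to make before trusting a Received-SPF header: the pass must be for the identity RFC 7489 calls for (MAIL FROM, or HELO only when MAIL FROM is empty) and that domain must align with the From header. The domains, addresses and header values are constructed, and the organizational-domain helper is a simplification of the Public Suffix List lookup.

```python
import re
from email.utils import parseaddr

def parse_received_spf(header):
    """Split 'Pass (helo) identity=helo; client-ip=...; helo=...' into (result, fields)."""
    m = re.match(r'\s*(\w+)\s*(?:\([^)]*\))?\s*(.*)', header, re.S)
    fields = {}
    for part in m.group(2).split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            fields[key.strip().lower()] = value.strip()
    return m.group(1).lower(), fields

def domain_of(addr):
    """Domain part of a mailbox such as 'Name <user@host>' or '<user@host>' ('' for '<>')."""
    return parseaddr(addr)[1].rpartition('@')[2].lower().rstrip('.')

def org_domain(domain):
    # Simplification: last two labels. A real verifier uses the Public Suffix List.
    return '.'.join(domain.split('.')[-2:])

def spf_aligned_for_dmarc(received_spf, smtp_mail_from, from_header, strict=False):
    """True only if the SPF pass is for the identity DMARC requires (RFC 7489 3.1.2)
    and the authenticated domain aligns with the RFC5322.From domain."""
    result, f = parse_received_spf(received_spf)
    if result != 'pass':
        return False
    identity = f.get('identity', '').lower()
    mail_from_domain = domain_of(smtp_mail_from)
    if mail_from_domain:
        # Non-empty MAIL FROM: only a mailfrom-identity pass counts. A HELO pass,
        # the case in this report, must not be promoted to a DMARC pass.
        if identity != 'mailfrom':
            return False
        auth_domain = domain_of(f.get('envelope-from', ''))
        if auth_domain != mail_from_domain:   # header must describe this transaction
            return False
    else:
        # Null reverse-path (bounce): DMARC falls back to the HELO identity.
        if identity != 'helo':
            return False
        auth_domain = f.get('helo', '').lower().rstrip('.')
    from_domain = domain_of(from_header)
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

# Constructed reproduction of the reported shape: HELO-identity pass, spoofed MAIL FROM/From.
REPORT_CASE = ("Pass (helo) identity=helo; client-ip=192.0.2.10; helo=attacker.example; "
               "envelope-from=sender@victim.example;", "<sender@victim.example>",
               "<sender@victim.example>")
```

With the report's shape, `spf_aligned_for_dmarc(*REPORT_CASE)` is False, while a `identity=mailfrom` pass whose envelope-from domain matches the From domain is True.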