php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69208 SPF Misconfigurations
Submitted: 2015-03-09 17:40 UTC Modified: 2015-07-04 11:45 UTC
From: habte dot yibelo at gmail dot com Assigned: danbrown (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
 [2015-03-09 17:40 UTC] habte dot yibelo at gmail dot com
Description:
------------
Hi,

PHP.net's DNS/SPF records are incorrectly configured and can easily be used to cause mail spoofing from/to anyone. This is dangerous as this could be easily used to damage the organization, almost use to impersonate someone or the developers and cause serious of problems.

It is occured because the SPF record says:

v=spf1 ip4:72.52.91.12 ip6:2a02:cb41::8 ip4:140.211.15.143 ?all 

This is a common misconfiguration, the correct fix would have been:

v=spf1 ip4:72.52.91.12 ip6:2a02:cb41::8 ip4:140.211.15.143 -all

The ?all indicates that All records from anywhere will/shall be affected and thus allowing mail spoofing  

Test script:
---------------
use kitterman.com/spf/validate.html

Expected result:
----------------
The expected Result

v=spf1 ip4:72.52.91.12 ip6:2a02:cb41::8 ip4:140.211.15.143 -all 

and fake emails will be marked as Spam

Reality:

v=spf1 ip4:72.52.91.12 ip6:2a02:cb41::8 ip4:140.211.15.143 ?all 

They can pass anything

Actual result:
--------------
v=spf1 ip4:72.52.91.12 ip6:2a02:cb41::8 ip4:140.211.15.143 ?all 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-05 10:32 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: danbrown
 [2015-05-05 10:32 UTC] kalle@php.net
Daniel, this seems like your area :)
 [2015-05-30 14:13 UTC] d at ja dot vu
The current php.net SPF configuration is perfectly fine.

SPF configured with '... -all' as suggested in the bug report is a common way to get legitimate (eg. forwarded) mail rejected or discarded.

Using '... ?all' as is currently the case, is a way to say that you know mail from the mentioned IP's to be 'authorized' and that you do not know one way or the other regarding mail from other sources. (Could be forged, could be legitimate forwarded mail)

I suggest this bug be closed as not a bug.
 [2015-07-04 11:45 UTC] kalle@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 03:01:29 2024 UTC