sdgathman
commented
4 years ago First, there is no problem with options to extend standard conforming behavior. The library already has support for heuristics to e.g. interpret ip:1.2.3.4 as ip4:1.2.3.4. However, all these extensions return two results: the official standard conforming result (PermErr in the case of ip:1.2.3.4) and the heuristic result (called "best guess"). So in your case, the standard result would still be Pass, but you could return a heuristic result of:
- PermErr: this is a really dumb policy
- Fail: you must be a spammer
or whatever.
The next issue is that simply checking for +all is no good. You can have legit policies that end in +all, and exclude most of the ip space with '-' policies. (And I've seen them.) Now your example implies a heuristic of checking that all mechanisms are '+' - I think that is correct. Ideally, you want to compute an ipset, and check that less that some percentage of ip space is accepted - but that might be too complex. (The libspf2 C library can actually "compile" policies into a byte code that can be cached and evaluated faster - especially by eliminating DNS lookups. The cached bytecode has an expiration based on DNS lifetimes.)
We do already import ipaddress, which includes ipset - but computing the ipset requires evaluating every mechanism. I think. That is certainly faster that evaluation for every possible IP :-), but maybe there is a tricky algorithm I'm not thinking of.
Note that the CLI has an undocumented option to compute an iplist: substitute "list" for the ip address. This implementation is incomplete, I added it as a tool to help debug simple policies. In particular, it doesn't handle the effect of '-' mechanisms. This is tricky because of the short circuiting. It also doesn't handle the all mechanism (since simple policies just end in -all). One project would be to make the iplist implementation more complete, and see if it could be reasonably used to compute an ip space coverage. But, many policies with macros can't be reduced to an ipset without evaluating for every ip. E.g. looking up a DNS record with a name constructed from the IP. So you would still have to recognize such policies and punt (which is what libspf2 does).
So the "all + mechanisms" heuristic is probably simple and effective enough for the present.
gpatel-fr
kitterma
Daniel-Abrecht
Greetings
This is a suggestion/question, not a bug report.
I just wonder if pyspf could not add some special (optional) handling for SPF records like this:
v=spf1 +a +mx +a:vpr60.prodius.be +all
Basically it would just ignore them.
this is the current behaviour,
(mypy3) gerard@q1900:~/pyspf$ python spf.py "v=spf1 +a +mx +a:vpr60.prodius.be +all" 70.184.247.44 billsegat@microsoft.com mail.gathman.org result: ('pass', 250, 'sender SPF authorized') +all
A formally correct result, but a bit of a let down in the spirit of the standard (it's supposed to fight spam, right ? this SPF record is one among many other like that I have seen in my logs)
So the changed output could be - with an additional command switch (corresponding to a class parameter / parameter to check/check2 global functions):
(mypy3) gerard@q1900:~/pyspf$ python spf.py -k "v=spf1 +a +mx +a:vpr60.prodius.be +all" 70.184.247.44 billsegat@microsoft.com mail.gathman.org result: ('fail', 550, 'SPF fail - not authorized') -all](url)
I could do a PR along these lines, but before doing it I prefer to know if it would be rejected out of hand as not standard conformant.
The default behaviour would stay of course standard conformant.
I'm well aware that this could be handled at the mail server level, but it would be easier to do it at the library level.