This queue is for tickets about the Mail-SPF CPAN distribution.

Report information
The Basics
Id: 132486
Status: new
Priority: 0/
Queue: Mail-SPF

Owner: Nobody in particular
Requestors: nsczyx [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Find a bug in mail-spf
Date: Sun, 3 May 2020 12:37:50 +0800
To: bug-Mail-SPF [...]
From: 赵宇轩 <nsczyx [...]>
Hi, I found a bug in Mail-SPF. The details are as follows:

When I structure an abnormal mail-from address such as “” and I input the correct IP of the TXT record, Mail-SPF will give the pass result.

# perl spfquery --mfrom "" --ip-address pass

I have read the relevant code of the regular expression (/lib/Mail/SPF/, and I have found it has a mistake. This way of writing will only match the characters after the last ‘@’ character as a domain name.

What's worse, when a hacker uses the character truncation bug of email systems (actually in many web-mail providers and client-mail providers) and structures a mail-from like “” whose domain is under the control of the hacker, the SPF protocol will pass and the victim will have in visible. For example: in the Outlook client.

By the way, the version of Mail-SPF is v2.9.0 and the version of Perl is v5.18.4.

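To illustrate the parsing problem the report describes, here is an added example (not Mail::SPF's own code, and in Python rather than Perl) that contrasts a lax "last '@' wins" domain extraction with a strict one that only yields a domain when the whole MAIL FROM identity is a single well-formed address, and that falls back to the HELO identity otherwise. The grammar is a constructed, simplified dot-atom form (no quoted local parts, no address literals) assumed for this demonstration.

```python
import re

# Constructed, simplified grammar (assumption for this example): a dot-atom local part,
# exactly one '@', and a dot-atom domain with at least two labels.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL = rf"{_ATEXT}(?:\.{_ATEXT})*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"

# Lax form: greedy '.*' swallows everything up to the LAST '@', so any text before it,
# including earlier '@' characters, is silently accepted as the local part.
LAX_RE = re.compile(r"^.*@(.+)$", re.S)

# Strict form: the entire identity must match local@domain; anything else is rejected.
STRICT_RE = re.compile(rf"^{_LOCAL}@({_DOMAIN})$")


def lax_domain(mfrom):
    """Domain as a 'last @' regex would see it (the behaviour the report describes)."""
    m = LAX_RE.match(mfrom)
    return m.group(1).lower() if m else None


def strict_domain(mfrom):
    """Domain only when the whole identity is one well-formed address, else None."""
    if mfrom in ("", "<>"):
        return None  # null sender: there is no mail-from domain to evaluate
    m = STRICT_RE.match(mfrom)
    return m.group(1).lower() if m else None


def spf_identity_domain(mfrom, helo):
    """Pick the domain to check: strict MAIL FROM if it parses, otherwise the HELO name."""
    d = strict_domain(mfrom)
    if d:
        return d, "mfrom"
    return helo.lower(), "helo"


if __name__ == "__main__":
    # Constructed sample identities using reserved example domains.
    for ident in ["alice@example.com", "a@b.example@c.example", "", "x@y"]:
        print(repr(ident), lax_domain(ident), strict_domain(ident),
              spf_identity_domain(ident, "mx.example.net"))
```

The second sample identity shows the divergence: the lax extraction reports the domain after the final '@', while the strict parser refuses it and the verifier falls back to the HELO identity.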