|Subject:||Find a bug in mail-spf|
|Date:||Sun, 3 May 2020 12:37:50 +0800|
|To:||bug-Mail-SPF [...] rt.cpan.org|
|From:||赵宇轩 <nsczyx [...] gmail.com>|
Hi,

I found a bug in Mail-SPF. The details are as follows:

When I construct an abnormal mail-from address such as “email@example.com@ 163.com” and input the correct IP from the TXT record of the domain 163.com, Mail-SPF gives the pass result.

    # perl spfquery --mfrom "firstname.lastname@example.org@163.com" --ip-address 220.127.116.11
    pass

I have read the relevant regular-expression code (/lib/Mail/SPF/Request.pm, line 265) and found that it has a mistake. Written this way, it will only match the characters after the last ‘@’ character as the domain name.

What's worse, when a hacker uses the character truncation bug of email systems (actually present in many web-mail providers and client-mail providers) and constructs a mail-from like “email@example.comfirstname.lastname@example.org”, in which the hacer.com domain is under the control of the hacker, the SPF protocol will pass and the victim will see email@example.com displayed, for example in the Outlook client.

By the way, the version of Mail-SPF is v2.9.0 and the version of Perl is v5.18.4.
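The parsing behaviour described in the report, next to a stricter check that a receiver could apply to the MAIL FROM identity before SPF evaluation. This is an added example, not code from Mail-SPF or from the reporter; the pattern in split_last_at is an assumed illustration of "domain = text after the last '@'", and the function names and sample addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Greedy split of the kind the report describes: whatever follows the LAST '@'
# is taken as the domain. Assumed pattern for illustration, not Mail-SPF source.
sub split_last_at {
    my ($identity) = @_;
    return $identity =~ /^(.*)@(.*?)$/ ? ($1, $2) : ();
}

# Strict split: exactly one '@', no whitespace or control characters in the
# local part, and a domain made only of letter-digit-hyphen labels.
# Quoted local parts that contain '@' are rejected as well (conservative choice).
sub split_strict {
    my ($identity) = @_;
    return () unless defined $identity && ($identity =~ tr/@//) == 1;
    my ($local, $domain) = split /@/, $identity, 2;
    return () if $local eq '' || $local =~ /[\x00-\x20\x7f]/;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return () unless $domain =~ /\A$label(?:\.$label)+\z/;
    return ($local, lc $domain);
}

# Constructed sample identities (example domains, not taken from the report).
my @samples = (
    'alice@example.com',
    'alice@example.com@attacker.example',
    "alice\@example.com\0\@attacker.example",
);

for my $id (@samples) {
    # Render non-printable bytes as \xNN so the output stays readable.
    (my $shown = $id) =~ s/([^\x21-\x7e])/sprintf '\\x%02x', ord $1/ge;
    my @loose  = split_last_at($id);
    my @strict = split_strict($id);
    printf "%-42s last-\@ domain: %-18s strict: %s\n", $shown,
        (@loose  ? $loose[1]  : '(no match)'),
        (@strict ? $strict[1] : 'rejected');
}
```

For the two multi-'@' samples the greedy split yields attacker.example as the domain to check, while the strict split rejects the identity before any SPF lookup is made.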