Cisco Bug: CSCvt44551 - Request for ESA to check the mail header 'Sender:' and 'From:' to evaluate a SPF/SIDF: pra violation

Last Modified

May 15, 2020

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

12.5.1-036

Description (partial)

Symptom:
E.g.:

1. Our domain is @example.com
2. The allowed SMTP IPs for this domain are: X.X.X.X and X.X.Y.Y
3. The envelope sender is abc@other.com
4. The mail header Sender: --- not present ---
5. The mail header From: is user@example.com
6. The mail was sent from Y.Y.Y.Y
7. The ESA runs the SPF/SIDF: pra check

Result: FAIL, Y.Y.Y.Y is not allowed to send mail for @example.com

The problem is that Outlook uses the From: field to display the purported sender.
So you can _very_ easily bypass the SPF/SIDF: pra check!!!!!

Conditions:
When a mail contains both a 'Sender:' header field _and_ a 'From:' header field, the 'Sender:' field takes precedence over the 'From:' field.
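
The following is an added example, not part of the Cisco bug record or ESA code. It models only the Sender-over-From precedence described under Conditions and flags messages where the domain a pra check would evaluate differs from the domain shown in From:. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lowercased domain of the mailbox in a header value, or None if absent."""
    if not header_value:
        return None
    address = parseaddr(header_value)[1]
    if "@" not in address:
        return None
    return address.rpartition("@")[2].lower()


def pra_view(raw_message):
    """Compare the domain a pra check evaluates with the one the reader sees.

    Models only the precedence stated in the bug: 'Sender:' wins over 'From:'.
    """
    msg = message_from_string(raw_message)
    sender_domain = domain_of(msg.get("Sender"))
    from_domain = domain_of(msg.get("From"))
    pra_domain = sender_domain or from_domain
    return {
        "pra_domain": pra_domain,    # domain the SPF/SIDF: pra check evaluates
        "from_domain": from_domain,  # domain the mail client displays
        "mismatch": pra_domain != from_domain,
    }


# Constructed sample messages (not taken from the bug report).
ONLY_FROM = "From: user@example.com\nSubject: test\n\nbody\n"
WITH_SENDER = (
    "Sender: abc@other.com\n"
    "From: user@example.com\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("only From", ONLY_FROM), ("Sender + From", WITH_SENDER)):
        print(name, pra_view(raw))
```

A message filter or log review can use the `mismatch` flag to single out mail whose From: domain was never the one evaluated.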