[Owasp-board] SPF records added for lists.owasp.org

Matt Tesauro matt.tesauro at owasp.org
Sat Feb 22 06:45:54 UTC 2014


After an email conversation with Lucas Ferreira about some complaints he
had from "people" complaining about being forcibly added to an OWASP
list, I went ahead and added SPF records [1] for lists.owasp.org.

Looking into the two addresses he sent me, both showed a couple of email
requests to unsubscribe but neither was a member of any list on our
Mailman install.

On the off chance someone was spoofing email from lists.owasp.org, I set up
the SPF record and confirmed it is available and passes checks - using an
SPF verification site [2] as well as sending a test post to a list and
looking at the reply headers:
[snip]

Received-SPF: pass (google.com: domain of
openstack_security_project-bounces at lists.owasp.org designates
162.209.12.188 as permitted sender) client-ip=162.209.12.188;

[snip]

I don't expect any negative impacts on legit users of our lists but wanted
to let you know in case someone has problems, notices the SPF addition or
asks.

Cheers!

[1] http://en.wikipedia.org/wiki/Sender_Policy_Framework

[2]
http://mxtoolbox.com/SuperTool.aspx?action=spf%3alists.owasp.org&run=toolpage

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
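
Added example, not part of the original message: a Python sketch of the header check described above, reading the Received-SPF header of a delivered message and reporting the recorded result and client IP. The sample messages, the list name and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Result keywords defined for Received-SPF in RFC 7208, section 9.1.
SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}

# Constructed sample messages. The first mirrors the header quoted in the post
# (list name made up); the second is a made-up failure from a documentation IP.
SAMPLE_PASS = (
    "Received-SPF: pass (google.com: domain of\n"
    " example-list-bounces@lists.owasp.org designates\n"
    " 162.209.12.188 as permitted sender) client-ip=162.209.12.188;\n"
    "Subject: test post\n\nbody\n"
)
SAMPLE_FAIL = (
    "Received-SPF: fail (google.com: domain of\n"
    " someone@lists.owasp.org does not designate\n"
    " 203.0.113.7 as permitted sender) client-ip=203.0.113.7;\n"
    "Subject: spoofed\n\nbody\n"
)

def parse_received_spf(raw_message):
    """Return one dict per Received-SPF header, topmost first."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for value in msg.get_all("Received-SPF", []):
        text = " ".join(str(value).split())  # collapse folded whitespace
        m = re.match(r"(\w+)\s*(?:\(([^)]*)\))?\s*(.*)", text)
        result = m.group(1).lower() if m else "unparsed"
        if result not in SPF_RESULTS:
            result = "unparsed"
        # key=value pairs such as client-ip follow the free-form comment
        pairs = dict(re.findall(r"([\w-]+)=([^;\s]+)", m.group(3) if m else ""))
        findings.append({"result": result, "comment": m.group(2) if m else None, **pairs})
    return findings

def topmost_spf_result(raw_message):
    """Result from the first Received-SPF header, or 'missing' if there is none.

    Assumption: the topmost header was added by your own receiving server;
    headers further down may have been supplied by the sender.
    """
    findings = parse_received_spf(raw_message)
    return findings[0]["result"] if findings else "missing"

if __name__ == "__main__":
    for sample in (SAMPLE_PASS, SAMPLE_FAIL):
        print(topmost_spf_result(sample), parse_received_spf(sample)[0].get("client-ip"))
```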