[Owasp-board] SPF records added for lists.owasp.org

Matt Tesauro matt.tesauro at owasp.org
Sat Feb 22 06:45:54 UTC 2014

After an email conversation with Lucas Ferreira about some complaints he
had from "people" complaining about being force-ably added to an OWASP
list, I went ahead and added SPF records [1] for lists.owasp.org.

Looking into the two address he sent me, both showed a couple email
requests to unsubscribe but neither were a member of any list on our
Mailman install.

On the off chance, someone was spoofing email from lists.owasp.org, I setup
the SPF record and confirmed it is available and passes checks - using a
SPF verification site [2] as well as sending a test post to a list and
looking at the reply headers:

Received-SPF: pass (google.com: domain of
openstack_security_project-bounces at lists.owasp.org designates as permitted sender) client-ip=;


I don't expect any negative impacts on legit users of our lists but wanted
to let you know in case someone has problems, notices the SPF addition or


[1] http://en.wikipedia.org/wiki/Sender_Policy_Framework


-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140222/db289f97/attachment.html>

More information about the Owasp-board mailing list