Posted to users@spamassassin.apache.org by Res <re...@ausics.net> on 2010/01/20 01:19:14 UTC

RCVD_ILLEGAL_IP Question

Greetings,

Can anyone tell me how the bogon list in this rule is updated?
Does it query a live bogon DNS server? The wiki does not explain or say 
much at all about it.

Thanks

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: RCVD_ILLEGAL_IP Question

Posted by Res <re...@ausics.net>.
On Wed, 20 Jan 2010, Henrik K wrote:

> DNS checks would be overkill for a list that doesn't change that often.
>
> http://www.team-cymru.org/Services/Bogons/ has good info,

Yes agreed, we have used Robs templates for a long time :)


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: RCVD_ILLEGAL_IP Question

Posted by Res <re...@ausics.net>.
On Thu, 21 Jan 2010, Mike Cardwell wrote:

> RCVD_ILLEGAL_IP is currently ranking 289th in my SpamAssassin rule statistics 
> having triggered on only 79 out of the last 66657 emails. Is such an 
> infrequently triggering rule worth having a dedicated DNS based lookup 
> system?

This is likely because it only looks at a tiny subset of all bogon ranges; if 
it covered all of them, you might find it a bit higher, maybe not, who 
knows since it doesn't look at 90% of them.

But I agree with Henrik in that a ruleset updatable by updates.spamas...
would be a better way to go.

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: RCVD_ILLEGAL_IP Question

Posted by Mike Cardwell <sp...@lists.grepular.com>.
On 21/01/2010 11:59, Per Jessen wrote:

>>>> DNS checks would be overkill for a list that doesn't change that
>>>> often.
>>>
>>> Overkill yes, but "affordable", especially with results being cached.
>>> Personally I would favor DNS for data that _does_ change, even if
>>> only very rarely.
>>
>> It just doesn't make sense. Do you know how many requests they would
>> be flooded with if it was default SA option? It would query _all_
>> untrusted ip and by -clauses in Received path? How is that
>> "affordable"?
>
> Well, it obviously depends on your setup, but even if you don't have
> your own DNS, the results can be cached locally (nscd), so the overhead
> is still not a lot (IMHO).

For individual mail servers doing DNS lookups, the overhead isn't a lot. 
But the overhead for the person running the DNS system which serves the 
data, is extremely large. Multiply the number of spamassassin 
installations by the number of IPs they each look up per day. What is 
that? Hundreds of millions of lookups? More? How many servers would be 
needed to supply that sort of traffic with minimal downtime?

RCVD_ILLEGAL_IP is currently ranking 289th in my SpamAssassin rule 
statistics having triggered on only 79 out of the last 66657 emails. Is 
such an infrequently triggering rule worth having a dedicated DNS based 
lookup system?

It's *much* more sensible to just push out the changes with sa-update.

-- 
Mike Cardwell    : UK based IT Consultant, LAMP developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/       #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/
Spamalyser       : Spam Tool  - http://spamalyser.com/

Re: RCVD_ILLEGAL_IP Question

Posted by Henrik K <he...@hege.li>.
On Thu, Jan 21, 2010 at 12:59:49PM +0100, Per Jessen wrote:
> Henrik K wrote:
> 
> > On Thu, Jan 21, 2010 at 11:59:25AM +0100, Per Jessen wrote:
> >> Henrik K wrote:
> >> 
> >> > On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
> >> >> On Wed, 20 Jan 2010, Henrik K wrote:
> >> >>
> >> >>>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
> >> >>>>>
> >> >>>>> Thats crazy!  It's wrong since 1/8 is now allocated, it also
> >> >>>>> does not detect most other bogon ranges, What is the point of
> >> >>>>> this... Another rule I now need to disable.
> >> >>>>
> >> >>>> Please open a bug...
> >> >>>
> >> >>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
> >> >>
> >> >> Thanks for logging that.
> >> >>
> >> >> I do think we need a better way to catch them, including the other
> >> >> 20 or so plus bogon ranges it currently ignores. I can see where
> >> >> DNS checks would be better suited (bogons.cymru.com), or, at the
> >> >> very least, a ruleset, which can be updated in the "daily updates
> >> >> run" when new ranges are allocated.
> >> > 
> >> > DNS checks would be overkill for a list that doesn't change that
> >> > often.
> >> 
> >> Overkill yes, but "affordable", especially with results being cached.
> >> Personally I would favor DNS for data that _does_ change, even if
> >> only very rarely.
> > 
> > It just doesn't make sense. Do you know how many requests they would
> > be flooded with if it was default SA option? It would query _all_
> > untrusted ip and by -clauses in Received path? How is that
> > "affordable"?
> 
> Well, it obviously depends on your setup, but even if you don't have
> your own DNS, the results can be cached locally (nscd), so the overhead
> is still not a lot (IMHO).
> Anyway, like I said, it's just my personal preference.

If it's your preference, you are free to use it such way and code a plugin
for it (it can't be made to work without mods/plugin currently). They do
offer free zone transfers, so it's not that bad. But disregarding personal
preferences, it makes no sense to use DNS generally for this list.


Re: RCVD_ILLEGAL_IP Question

Posted by Per Jessen <pe...@computer.org>.
Henrik K wrote:

> On Thu, Jan 21, 2010 at 11:59:25AM +0100, Per Jessen wrote:
>> Henrik K wrote:
>> 
>> > On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
>> >> On Wed, 20 Jan 2010, Henrik K wrote:
>> >>
>> >>>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>> >>>>>
>> >>>>> Thats crazy!  It's wrong since 1/8 is now allocated, it also
>> >>>>> does not detect most other bogon ranges, What is the point of
>> >>>>> this... Another rule I now need to disable.
>> >>>>
>> >>>> Please open a bug...
>> >>>
>> >>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
>> >>
>> >> Thanks for logging that.
>> >>
>> >> I do think we need a better way to catch them, including the other
>> >> 20 or so plus bogon ranges it currently ignores. I can see where
>> >> DNS checks would be better suited (bogons.cymru.com), or, at the
>> >> very least, a ruleset, which can be updated in the "daily updates
>> >> run" when new ranges are allocated.
>> > 
>> > DNS checks would be overkill for a list that doesn't change that
>> > often.
>> 
>> Overkill yes, but "affordable", especially with results being cached.
>> Personally I would favor DNS for data that _does_ change, even if
>> only very rarely.
> 
> It just doesn't make sense. Do you know how many requests they would
> be flooded with if it was default SA option? It would query _all_
> untrusted ip and by -clauses in Received path? How is that
> "affordable"?

Well, it obviously depends on your setup, but even if you don't have
your own DNS, the results can be cached locally (nscd), so the overhead
is still not a lot (IMHO).
Anyway, like I said, it's just my personal preference.


/Per Jessen, Zürich


Re: RCVD_ILLEGAL_IP Question

Posted by Henrik K <he...@hege.li>.
On Thu, Jan 21, 2010 at 11:59:25AM +0100, Per Jessen wrote:
> Henrik K wrote:
> 
> > On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
> >> On Wed, 20 Jan 2010, Henrik K wrote:
> >>
> >>>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
> >>>>>
> >>>>> Thats crazy!  It's wrong since 1/8 is now allocated, it also does
> >>>>> not detect most other bogon ranges, What is the point of this...
> >>>>> Another rule I now need to disable.
> >>>>
> >>>> Please open a bug...
> >>>
> >>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
> >>
> >> Thanks for logging that.
> >>
> >> I do think we need a better way to catch them, including the other
> >> 20 or so plus bogon ranges it currently ignores. I can see where DNS
> >> checks would be better suited (bogons.cymru.com), or, at the very
> >> least, a ruleset, which can be updated in the "daily updates run"
> >> when new ranges are allocated.
> > 
> > DNS checks would be overkill for a list that doesn't change that
> > often.
> 
> Overkill yes, but "affordable", especially with results being cached. 
> Personally I would favor DNS for data that _does_ change, even if only
> very rarely.

It just doesn't make sense. Do you know how many requests they would be
flooded with if it was default SA option? It would query _all_ untrusted ip
and by -clauses in Received path? How is that "affordable"?

There is even a mailing list for updates in the list (which happen only
every few months). It's hardly a problem for few SA devs to subscribe and
update as needed. It's common expectation to sa-update daily.


Re: RCVD_ILLEGAL_IP Question

Posted by Per Jessen <pe...@computer.org>.
Henrik K wrote:

> On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
>> On Wed, 20 Jan 2010, Henrik K wrote:
>>
>>>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>>>>>
>>>>> Thats crazy!  It's wrong since 1/8 is now allocated, it also does
>>>>> not detect most other bogon ranges, What is the point of this...
>>>>> Another rule I now need to disable.
>>>>
>>>> Please open a bug...
>>>
>>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
>>
>> Thanks for logging that.
>>
>> I do think we need a better way to catch them, including the other
>> 20 or so plus bogon ranges it currently ignores. I can see where DNS
>> checks would be better suited (bogons.cymru.com), or, at the very
>> least, a ruleset, which can be updated in the "daily updates run"
>> when new ranges are allocated.
> 
> DNS checks would be overkill for a list that doesn't change that
> often.

Overkill yes, but "affordable", especially with results being cached. 
Personally I would favor DNS for data that _does_ change, even if only
very rarely.


/Per Jessen, Zürich


Re: RCVD_ILLEGAL_IP Question

Posted by Henrik K <he...@hege.li>.
On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
> On Wed, 20 Jan 2010, Henrik K wrote:
>
>>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>>>>
>>>> Thats crazy!  It's wrong since 1/8 is now allocated, it also does not
>>>> detect most other bogon ranges, What is the point of this...
>>>> Another rule I now need to disable.
>>>
>>> Please open a bug...
>>
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
>
> Thanks for logging that.
>
> I do think we need a better way to catch them, including the other
> 20 or so plus bogon ranges it currently ignores. I can see where DNS  
> checks would be better suited (bogons.cymru.com), or, at the very least,
> a ruleset, which can be updated in the "daily updates run" when new
> ranges are allocated.

DNS checks would be overkill for a list that doesn't change that often.

http://www.team-cymru.org/Services/Bogons/ has good info, I'll probably open
up a new bug for improving RCVD_ILLEGAL_IP after it isn't hardcoded
anymore..


Re: RCVD_ILLEGAL_IP Question

Posted by Res <re...@ausics.net>.
On Wed, 20 Jan 2010, Henrik K wrote:

>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>>>
>>> Thats crazy!  It's wrong since 1/8 is now allocated, it also does not
>>> detect most other bogon ranges, What is the point of this...
>>> Another rule I now need to disable.
>>
>> Please open a bug...
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295

Thanks for logging that.

I do think we need a better way to catch them, including the other
20 or so plus bogon ranges it currently ignores. I can see where DNS 
checks would be better suited (bogons.cymru.com), or, at the very least,
a ruleset, which can be updated in the "daily updates run" when new
ranges are allocated.



--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: RCVD_ILLEGAL_IP Question

Posted by Henrik K <he...@hege.li>.
On Tue, Jan 19, 2010 at 08:00:46PM -0800, John Hardin wrote:
> On Wed, 20 Jan 2010, Res wrote:
>
>> On Wed, 20 Jan 2010, RW wrote:
>>
>>>  It appears to be just a regular expression:
>>
>>>  sub check_for_illegal_ip {
>>>   my ($self, $pms) = @_;
>>>
>>>   foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
>>>     # (note this might miss some hits if the Received.pm skips any invalid IPs)
>>>     foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
>>>       return 1 if ($check =~ /^
>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>>
>> Thats crazy!  It's wrong since 1/8 is now allocated, it also does not 
>> detect most other bogon ranges, What is the point of this...
>> Another rule I now need to disable.
>
> Please open a bug...

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295


Re: RCVD_ILLEGAL_IP Question

Posted by John Hardin <jh...@impsec.org>.
On Wed, 20 Jan 2010, Res wrote:

> On Wed, 20 Jan 2010, RW wrote:
>
>>  It appears to be just a regular expression:
>
>>  sub check_for_illegal_ip {
>>   my ($self, $pms) = @_;
>>
>>   foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
>>     # (note this might miss some hits if the Received.pm skips any invalid IPs)
>>     foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
>>       return 1 if ($check =~ /^
>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>
> Thats crazy!  It's wrong since 1/8 is now allocated, it also does not detect 
> most other bogon ranges, What is the point of this...
> Another rule I now need to disable.

Please open a bug...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where are my space habitats? Where is my flying car?
   It's 2010 and all I got from the SF books of my youth is
   the lousy dystopian government.                         -- perlhaqr
-----------------------------------------------------------------------
  4 days until John Moses Browning's 155th Birthday

Re: RCVD_ILLEGAL_IP Question

Posted by Res <re...@ausics.net>.
On Wed, 20 Jan 2010, RW wrote:


> It appears to be just a regular expression:

>
> sub check_for_illegal_ip {
>  my ($self, $pms) = @_;
>
>  foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
>    # (note this might miss some hits if the Received.pm skips any invalid IPs)
>    foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
>      return 1 if ($check =~ /^
>        (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+

That's crazy!  It's wrong since 1/8 is now allocated, it also does not 
detect most other bogon ranges, What is the point of this...
Another rule I now need to disable.


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: RCVD_ILLEGAL_IP Question

Posted by RW <rw...@googlemail.com>.
On Wed, 20 Jan 2010 10:19:14 +1000 (EST)
Res <re...@ausics.net> wrote:

> Greetings,
> 
> Can anyone tell me how the bogon list in this rule is updated?
> Does it query a live bogon DNS server? The wiki does not explain or
> say much at all about it.
> 
> Thanks
> 

It appears to be just a regular expression:

sub check_for_illegal_ip {
  my ($self, $pms) = @_;

  foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
    # (note this might miss some hits if the Received.pm skips any invalid IPs)
    foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
      return 1 if ($check =~ /^
        (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
        $/x);
    }
  }
  return 0;
}
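As an added illustration, not code from this thread or from SpamAssassin: a Python transcription of the regex quoted above, placed next to a prefix-list check built on the standard `ipaddress` module, so the two can be compared on the same inputs. The prefix list is my own selection of the well-known reserved blocks (RFC 1918, loopback, link-local, the TEST-NETs, multicast, class E and so on), not the Team Cymru bogon list the thread links to; the relay records and sample addresses are constructed. It makes concrete what Res and Henrik argue: the hard-coded regex still flags the now-allocated 1/8, while missing RFC 1918 and most other reserved space, and only a maintained list (whatever the delivery mechanism) fixes both problems.

```python
import ipaddress
import re

# The pattern from check_for_illegal_ip, transcribed from Perl's /x form into one
# Python pattern.  The unescaped dots in "127.0.0." are kept as-is so behaviour
# matches the original: "." matches any character there, not just a literal dot.
ILLEGAL_IP_RE = re.compile(
    r"^(?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+$",
    re.ASCII,
)

# Assumed prefix list: well-known reserved IPv4 space.  In production this would be
# refreshed from an authoritative source (e.g. the Team Cymru list named in the
# thread) rather than hard-coded, which is the whole point of the discussion.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

DOTTED_QUAD_RE = re.compile(r"\d+\.\d+\.\d+\.\d+", re.ASCII)


def regex_illegal(addr: str) -> bool:
    """Replicates the quoted rule: True when the regex matches the address."""
    return ILLEGAL_IP_RE.match(addr) is not None


def prefix_bogon(addr: str) -> bool:
    """Prefix-list check.  Non-dotted-quad strings (hostnames in by=, IPv6) are
    out of scope here and return False; a dotted quad with an octet > 255 cannot
    be a real address, so it is reported as bogus just as the regex would."""
    if DOTTED_QUAD_RE.fullmatch(addr) is None:
        return False
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return True
    return any(ip in net for net in BOGON_PREFIXES)


def check_for_illegal_ip(relays, checker=prefix_bogon) -> bool:
    """Mirror of the Perl loop: inspect ip= and by= of every untrusted relay and
    stop at the first hit.  `checker` selects which test is applied."""
    for rcvd in relays:
        for check in (rcvd.get("ip", ""), rcvd.get("by", "")):
            if checker(check):
                return True
    return False


def compare(samples):
    """Map each sample address to (regex verdict, prefix-list verdict)."""
    return {addr: (regex_illegal(addr), prefix_bogon(addr)) for addr in samples}


# Constructed samples.  1.2.3.4 is the 1/8 case raised in the thread; 127.0.0.x is
# deliberately excluded by the regex's lookahead but is loopback to the prefix list.
SAMPLES = [
    "1.2.3.4", "10.1.2.3", "192.168.1.1", "127.0.0.1", "127.1.2.3",
    "8.8.8.8", "300.1.1.1", "240.1.2.3", "224.0.0.1",
]

# Constructed untrusted-relay records in the shape the Perl code iterates over.
RELAYS = [
    {"ip": "8.8.8.8", "by": "mx.example.net"},
    {"ip": "10.1.2.3", "by": "192.0.2.10"},
]

if __name__ == "__main__":
    for addr, (by_regex, by_prefix) in compare(SAMPLES).items():
        print(f"{addr:>12}  regex={by_regex!s:5}  prefix-list={by_prefix}")
    print("relays, regex     :", check_for_illegal_ip(RELAYS, regex_illegal))
    print("relays, prefix-list:", check_for_illegal_ip(RELAYS, prefix_bogon))
```

Running it shows the two checks agreeing only on the trivially bad cases (multicast, class E, octets above 255) and disagreeing on exactly the addresses the thread is about: the regex fires on 1.2.3.4 and stays silent on the two RFC 1918 relays, so the constructed relay chain is flagged by the prefix list and passed by the regex. Because `prefix_bogon` reads its ranges from a list, swapping in an updated list changes the verdicts without touching any pattern.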