Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2012/11/05 12:24:36 UTC

[Bug 6860] New: incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

          Priority: P2
            Bug ID: 6860
          Assignee: dev@spamassassin.apache.org
           Summary: incorrectly treats "Received: from .* by .* with
                    HTTP;" as authenticated
          Severity: minor
    Classification: Unclassified
                OS: All
          Reporter: helmut@subdivi.de
          Hardware: All
            Status: NEW
           Version: SVN Trunk (Latest Devel Version)
         Component: Libraries
           Product: Spamassassin

Spamassassin incorrectly treats any message received "with HTTP" as
authenticated. See this comment from SpamAssassin/Message/Metadata/Received.pm.

# with HTTP should only be authenticated webmail sessions

While this may have been true in the past, it is technically incorrect. A valid
use case of spamassassin is to put up an unauthenticated web form generating
emails and filtering them with spamassassin. However, all those messages are
marked as ALL_TRUSTED, because the logic below the comment fires:

if (/ by / && / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?: |$)/i) {
  $auth = $1;
}

Due to the technically correct "with HTTP" the message is marked as
authenticated and DNS blacklist checks are skipped. As a workaround one can
change the header to "with UNAUTHENTICATED-HTTP" in the mail-generating
software and evade the above logic.

Ironically spamassassin treats "with HTTPS" as unauthenticated.

-- 
You are receiving this mail because:
You are the assignee for the bug.
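
The check quoted in the report above, run over a few Received header values, as an added example that is not part of the original post or of the SpamAssassin code base. The headers are constructed, and stripping the trailing date before matching is an assumption of this example, not a statement about how Received.pm prepares the line.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Returns the matched "with" keyword if the check quoted in the report
# would set $auth for this Received header value, otherwise undef.
sub auth_keyword {
    my ($received) = @_;
    local $_ = $received;
    # Assumption of this example: the trailing "; <date>" is removed first,
    # because the pattern needs a space or end of string after the keyword.
    s/\s*;[^;]*$//;
    my $auth;
    if (/ by / && / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?: |$)/i) {
        $auth = $1;
    }
    return $auth;
}

# Constructed sample headers; hosts and addresses are documentation values.
my $date = 'Mon, 5 Nov 2012 12:00:00 +0000';
my @samples = (
    [ 'authenticated SMTP submission',
      "from client.example.net ([192.0.2.10]) by mx.example.org with ESMTPSA id abc123; $date" ],
    [ 'plain MX handover',
      "from relay.example.com ([203.0.113.5]) by mx.example.org with ESMTP id def456; $date" ],
    [ 'webmail naming its user, HTTP',
      "from 192.0.2.20 (SquirrelMail authenticated user alice) by webmail.example.org with HTTP; $date" ],
    [ 'unauthenticated web form, HTTP',
      "from 198.51.100.7 by www.example.org with HTTP; $date" ],
    [ 'same web form over HTTPS',
      "from 198.51.100.7 by www.example.org with HTTPS; $date" ],
    [ 'workaround keyword from the report',
      "from 198.51.100.7 by www.example.org with UNAUTHENTICATED-HTTP; $date" ],
);

# Print which samples the check would mark as authenticated.
for my $s (@samples) {
    my ($label, $header) = @$s;
    my $auth = auth_keyword($header);
    printf "%-36s auth=%s\n", $label, defined $auth ? $auth : '(none)';
}
```

The webmail and web form samples differ only in the parenthesised user comment, which the check never looks at, so both come out with the same keyword.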

[Bug 6860] incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

--- Comment #6 from Helmut Grohne <he...@subdivi.de> ---
(In reply to comment #4)
> Spamassassin is designed for filtering email, not for filtering web forms.
> Breaking correct behaviour on webmail to get more aggressive filtering on
> forms is not sensible.

Maybe I was not clear on this aspect. I am not asking for simply removing HTTP
from the regular expression. Fixing one minor bug and thereby introducing
numbers of new bugs is not a solution. Instead this logic should be refined to
distinguish authenticated web mail from unauthenticated form submission. For
instance SquirrelMail explicitly mentions the user submitting a mail.

The expression likely needs refinement in the HTTPS direction as well. Mail
submitted via a secure web mail service that outputs a technically correct
"with HTTPS" would currently not be detected as submission, but as handover
instead.


[Bug 6860] incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

--- Comment #4 from RW <rw...@googlemail.com> ---
The reason that lists like PSBL have such a low effective FP rate is that when
a listed dynamic IP address is reassigned, it's reassigned to a machine that
shouldn't be delivering to MX anyway. When SA used to run more deep tests it
produced inferior results. 

Spamassassin is designed for filtering email, not for filtering web forms.
Breaking correct behaviour on webmail to get more aggressive filtering on forms
is not sensible.


[Bug 6860] incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

RW <rw...@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rwmaillists@googlemail.com

--- Comment #1 from RW <rw...@googlemail.com> ---
Testing for authentication is done to distinguish between submission and MX
handover on servers that perform both functions. It's not possible for an MX
handover to be done by HTTP so there doesn't appear to be anything wrong here
beyond unfortunate terminology.


[Bug 6860] incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kmcgrail@pccc.com

--- Comment #5 from Kevin A. McGrail <km...@pccc.com> ---
(In reply to comment #4)
> The reason that lists like PSBL have such a low effective FP rate is that
> when a listed dynamic IP address is reassigned, it's reassigned to a machine
> that shouldn't be delivering to MX anyway. When SA used to run more deep
> tests it produced inferior results. 
> 
> Spamassassin is designed for filtering email, not for filtering web forms.
> Breaking correct behaviour on webmail to get more aggressive filtering on
> forms is not sensible.

SA is also an API so I would not pigeonhole it so quickly...


[Bug 6860] incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

--- Comment #2 from RW <rw...@googlemail.com> ---
I should add that the point of testing for submission is that most DNS
blacklists are unreliable on dynamic IP addresses. There's no difference here
between excluding a machine that runs a mail client and excluding a machine
running a browser.


[Bug 6860] incorrectly treats "Received: from .* by .* with HTTP;" as authenticated

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860

Helmut Grohne <he...@subdivi.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |helmut@subdivi.de

--- Comment #3 from Helmut Grohne <he...@subdivi.de> ---
So $auth tells us that HTTP was used for submission and not for handover. What
does this tell us? That the sender surely is a good guy? That assumption seems
flawed. Fact is that as soon as $auth is defined, DNS tests are skipped and
ALL_TRUSTED matches. Changing terminology is hardly going to fix this behavior.

So you say DNS blacklists would blacklist any user. For starters maybe you
could back your statement with data. A quick query on PSBL for three dynamic
IPs I used today turned up that none of them is listed. Typically those lists move
very fast. So maybe they aren't that bad?
