Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/06/24 13:52:19 UTC

[Bug 4425] New: numeric hello in Received headers fools spamassassin

http://bugzilla.spamassassin.org/show_bug.cgi?id=4425

           Summary: numeric hello in Received headers fools spamassassin
           Product: Spamassassin
           Version: 3.0.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: spamassassin
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: sliwa@blue.cft.edu.pl


The whitelist_from_rcvd can be fooled by a numeric hello response with an IP of
a whitelisted host.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2005-06-26 04:47 -------
Created an attachment (id=2958)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2958&action=view)
local.cf





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2005-06-25 11:57 -------
Created an attachment (id=2957)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2957&action=view)
sample message spamassassin debug output





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2005-06-26 04:47 -------
Created an attachment (id=2959)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2959&action=view)
user_prefs





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2005-06-25 11:56 -------
Created an attachment (id=2956)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2956&action=view)
sample message spamassassin output





[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From jm@jmason.org  2005-09-20 23:22 -------
aaaah, I get it now!  Yes, Bob's patch is correct.   +1




[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From Bob@Menschel.net  2005-07-16 18:08 -------
Created an attachment (id=3025)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=3025&action=view)
proposed patch 

This proposed patch causes the "check whitelist_from_rcvd against trusted
nodes" to be skipped if there are any untrusted nodes. It seems to work on my
system. I don't know whether it covers default rules as well as non-default.
Needs to be very carefully checked for ripple effect.




[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From Bob@Menschel.net  2005-06-25 17:22 -------
In your debug output, I read
> debug: metadata: X-Spam-Relays-Trusted: [ ip=148.81.44.1
> rdns=sigma.ifpan.edu.pl helo=sigma.ifpan.edu.pl by=theta1.cft.edu.pl ident=
> envfrom= intl=1 id=j5OBfH110924 auth= ]
> debug: metadata: X-Spam-Relays-Untrusted: [ ip=219.159.45.125 rdns=148.81.44.1
> helo=148.81.44.1 by=sigma.ifpan.edu.pl ident= envfrom= intl=0 id=j5OBi5Va024353
> auth= ] [ ip=95.168.208.178 rdns=dns7paypal.com helo=dns7paypal.com
> by=sx02-o89.paypal.com ident= envfrom= intl=0 id= auth= ] [ ip=127.0.0.1
> rdns=paypal.com helo=paypal.com by=dns ident= envfrom= intl=0 id=W11L986 auth= ]
to mean that your last received header, 
> Received: from sigma.ifpan.edu.pl (sigma.ifpan.edu.pl [148.81.44.1]) by
> theta1.cft.edu.pl (8.11.6/8.11.6) with ESMTP id j5OBfH110924 for
> <sl...@theta1.cft.edu.pl>; Fri, 24 Jun 2005 13:41:25 +0200
is the only one trusted. 

The system also correctly sees
> debug: forged-HELO: from=148.81.44.1 helo=148.81.44.1 by=ifpan.edu.pl
> debug: forged-HELO: massive mismatch on IP-addr HELO: '148.81.44.1' !=
> '219.159.45.125'
> debug: forged-HELO: from=dns7paypal.com helo=dns7paypal.com by=paypal.com
> debug: forged-HELO: mismatch on from: '148.81.44.1' != 'paypal.com'

Scanning to the bottom of your debug output, I see
> debug: is spam? score=-76.942 required=6
> debug: tests=BAYES_95, DCC_CHECK, DIGEST_MULTIPLE, HTML_00_10, HTML_MESSAGE,
> MIME_HEADER_CTYPE_ONLY, NO_REAL_NAME, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
> RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO, SUBJ_YOUR_DEBT, URIBL_AB_SURBL,
> URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL, URIBL_WS_SURBL, USER_IN_WHITELIST

It does not indicate which entry matches the whitelist. Therefore, we need to
rule out matches against "From: Gene.kumar@ifpan.edu.pl" from a local *.cf file
on your system.  Can you check/post your files: 
/home/sliwa/etc/mail/spamassassin/local.cf
/home/sliwa/.spamassassin/user_prefs
for "whitelist_from" rules that might match this forged Sender line? 

Thanks. 





[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2006-01-10 08:54 -------
Created an attachment (id=3319)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3319&action=view)
another sample message





[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4425


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From spamassassin@dostech.ca  2006-01-10 10:13 -------
I'm not sure why you'd think that a version (3.0.4) released in June would
include a patch generated in September.

The upcoming release of 3.1.1 will include the patch, as does the current
development version.

Until then, feel free to use Bob's patch against your local installation.





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From kbarr216@yahoo.com  2005-07-18 16:19 -------
Created an attachment (id=3031)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=3031&action=view)
triggers 4425

Generated using 3.1.0-pre4-r208823 including the proposed patch.




[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


Bob@Menschel.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kbarr216@yahoo.com




------- Additional Comments From Bob@Menschel.net  2005-07-16 18:33 -------
*** Bug 4334 has been marked as a duplicate of this bug. ***




[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


duncf@debian.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|3.1.0                       |3.1.1







[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2005-08-14 11:31 -------
Created an attachment (id=3075)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=3075&action=view)
another message that possibly triggers this bug





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2005-06-24 04:54 -------
Created an attachment (id=2953)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2953&action=view)
sample message that triggers the bug





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


duncf@debian.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2953|application/octet-stream    |text/plain
          mime type|                            |







[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2006-01-10 08:53 -------
Created an attachment (id=3318)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3318&action=view)
sample message





[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From kbarr216@yahoo.com  2005-07-18 16:17 -------
I'm not sure if it's a duplicate or not, but it's a related issue.  I'm going to
send along attachments that trigger the bug even when the proposed patch is
applied.  

The patch DOES work when internal/trusted networks is correctly specified.  When
I don't specify them, however, the internal networks are not trusted and
whitelist_from_rcvd should fail.   The attachment includes a local.cf,
user_prefs, sample mail, and two outputs: one using internal_networks in
user_prefs, and one without.




[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


Bob@Menschel.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Bob@Menschel.net
           Severity|normal                      |critical
          Component|spamassassin                |Rules (Eval Tests)
           Keywords|triage                      |
   Target Milestone|Undefined                   |3.1.0
            Version|3.0.3                       |SVN Trunk (Latest Devel
                   |                            |Version)




------- Additional Comments From Bob@Menschel.net  2005-07-16 17:40 -------
When I run your message against your user_prefs, I get
X-Spam-Status: No, score=-89.9 required=6.0 tests=HTML_00_10,HTML_MESSAGE,
        MIME_HEADER_CTYPE_ONLY,NO_REAL_NAME,RCVD_HELO_IP_MISMATCH,
        RCVD_IN_WHOIS_BOGONS,RCVD_IN_WHOIS_INVALID,RCVD_NUMERIC_HELO,
        SUBJ_YOUR_DEBT,URIBL_OB_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST
        autolearn=no version=3.1.0-pre4-r208823
so yes, USER_IN_WHITELIST hits, in pre4 yet. Setting "version" flag to svn.

I don't know whether it's the numeric hello that's confusing SpamAssassin, or
the fact that your whitelist directive
> whitelist_from_rcvd *.edu.pl edu.pl
does match the one and only trusted Received header in your email, ignoring the
forged headers in the email. If the latter, then a
> whitelist_from_rcvd addr@domain.tld domain.tld
that matches the trusted header set should be ignored if there are any untrusted
headers after, indicating that the email comes from a different server. 

Since I agree this provides a means whereby whitelist_from_rcvd can be fooled,
I'm upping the severity to critical, and wouldn't complain if a dev upped it to
"block". 




[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From kbarr216@yahoo.com  2005-09-21 10:23 -------
(In reply to comment #15)
> +1 to Bob's patch -- it fixes the bug.
> 
> Ken's issue can't be avoided and is a side effect of not setting his
> trusted_networks manually (which I wish was mandatory).
> 
> Retitling since the bug has nothing to do with the helo IP.  The bug is that
> _check_whitelist_rcvd shouldn't look at trusted hosts if untrusted ones are
> present since forged mail "from" your domain will always match
> whitelist_from_rcvd entries for your own domain.

That sounds like a good description.  But shouldn't it go a little further and
require _check_whitelist_rcvd also return "no match" if there are *no* trusted
hosts?  IE, if one doesn't specify trusted_networks and mail reports itself to
be "from" my domain, it should never be able to reduce its score via a
whitelist_from_rcvd rule because there's no trusted header for which to attempt
a match.




[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From spamassassin@dostech.ca  2005-09-22 00:38 -------
Justin, myself and Bob makes three.

[dos@silver trunk]$ svn commit -m "bug 4425: ...
Sending        lib/Mail/SpamAssassin/EvalTests.pm
Transmitting file data .
Committed revision 290904.

[dos@silver 3.1]$ svn commit -m "bug 4425: ...
Sending        lib/Mail/SpamAssassin/EvalTests.pm
Transmitting file data .
Committed revision 290905.




[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425





------- Additional Comments From spamassassin@dostech.ca  2005-09-21 13:36 -------
Subject: Re:  [review] whitelist_from_rcvd shouldn't look at trusted
 headers if untrusted ones exist

Nope.  We can always trust the info from the first untrusted relay since 
our own host would have written it.

Further, in the manually set case, _check_whitelist_rcvd will always be 
correct.  In the auto-detect case there will always be a relay (we 
think) we can trust, so requiring such isn't necessary.






[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |normal




------- Additional Comments From jm@jmason.org  2005-07-23 15:15 -------
this is not critical and not a release blocker




[Bug 4425] numeric hello in Received headers fools spamassassin

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


Bob@Menschel.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |triage




------- Additional Comments From Bob@Menschel.net  2005-06-24 18:28 -------
Can you also attach a debug output? (spamassassin -D <testmessage >testout
2>debugout) 

I run SA (3.1 devel copy) against your message, and get 
X-Spam-Status: Yes, score=16.6 required=5.0 tests=HTML_00_10,HTML_MESSAGE,
        MIME_HEADER_CTYPE_ONLY,NO_REAL_NAME,RCVD_HELO_IP_MISMATCH,
        RCVD_IN_WHOIS_BOGONS,RCVD_IN_WHOIS_INVALID,RCVD_NUMERIC_HELO,
        SUBJ_YOUR_DEBT,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
        URIBL_WS_SURBL autolearn=spam version=3.1.0-pre2-r191258

The whitelist rule does not hit here.




[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2006-01-10 08:58 -------
Created an attachment (id=3320)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3320&action=view)
spamassassin output





[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4425


sliwa@blue.cft.edu.pl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |




------- Additional Comments From sliwa@blue.cft.edu.pl  2006-01-10 08:56 -------

It seems that the whitelisting is still fooled by forged Received headers. I
have attached two sample messages that are passed by the filter.

SpamAssassin version 3.0.4
  running on Perl version 5.8.5







[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4425





------- Additional Comments From sliwa@blue.cft.edu.pl  2006-01-10 08:59 -------
Created an attachment (id=3321)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3321&action=view)
spamassassin debug output





[Bug 4425] [review] whitelist_from_rcvd shouldn't look at trusted headers if untrusted ones exist

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4425


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |spamassassin@dostech.ca
            Summary|numeric hello in Received   |[review] whitelist_from_rcvd
                   |headers fools spamassassin  |shouldn't look at trusted
                   |                            |headers if untrusted ones
                   |                            |exist




------- Additional Comments From spamassassin@dostech.ca  2005-09-20 23:00 -------
+1 to Bob's patch -- it fixes the bug.

Ken's issue can't be avoided and is a side effect of not setting his
trusted_networks manually (which I wish was mandatory).

Retitling since the bug has nothing to do with the helo IP.  The bug is that
_check_whitelist_rcvd shouldn't look at trusted hosts if untrusted ones are
present since forged mail "from" your domain will always match
whitelist_from_rcvd entries for your own domain.



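
The relay selection discussed in this thread, as an added example that is not SpamAssassin's code or part of the original bug report: a simplified Python model of the whitelist_from_rcvd decision, run over the relay metadata quoted from the debug output above. The function names, the exact pre-patch candidate list and the suffix match on rdns are assumptions made for illustration.

```python
import fnmatch
import re

# Relay metadata as quoted from the reporter's debug output in this thread.
TRUSTED = (
    "[ ip=148.81.44.1 rdns=sigma.ifpan.edu.pl helo=sigma.ifpan.edu.pl "
    "by=theta1.cft.edu.pl ident= envfrom= intl=1 id=j5OBfH110924 auth= ]"
)
UNTRUSTED = (
    "[ ip=219.159.45.125 rdns=148.81.44.1 helo=148.81.44.1 "
    "by=sigma.ifpan.edu.pl ident= envfrom= intl=0 id=j5OBi5Va024353 auth= ] "
    "[ ip=95.168.208.178 rdns=dns7paypal.com helo=dns7paypal.com "
    "by=sx02-o89.paypal.com ident= envfrom= intl=0 id= auth= ] "
    "[ ip=127.0.0.1 rdns=paypal.com helo=paypal.com by=dns ident= "
    "envfrom= intl=0 id=W11L986 auth= ]"
)
SENDER = "Gene.kumar@ifpan.edu.pl"   # forged From: address named in the thread
RULE = ("*.edu.pl", "edu.pl")        # whitelist_from_rcvd *.edu.pl edu.pl


def parse_relays(meta):
    """Split an X-Spam-Relays-* value into one dict per [ ... ] block."""
    return [dict(re.findall(r"(\w+)=(\S*)", block))
            for block in re.findall(r"\[([^\]]*)\]", meta)]


def rdns_in_domain(rdns, domain):
    """True if rdns is the domain itself or a host below it (assumed match)."""
    rdns, domain = rdns.lower(), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from_rcvd(sender, rule, trusted, untrusted, patched):
    """Model of the whitelist decision before and after the fix."""
    addr_glob, domain = rule
    if not fnmatch.fnmatchcase(sender.lower(), addr_glob.lower()):
        return False
    if patched:
        # Fixed behaviour: the first untrusted relay was recorded by our own
        # host, so it decides; trusted relays count only when no untrusted
        # relay exists (mail that never left the trusted network).
        candidates = untrusted[:1] if untrusted else trusted
    else:
        # Pre-patch behaviour (assumed shape): trusted relays were consulted
        # even though the mail had entered from an untrusted host.
        candidates = untrusted[:1] + trusted
    return any(rdns_in_domain(r.get("rdns", ""), domain) for r in candidates)


def demo():
    trusted, untrusted = parse_relays(TRUSTED), parse_relays(UNTRUSTED)
    return {
        "before_patch": whitelist_from_rcvd(SENDER, RULE, trusted, untrusted, False),
        "after_patch": whitelist_from_rcvd(SENDER, RULE, trusted, untrusted, True),
        "internal_only": whitelist_from_rcvd(SENDER, RULE, trusted, [], True),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case}: USER_IN_WHITELIST {'hits' if hit else 'does not hit'}")
```

In this model the whitelist hits before the patch only because the single trusted relay has an rdns under edu.pl; after the patch the first untrusted relay (rdns=148.81.44.1) decides and the rule no longer matches.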