Posted to dev@spamassassin.apache.org by Greg Troxel <gd...@ir.bbn.com> on 2010/06/03 02:28:45 UTC

spamass-milter and avoiding PBL-type scores on authenticated senders

(Let me know if this is wrong on dev@ and should be on users.)

I have a machine running

  NetBSD 5
  spamassassin 3.3.1
  spamass-milter 0.3.1, rejecting at 8 points.
  milter-greylist 4.2.3
  postfix 2.7.0

and have up-to-date rules for sa proper, plus sought and khop_bl.  This
setup is basically running very well, with very low FP even in the 1-5
range, and low FN.

I send mail by connecting to submission/TLS and authenticating.  SA is
still running via milter on these submitted mails.  Until recently, I
didn't have any problems.  Then, mail from my phone started being
rejected, and also mail from a computer at home (VZ fios).
Looking at the logs, it's hitting on tests like:

  RCVD_IN_PBL,RCVD_IN_RP_RNBL,RDNS_DYNAMIC,S25R_1
  (AT&T iphone, 7 points)

and

  FH_HOST_EQ_VERIZON_P,KHOP_DNSBL_BUMP,RCVD_IN_PBL,
  RCVD_IN_SEMBLACK,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,S25R_1
  (vz, 9 points, more or less public access point)

I can certainly understand that direct-from-dsl mail is in general
suspect.  But in this case, it's authenticated from me, so it really
shouldn't get scored up because of PBL, being from verizon etc.  And I'd
like to give it some negative points for being authenticated.

Trying to figure this out, I'm obviously missing something.  I set
scores artificially low:

        score   FH_HOST_EQ_VERIZON_P    0.1
        score   RCVD_IN_PBL             0.1
        score   RCVD_IN_SORBS_DUL       0.1

and then sent a test message.  The test message hits ALL_TRUSTED and
none of the DUL rules when it is scanned before delivery to me.  Here
are the two spamd summaries:

  BAYES_20,FH_HOST_EQ_VERIZON_P,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,
  RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP (1 point, via milter)

  ALL_TRUSTED,BAYES_00 (-23, via spamc from procmail)

So it seems SA is parsing the received header that says it was
authenticated (I have "smtpd_sasl_authenticated_header = yes" set):

Received: from [[rfc1918-addr]] (pool-redacted.bstnma.fios.verizon.net [96.redacted])
        (using TLSv1 with cipher AES128-SHA (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: gdt@[redacted])
        by [redacted-my-box] (Postfix) with ESMTPSA id 9C29117CCC
        for <gdt@[redacted]>; Wed,  2 Jun 2010 20:10:32 -0400 (EDT)

and scoring sensibly:

X-Spam-Status: No, score=-23.9 required=1.0 tests=ALL_TRUSTED,BAYES_00 autolearn=no version=3.3.1

When spamass-milter processes a message, postfix has not yet added a
Received line.  So it fakes up one based on the milter variables for the
benefit of SA to know about the previous hop.

I can't find where the code is that recognizes authenticated sender - I
think understanding that is key to making sure the postfix/milter path
to make the synthetic received header for SA works right.  I've looked
in the installed perl and in the rules.

None of these links seem to address interaction with spamass-milter:

http://wiki.zimbra.com/wiki/Spamassassin_postfix_authenticated_users
http://madduck.net/blog/2006.06.30:postfix-auth-anonymisation/
http://adam.shand.net/iki/2008/getting_spamassassin_to_trust_authenticated_smtp_clients/

Do people think I just need to have spamass-milter fake up an
authenticated sender line?  Is this bothering others?  Is this happening
now because the scores for PBL/DUL/etc have become bigger recently, and
the message is getting dinged multiple times for being a customer/dialup
address, when perhaps it should only be dinged once?
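
An added illustration (not part of the original post, and not SpamAssassin's or spamass-milter's code): a simplified Python check for the two authentication markers visible in the Received header quoted above, the RFC 3848 "with ESMTPSA" keyword and Postfix's "(Authenticated sender: ...)" comment. It is run against that header and against a constructed header that lacks both; host names, addresses and the second header are made-up placeholders, not the milter's actual output.

```python
import re

# RFC 3848 "with" keywords that say SMTP AUTH was used on this hop.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)\b")
POSTFIX_AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")

def unfold(header):
    """Join folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())

def strip_comments(line):
    """Drop (possibly nested) parenthesised comments, so the
    'with cipher' inside the TLS comment is not read as the protocol."""
    out, depth = [], 0
    for ch in line:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def auth_evidence(received):
    """Report the authentication markers one Received header carries."""
    line = unfold(received)
    with_m = WITH_RE.search(strip_comments(line))
    protocol = with_m.group(1).upper() if with_m else None
    sender_m = POSTFIX_AUTH_RE.search(line)
    sender = sender_m.group(1).strip() if sender_m else None
    return {"protocol": protocol, "sender": sender,
            "authenticated": protocol in AUTH_PROTOCOLS or sender is not None}

# Constructed sample modelled on the header in the post (redactions filled
# with documentation-range placeholders).
AUTHENTICATED = (
    "from [10.0.0.5] (pool-198-51-100-7.example.net [198.51.100.7])\n"
    "\t(using TLSv1 with cipher AES128-SHA (128/128 bits))\n"
    "\t(No client certificate requested)\n"
    "\t(Authenticated sender: gdt@example.org)\n"
    "\tby mx.example.org (Postfix) with ESMTPSA id 9C29117CCC\n"
    "\tfor <gdt@example.org>; Wed,  2 Jun 2010 20:10:32 -0400 (EDT)")

# Constructed sample: the same hop described without any auth information.
NO_AUTH_INFO = (
    "from pool-198-51-100-7.example.net "
    "(pool-198-51-100-7.example.net [198.51.100.7])\n"
    "\tby mx.example.org (Postfix) with ESMTP; Wed,  2 Jun 2010 20:10:32 -0400")

if __name__ == "__main__":
    for name, hdr in (("authenticated", AUTHENTICATED), ("no auth", NO_AUTH_INFO)):
        print(name, auth_evidence(hdr))
```
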

Re: spamass-milter and avoiding PBL-type scores on authenticated senders

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-06-03 at 02:58 +0200, Karsten Bräckelmann wrote:
> The problem with spamass-milter and postfix not providing the necessary
> variables the milter expects by default, again? Check some recent bugs
> in bugzilla.

Bug 6403 comment 19.
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6403#c19

> (Getting late here, but I remember discussing this just the other day.)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: spamass-milter and avoiding PBL-type scores on authenticated senders

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-06-02 at 20:28 -0400, Greg Troxel wrote:
> (Let me know if this is wrong on dev@ and should be on users.)

IMHO, yes. Unless you can tell me why this would not belong to users.

>   spamass-milter 0.3.1, rejecting at 8 points.
>   postfix 2.7.0

> I send mail by connecting to submission/TLS and authenticating.  SA is
> still running via milter on these submitted mails.  Until recently, I
> didn't have any problems.  Then, mail from my phone started being
> rejected, and also mail from a computer at home (VZ fios).
> Looking at the logs, it's hitting on tests like:
> 
>   RCVD_IN_PBL,RCVD_IN_RP_RNBL,RDNS_DYNAMIC,S25R_1
>   (AT&T iphone, 7 points)

Submission, authenticated you said. It should hit ALL_TRUSTED. And no,
no PBL style blacklists at all.

> and then sent a test message.  The test message hits ALL_TRUSTED and
> none of the DUL rules when it is scanned before delivery to me.  Here
> are the two spamd summaries:
> 
>   BAYES_20,FH_HOST_EQ_VERIZON_P,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,
>   RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP (1 point, via milter)
> 
>   ALL_TRUSTED,BAYES_00 (-23, via spamc from procmail)

The problem with spamass-milter and postfix not providing the necessary
variables the milter expects by default, again? Check some recent bugs
in bugzilla.

(Getting late here, but I remember discussing this just the other day.)

> So it seems SA is parsing the received header that says it was
> authenticated (I have "smtpd_sasl_authenticated_header = yes" set):

> and scoring sensibly:
> 
> X-Spam-Status: No, score=-23.9 required=1.0 tests=ALL_TRUSTED,BAYES_00 autolearn=no version=3.3.1
> 
> When spamass-milter processes a message, postfix has not yet added a
> Received line.  So it fakes up one based on the milter variables for the
> benefit of SA to know about the previous hop.

Same as above.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}