Posted to users@spamassassin.apache.org by Cedric Knight <ce...@gn.apc.org> on 2010/12/09 21:18:45 UTC

HELO_DYNAMIC false positives on a UK web host

I noticed some bad false positives on email sent from certain web
servers that haven't (yet) been properly configured.  For example, a
trusted header line starting:

Received: from 94.229.160.4.srvlist.ukfast.net
(94.229.160.4.srvlist.ukfast.net [94.229.160.4])

looks to SpamAssassin like the dynamic IP address of a botnet, when it's
actually a perfectly valid mailout or form submission.  It hits
HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_SPLIT_IP, RCVD_NUMERIC_HELO and
TVD_RCVD_IP.

On the Bayes+network scores for SpamAssassin 3.3, this totals 8.948, and
on 3.2.5 it's 11.886.

IP addresses have been changed to protect the innocent, but the netblock
affected is 94.229.160.0/20, excluding some servers where the hostname
has been set to something descriptive.

I've emailed UKFast, but don't know when or if they will fix the
problem, so here are some workaround rules for anyone who might be affected:

header __HELO_DYNAMIC_UKFAST     X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+\.srvlist\.ukfast\.net /

meta COMPENSATE_BAD_HELO         (HELO_DYNAMIC_IPADDR2 && HELO_DYNAMIC_SPLIT_IP && __HELO_DYNAMIC_UKFAST)

describe COMPENSATE_BAD_HELO     HELO_DYNAMIC_* hit hard on poorly-chosen static rDNS/hostname
score COMPENSATE_BAD_HELO        -5.0

and also RDNS_DYNAMIC triggers on the reverse DNS, which in these cases
is identical with the hostname, so I've rewritten one subrule:

header __RDNS_STATIC             X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*(?:static|fixip|srvlist\.ukfast\.net)/i

-- 
All best wishes,

Cedric Knight
GreenNet

GreenNet supports and promotes groups and individuals working for
peace, human rights and the environment through the use of
information and communication technologies.

GreenNet, Development House, 56-64 Leonard Street, London EC2A 4LT
Tel: UK 0845 055 4011 (Intl +44) 20 7065 0935 Fax: 020 7253 0936
Registered in England No. 02070438 VAT Reg GB 473 0262 65
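A small harness, added here and not part of Cedric's post, that exercises the two posted regexes against constructed X-Spam-Relays-Untrusted records (the anonymised UKFast relay from the post plus made-up relays) and mirrors the meta rule's logic in Python. SpamAssassin evaluates these as Perl regexes inside its own pseudo-header, so this only checks pattern coverage before deployment, including the point that the `^[^\]]+` prefix confines both rules to the first untrusted relay.

```python
import re

# Constructed X-Spam-Relays-Untrusted records, in the "[ ip=... rdns=... helo=...
# by=... ]" shape SpamAssassin builds, one record per untrusted relay.
UKFAST_RELAY = ("[ ip=94.229.160.4 rdns=94.229.160.4.srvlist.ukfast.net "
                "helo=94.229.160.4.srvlist.ukfast.net by=mx.example.net "
                "ident= envfrom= intl=0 id=Aa1 auth= msa=0 ]")
DSL_RELAY = ("[ ip=203.0.113.77 rdns=77-113-0-203.dsl.example.net "
             "helo=77-113-0-203.dsl.example.net by=mx.example.net "
             "ident= envfrom= intl=0 id=Bb2 auth= msa=0 ]")
OTHER_RELAY = ("[ ip=198.51.100.9 rdns=relay.example.org "
               "helo=relay.example.org by=mx.example.net "
               "ident= envfrom= intl=0 id=Cc3 auth= msa=0 ]")

# Patterns copied from the posted rules. The trailing space in the HELO
# pattern is significant: it requires the hostname to end right before " by=".
HELO_DYNAMIC_UKFAST = re.compile(
    r"^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+\.srvlist\.ukfast\.net ")
RDNS_STATIC = re.compile(
    r"^[^\]]+ rdns=\S*(?:static|fixip|srvlist\.ukfast\.net)", re.I)

COMPENSATE_SCORE = -5.0  # score COMPENSATE_BAD_HELO from the post
STOCK_HITS = {"HELO_DYNAMIC_IPADDR2", "HELO_DYNAMIC_SPLIT_IP",
              "RCVD_NUMERIC_HELO", "TVD_RCVD_IP"}  # rules the post lists


def helo_dynamic_ukfast(relays_untrusted: str) -> bool:
    """__HELO_DYNAMIC_UKFAST: UKFast-style numeric HELO on the first relay."""
    return bool(HELO_DYNAMIC_UKFAST.search(relays_untrusted))


def rdns_static(relays_untrusted: str) -> bool:
    """Rewritten __RDNS_STATIC: treats the srvlist rDNS as static."""
    return bool(RDNS_STATIC.search(relays_untrusted))


def compensate_bad_helo(relays_untrusted: str, hits: set) -> float:
    """Mirror the meta rule: the -5.0 applies only when both stock HELO_DYNAMIC
    rules fired AND the first untrusted relay matches the UKFast pattern."""
    needed = {"HELO_DYNAMIC_IPADDR2", "HELO_DYNAMIC_SPLIT_IP"}
    if needed <= hits and helo_dynamic_ukfast(relays_untrusted):
        return COMPENSATE_SCORE
    return 0.0


if __name__ == "__main__":
    for name, rec in [("ukfast", UKFAST_RELAY), ("dsl", DSL_RELAY)]:
        print(name, compensate_bad_helo(rec, STOCK_HITS), rdns_static(rec))
```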


Re: HELO_DYNAMIC false positives on a UK web host

Posted by Anthony Cartmell <li...@fonant.com>.
> Anyway, why are *web* servers sending out mail at all?

My web servers are sending out mail all the time. From website contact  
forms, Forum notifications, pothole reports to local authorities, as well  
as sysadmin messages.

In fact I'd be more surprised to find web servers *not* sending out mail :)

Anthony
-- 
www.fonant.com - Quality web sites

Re: HELO_DYNAMIC false positives on a UK web host

Posted by Benny Pedersen <me...@junc.org>.
On tor 09 dec 2010 21:30:39 CET, Karsten Bräckelmann wrote
>> Received: from 94.229.160.4.srvlist.ukfast.net
>> (94.229.160.4.srvlist.ukfast.net [94.229.160.4])
> Looks like a dynamic hostname indeed.

but static ip range according to

http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=94.229.160.4&do_search=Search

>> I've emailed UKFast, but don't know when or if they will fix the
>> problem, so here are some workaround rules for anyone who might be affected:

problem is just to "fix" reverse dns to not be a dynamic hostname, it's
already static ip

> Constructive. I like that. :)

me2 :)

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: HELO_DYNAMIC false positives on a UK web host

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-12-09 at 23:02 +0100, Matus UHLAR - fantomas wrote:
> > Ah, so they are operational, just poorly configured. That's what you
> > just said in other words, right? :)
> > 
> > Anyway, why are *web* servers sending out mail at all? Other than maybe
> > cron junk and friends, which would warrant bypassing SA or extending
> > your internal network. If they are indeed intended to send out mail to
> > third-parties, they better be configured properly first.
> 
> web servers are often sending mail from web forms. If client can't choose the
> recipient address, it's safe.

*nod*  The "and friends" part I was referring to, worth extending your
internal network for. Those web-forms only send mail to the service's
owner, I hope.

> If the client can't choose the message text it's at least a bit safe.

That would be to third-parties. Regardless how hard abuse of that
service would be, proper mail environment is crucial. Which includes the
hostname.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: HELO_DYNAMIC false positives on a UK web host

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Thu, 2010-12-09 at 20:18 +0000, Cedric Knight wrote:
> > I noticed some bad false positives on email sent from certain web
> > servers that haven't (yet) been properly configured.  For example, a
> > trusted header line starting:
> 
> Ah, so they are operational, just poorly configured. That's what you
> just said in other words, right? :)
> 
> Anyway, why are *web* servers sending out mail at all? Other than maybe
> cron junk and friends, which would warrant bypassing SA or extending
> your internal network. If they are indeed intended to send out mail to
> third-parties, they better be configured properly first.

web servers are often sending mail from web forms. If client can't choose the
recipient address, it's safe. If the client can't choose the message text
it's at least a bit safe.

> > Received: from 94.229.160.4.srvlist.ukfast.net
> > (94.229.160.4.srvlist.ukfast.net [94.229.160.4])

On 09.12.10 21:30, Karsten Bräckelmann wrote:
> Looks like a dynamic hostname indeed.

it contains the IP in hostname and no evidence of being a static hostname. I
think this is correctly assumed to be dynamic.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet. 

Re: HELO_DYNAMIC false positives on a UK web host

Posted by John Hardin <jh...@impsec.org>.
On Thu, 9 Dec 2010, Karsten Bräckelmann wrote:

> On Thu, 2010-12-09 at 14:43 -0800, John Hardin wrote:
>>> It appears that a client can easily set up hosting using cPanel or
>>> something without ever setting the rDNS or hostname to anything other
>>> than the numeric default.
>>
>> Is there anything in the headers that indicates cpanel is in use? Perhaps
>> a meta on cpanel
>
> Proof a mail system has been set up and is being maintained by clicking
> through a simple UI system. Strong hint the operator doesn't know much
> about such systems, and likely not about properly securing auth either.
>
>> + dynamic-looking-rDNS would be worth a negative point or two...
>
> Plus proof the operator indeed doesn't know, or doesn't care. You think
> that's worth a negative score?

Probably not. Just throwing ideas out.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You cannot bring about prosperity by discouraging thrift. You
   cannot help small men by tearing down big men. You cannot
   strengthen the weak by weakening the strong. You cannot lift the
   wage-earner by pulling down the wage-payer. You cannot help the
   poor man by destroying the rich. You cannot keep out of trouble by
   spending more than your income. You cannot further the brotherhood
   of man by inciting class hatred. You cannot establish security on
   borrowed money. You cannot build character and courage by taking
   away men's initiative and independence. You cannot help men
   permanently by doing for them what they could and should do for
   themselves.                               -- William J. H. Boetcker
-----------------------------------------------------------------------
  6 days until Bill of Rights day

Re: HELO_DYNAMIC false positives on a UK web host

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 9 Dec 2010, Karsten Bräckelmann wrote:

> On Thu, 2010-12-09 at 14:43 -0800, John Hardin wrote:
> > > It appears that a client can easily set up hosting using cPanel or
> > > something without ever setting the rDNS or hostname to anything other
> > > than the numeric default.
> >
> > Is there anything in the headers that indicates cpanel is in use? Perhaps
> > a meta on cpanel
>
> Proof a mail system has been set up and is being maintained by clicking
> through a simple UI system. Strong hint the operator doesn't know much
> about such systems, and likely not about properly securing auth either.
>
> > + dynamic-looking-rDNS would be worth a negative point or two...
>
> Plus proof the operator indeed doesn't know, or doesn't care. You think
> that's worth a negative score?
>

Maybe not a true negative score but null out the HELO_DYNAMIC rules
score penalty. I.e. if it's running cpanel then strong probability that
it has a static IP address. (What's the point of running a server
with a dynamic address?)

The poor operator may be totally clueless about how his actual IP address
appears on the net.
He's some schmuck who bought a cheap hosting service for his business and
just did the point-and-click monkey dance to get his store on-line.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: HELO_DYNAMIC false positives on a UK web host

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-12-09 at 14:43 -0800, John Hardin wrote:
> > It appears that a client can easily set up hosting using cPanel or 
> > something without ever setting the rDNS or hostname to anything other 
> > than the numeric default.
> 
> Is there anything in the headers that indicates cpanel is in use? Perhaps 
> a meta on cpanel

Proof a mail system has been set up and is being maintained by clicking
through a simple UI system. Strong hint the operator doesn't know much
about such systems, and likely not about properly securing auth either.

> + dynamic-looking-rDNS would be worth a negative point or two...

Plus proof the operator indeed doesn't know, or doesn't care. You think
that's worth a negative score?



Re: HELO_DYNAMIC false positives on a UK web host

Posted by John Hardin <jh...@impsec.org>.
On Thu, 9 Dec 2010, Cedric Knight wrote:

> It appears that a client can easily set up hosting using cPanel or 
> something without ever setting the rDNS or hostname to anything other 
> than the numeric default.

Is there anything in the headers that indicates cpanel is in use? Perhaps 
a meta on cpanel + dynamic-looking-rDNS would be worth a negative point or 
two...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Men by their constitutions are naturally divided in to two parties:
   1. Those who fear and distrust the people and wish to draw all
   powers from them into the hands of the higher classes. 2. Those who
   identify themselves with the people, have confidence in them,
   cherish and consider them as the most honest and safe, although not
   the most wise, depository of the public interests.
                                                   -- Thomas Jefferson
-----------------------------------------------------------------------
  6 days until Bill of Rights day

Re: HELO_DYNAMIC false positives on a UK web host

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-12-09 at 21:59 +0000, Cedric Knight wrote:
> On 09/12/10 20:30, Karsten Bräckelmann wrote:

> > Anyway, why are *web* servers sending out mail at all? Other than maybe
> > cron junk and friends, which would warrant bypassing SA or extending
> > your internal network. If they are indeed intended to send out mail to
> > third-parties, they better be configured properly first.
> 
> In the case that actually caused me to write, orders from a shop.  Or it
> might be running PHPList or CiviCRM or any CMS that authenticates users
> by email.

Transactional order confirmation mail? Well, mail *is* part of their
business then, and they really should take a moment to think about their
mail infrastructure.

(Just like they should take a moment to think about online advertising,
and how valid some of the offers might be. There are a lot of traps, not
only in traditional businesses. But I digress.)


> > Looks like a dynamic hostname indeed.
> 
> The "srv" might raise suspicions.  In fact, I suppose it's not a totally
> unreasonable form of rDNS for a large server farm, but personally I give
> all the cows on my farm names.

Not unreasonable for a server farm, but a mail delivery cluster is a
different species.

And from the shop owner's POV, it's not a farm anyway, or is it? I
wouldn't assume they are using more than one machine...



Re: HELO_DYNAMIC false positives on a UK web host

Posted by Cedric Knight <ce...@gn.apc.org>.
On 09/12/10 22:43, John Hardin wrote:
> On Thu, 9 Dec 2010, Cedric Knight wrote:
>
>> It appears that a client can easily set up hosting using cPanel or
>> something without ever setting the rDNS or hostname to anything other
>> than the numeric default.
>
> Is there anything in the headers that indicates cpanel is in use?

Not really, unfortunately.  The only way I know is that the host's
public webpages mention both cPanel and Plesk as available features.  To
clarify a little more, both the false positive samples I have are from
small organisations, with apparently just one dedicated or virtual
server apiece at UKFast, used primarily as a web server.  One sample is from
  X-Mailer: Drupal
and the other is
  X-Mailer: PHPMailer [version 1.72]

The only commonality is that the last Received line is of the form:
  Received: (qmail \d+ invoked by uid \d+); [$DATE]
which might also hit anything that had been through Yahoo or Messagelabs.

> Perhaps a meta on cpanel + dynamic-looking-rDNS would be worth a
> negative point or two...

This is about 9-11 points to offset, though.  Maybe there's no way of
doing a negative rule that spammers couldn't abuse.  The exclusion could
be generalised by having certain HELO strings stop the HELO_DYNAMIC_*
firing: HELO_STATIC_HOST currently only has provision for "rogers.com"
and only neutralises HELO_DYNAMIC_IPADDR, HELO_DYNAMIC_DHCP,
HELO_DYNAMIC_HCC.  That could be extended to the rules involved in this
case, and certain strings like "static|fixip|\bse?rv|mx" (and not
"pool|dsl", although some people even unwisely run their office exchange
server on something with "dsl" and a string of numbers in the rDNS).

These are valuable rules, and hosts should indeed ensure they or their
users set authentic-looking HELOs.  How about scanning through mail or
logs for messages that hit at least 2 of the HELO_DYNAMIC rules and
RCVD_NUMERIC_HELO, but are otherwise hammy?

Looking at HELO_DYNAMIC_SPLIT_IP closely, I'm pretty sure it was never
intended to overlap with RCVD_NUMERIC_HELO.  I'll file a bug.

CK

Re: HELO_DYNAMIC false positives on a UK web host

Posted by Cedric Knight <ce...@gn.apc.org>.
On 09/12/10 20:30, Karsten Bräckelmann wrote:
> On Thu, 2010-12-09 at 20:18 +0000, Cedric Knight wrote:
>> I noticed some bad false positives on email sent from certain web
>> servers that haven't (yet) been properly configured.  For example, a
>> trusted header line starting:
>
> Ah, so they are operational, just poorly configured. That's what you
> just said in other words, right? :)

Yes, I was trying to think of a tactful way of putting it without
showing exasperation :).  It appears that a client can easily set up
hosting using cPanel or something without ever setting the rDNS or
hostname to anything other than the numeric default.

I don't actually know if rDNS or hostname are directly under client
control, but I've advised senders to ask their hosting company to deal
with it.

>
> Anyway, why are *web* servers sending out mail at all? Other than maybe
> cron junk and friends, which would warrant bypassing SA or extending
> your internal network. If they are indeed intended to send out mail to
> third-parties, they better be configured properly first.

In the case that actually caused me to write, orders from a shop.  Or it
might be running PHPList or CiviCRM or any CMS that authenticates users
by email.

>
>> Received: from 94.229.160.4.srvlist.ukfast.net
>> (94.229.160.4.srvlist.ukfast.net [94.229.160.4])
>
> Looks like a dynamic hostname indeed.

The "srv" might raise suspicions.  In fact, I suppose it's not a totally
unreasonable form of rDNS for a large server farm, but personally I give
all the cows on my farm names.


Re: HELO_DYNAMIC false positives on a UK web host

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-12-09 at 20:18 +0000, Cedric Knight wrote:
> I noticed some bad false positives on email sent from certain web
> servers that haven't (yet) been properly configured.  For example, a
> trusted header line starting:

Ah, so they are operational, just poorly configured. That's what you
just said in other words, right? :)

Anyway, why are *web* servers sending out mail at all? Other than maybe
cron junk and friends, which would warrant bypassing SA or extending
your internal network. If they are indeed intended to send out mail to
third-parties, they better be configured properly first.

> Received: from 94.229.160.4.srvlist.ukfast.net
> (94.229.160.4.srvlist.ukfast.net [94.229.160.4])

Looks like a dynamic hostname indeed.


> I've emailed UKFast, but don't know when or if they will fix the
> problem, so here are some workaround rules for anyone who might be affected:

Constructive. I like that. :)



Re: HELO_DYNAMIC false positives on a UK web host

Posted by "corpus.defero" <co...@idnet.com>.
On Thu, 2010-12-09 at 20:18 +0000, Cedric Knight wrote:
> I noticed some bad false positives on email sent...
> 
> Received: from 94.229.160.4.srvlist.ukfast.net
> (94.229.160.4.srvlist.ukfast.net [94.229.160.4])

ukfast == firewall on site. IME a major source of little more than spam
in the UK. Thanks for the extra /20