Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/06/05 12:15:48 UTC
[Bug 6124] New: Too many companies using domain.lan for MS AD
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
Summary: Too many companies using domain.lan for MS AD
Product: Spamassassin
Version: 3.2.5
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Plugins
AssignedTo: dev@spamassassin.apache.org
ReportedBy: scheidell@secnap.net
Way too many people are using .lan (local area network) as their internal,
local lan.
I agree if FIRST untrusted does a 'helo *.lan' you should score it high, but if
they have an internal server that does a helo *.lan to their external (bastion
or smart host) and it uses a valid FQDN, you should not score it so high.
header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
3.714 points is pretty high.
score HELO_LH_HOME 2.602 3.169 2.689 3.714
In this case the client used the 'default' FQDN on their Exchange server (yes,
stupid, not RFC compliant). They have a real FQDN that matches their IP, but
for some reason, Microsoft does not make it abundantly clear how important the
FQDN setting in Exchange is.
Score a little lower, or maybe score *.lan and *.home a little differently.
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #3 from AXB <al...@gmail.com> 2009-06-05 06:00:08 PST ---
(In reply to comment #2)
> I don't see it's a problem as it's only looking at the last hop.
>
It could be anywhere in the chain... It would be way safer to maintain a rule
with the "bad guys":
speedtouch.lan
dsldevice.lan
etc...
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #4 from Karsten Bräckelmann <gu...@rudersport.de> 2009-06-05 06:17:39 PST ---
No, it could not. The rule is anchored at the beginning of the internal header,
and excludes the closing square bracket in his matching. Thus it only matches
the last untrusted relay.
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #1 from AXB <al...@gmail.com> 2009-06-05 05:33:05 PST ---
Agreed 100%
Pls remove this.
Potential for FPs is way too large, no matter what score.
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #5 from Justin Mason <jm...@jmason.org> 2009-06-05 06:32:54 PST ---
if anyone has actual FPs, please attach samples (and the "trusted_networks" /
"internal_networks" config) that reproduce it.
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #6 from AXB <al...@gmail.com> 2009-06-05 07:58:08 PST ---
(In reply to comment #5)
> if anyone has actual FPs, please attach samples (and the "trusted_networks" /
> "internal_networks" config) that reproduce it.
>
Sadly, I'm using Mailscanner which can't add the headers to the msg but does
"process" them.
Deployed the rule in production with a 0.001 score and it started hitting on
those corporate Exchange HELOs.
I cannot disclose log snippets in bugzilla but could send to JM privately.
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #2 from RW <rw...@googlemail.com> 2009-06-05 05:40:25 PST ---
I don't see it's a problem as it's only looking at the last hop.
[Bug 6124] Too many companies using domain.lan for MS AD
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124
--- Comment #7 from AXB <al...@gmail.com> 2009-06-05 08:10:47 PST ---
(In reply to comment #6)
> (In reply to comment #5)
> > if anyone has actual FPs, please attach samples (and the "trusted_networks" /
> > "internal_networks" config) that reproduce it.
> >
>
> Sadly, I'm using Mailscanner which can't add the headers to the msg but does
> "process" them.
>
> Deployed the rule in production with a 0.001 score and it started hitting on
> those corporate Exchange HELOs.
>
> I cannot disclose log snippets in bugzilla but could send to JM privately.
>
legit HELOs since rule deployment:
helo=<CMAGS001.CovraMetallAG.lan>
helo=<heb-mainsrv.HEBLATTER.lan>
\w+\.\w+\.lan
is yet another .local, .internal variation used by many corps (MSCE training?).
It's obviously bad, but how much worse than Telefonica's .correo can it get?
\w+\.(lan|home) would probably be safe.
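Added example, not part of the original thread: the rule from the report and the narrower \w+\.(lan|home) idea from comment #7, run in Python (rather than SpamAssassin's Perl) over constructed X-Spam-Relays-Untrusted values to show the first-entry anchoring described in comment #4. The relay field layout, the example.* hosts and addresses, and the way the narrower pattern is embedded in the anchored rule are assumptions.

```python
import re

# HELO_LH_HOME as quoted in the report; the trailing space before /i is part of it.
STOCK = re.compile(r"^[^\]]+ helo=\S+\.(?:home|lan) ", re.I)
# Comment #7's \w+\.(lan|home), placed in the same anchored form (assumption):
# only a single label is allowed in front of the pseudo-TLD.
NARROW = re.compile(r"^[^\]]+ helo=\w+\.(?:home|lan) ", re.I)


def relay(ip, helo, rdns="", by="mx.example.net"):
    """Build one constructed X-Spam-Relays-Untrusted entry."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} "
            "ident= envfrom= intl=0 id= auth= ]")


def evaluate(header):
    """Return (stock_hit, narrow_hit) for one pseudo-header value."""
    return bool(STOCK.search(header)), bool(NARROW.search(header))


# Constructed pseudo-headers; the most recent untrusted relay comes first.
SAMPLES = {
    # AD-style host.domain.lan HELO handed straight to the receiving MX.
    "ad_first": relay("198.51.100.7", "CMAGS001.CovraMetallAG.lan"),
    # Consumer CPE default name, one label before .lan.
    "cpe_first": relay("203.0.113.9", "speedtouch.lan"),
    # Internal .lan host behind a smart host that uses a valid FQDN.
    "ad_behind_fqdn": " ".join([
        relay("192.0.2.10", "mail.example.com", rdns="mail.example.com"),
        relay("10.0.0.5", "srv1.corp.lan", by="mail.example.com"),
    ]),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, evaluate(header))
```

Because [^\]]+ cannot cross the first closing bracket, the .lan HELO in the second entry of "ad_behind_fqdn" is never examined by either pattern.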