Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/06/05 12:15:48 UTC

[Bug 6124] New: Too many companies using domain.lan for MS AD

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124

           Summary: Too many companies using domain.lan for MS AD
           Product: Spamassassin
           Version: 3.2.5
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Plugins
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: scheidell@secnap.net


Way too many people are using .lan (local area network) as their internal,
local LAN.

I agree that if the FIRST untrusted relay does a 'helo *.lan' you should score it
high, but if they have an internal server that does a helo *.lan to their
external (bastion or smart host) and it uses a valid FQDN, you should not score
it so high.

header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i

3.714 points is pretty high.

score HELO_LH_HOME 2.602 3.169 2.689 3.714 

In this case the client used the 'default' FQDN on their Exchange server (yes,
stupid, not RFC compliant). They have a real FQDN that matches their IP, but
for some reason Microsoft does not make it abundantly clear how important the
FQDN setting in Exchange is.

Score it a little lower, or maybe score *.lan and *.home a little differently.


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

--- Comment #3 from AXB <al...@gmail.com>  2009-06-05 06:00:08 PST ---
(In reply to comment #2)
> I don't see it's a problem as it's only looking at the last hop.
> 

It could be anywhere in the chain... It would be way safer to maintain a rule
with the "bad guys":

speedtouch.lan
dsldevice.lan
etc...


--- Comment #4 from Karsten Bräckelmann <gu...@rudersport.de>  2009-06-05 06:17:39 PST ---
No, it could not. The rule is anchored at the beginning of the internal header,
and excludes the closing square bracket in its matching. Thus it only matches
the last untrusted relay.


--- Comment #1 from AXB <al...@gmail.com>  2009-06-05 05:33:05 PST ---
Agreed 100%.
Please remove this.
Potential for FPs is way too large, no matter what score.


--- Comment #5 from Justin Mason <jm...@jmason.org>  2009-06-05 06:32:54 PST ---
If anyone has actual FPs, please attach samples (and the "trusted_networks" /
"internal_networks" config) that reproduce it.


--- Comment #6 from AXB <al...@gmail.com>  2009-06-05 07:58:08 PST ---
(In reply to comment #5)
> if anyone has actual FPs, please attach samples (and the "trusted_networks" /
> "internal_networks" config) that reproduce it.
> 

Sadly, I'm using MailScanner, which can't add the headers to the message but
does "process" them.

Deployed the rule in production with a 0.001 score and it started hitting on
those corporate Exchange HELOs.

I cannot disclose log snippets in bugzilla but could send to JM privately.


--- Comment #2 from RW <rw...@googlemail.com>  2009-06-05 05:40:25 PST ---
I don't see it's a problem as it's only looking at the last hop.


--- Comment #7 from AXB <al...@gmail.com>  2009-06-05 08:10:47 PST ---
(In reply to comment #6)
> (In reply to comment #5)
> > if anyone has actual FPs, please attach samples (and the "trusted_networks" /
> > "internal_networks" config) that reproduce it.
> > 
> 
> Sadly, I'm using Mailscanner which can't add the headers to the msg but does
> "process" them.
> 
> Deployed the rule in production with a 0.001 score and it started hitting on
> those corporate Exchange HELOs.
> 
> I cannot disclose log snippets in bugzilla but could send to JM privately.
> 

Legit HELOs since rule deployment:

helo=<CMAGS001.CovraMetallAG.lan>
helo=<heb-mainsrv.HEBLATTER.lan>

\w+\.\w+\.lan is yet another .local / .internal variation used by many corps
(MCSE training?).
It's obviously bad, but how much worse than Telefonica's .correo can it get?

\w+\.(lan|home) would probably be safe.


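A worked check of the two regex points made in this thread (Karsten's
anchoring argument in comment #4, and AXB's narrower \w+\.(lan|home) pattern
from comment #7), as an added example that is not part of the thread and not
SpamAssassin's own code. It builds a constructed X-Spam-Relays-Untrusted
pseudo-header (the field names are SpamAssassin 3.2's; the exact rendering,
the IPs and the FQDN hostnames are assumptions, while the .lan HELOs are the
ones quoted in the thread) and runs the quoted rule body and the suggested
variant against it with Python's re module:

```python
import re

# Added example, not SpamAssassin code. Reproduces the HELO_LH_HOME rule body
# quoted in the bug report and AXB's narrower variant (comment #7) against a
# constructed X-Spam-Relays-Untrusted pseudo-header.

# Rule body exactly as quoted in the report. The trailing space before the
# closing slash is part of the pattern: it pins .home/.lan to the END of the
# helo= token, so a HELO that merely contains ".lan." in the middle won't hit.
HELO_LH_HOME = re.compile(r"^[^\]]+ helo=\S+\.(?:home|lan) ", re.I)

# AXB's suggestion: only a single label in front of .lan/.home
# (speedtouch.lan, dsldevice.lan), not host.domain.lan as used by Exchange.
HELO_LH_HOME_NARROW = re.compile(r"^[^\]]+ helo=\w+\.(?:lan|home) ", re.I)

# Assumed rendering of one relay entry (field names as in SpamAssassin 3.2;
# the exact set and order of fields is an assumption for this example).
# Entries follow the Received headers top-down, so the FIRST entry is the
# last untrusted hop: the relay that handed the message to the trusted
# network. "^[^\]]+" cannot cross the first "]", hence the rule can only see
# that first entry, which is Karsten's point.
RELAY_FMT = ("[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom= "
             "intl=0 id={id} auth= msa=0 ]")


def relays_untrusted(relays):
    """Render a list of constructed relay dicts as X-Spam-Relays-Untrusted."""
    return " ".join(RELAY_FMT.format(**r) for r in relays)


def hits(rule, relays):
    """True when the rule would fire on the given untrusted relay chain."""
    return rule.search(relays_untrusted(relays)) is not None


# Constructed relays. IPs are from documentation ranges; example.com /
# example.org stand in for the customer's bastion and our MX. The .lan
# hostnames are the ones reported in the thread.
EXCHANGE_LAN = {"ip": "192.0.2.10", "rdns": "mail.example.com",
                "helo": "CMAGS001.CovraMetallAG.lan",
                "by": "mx.example.org", "id": "1"}
BASTION_FQDN = {"ip": "192.0.2.10", "rdns": "mail.example.com",
                "helo": "mail.example.com",
                "by": "mx.example.org", "id": "2"}
SPEEDTOUCH = {"ip": "198.51.100.7", "rdns": "",
              "helo": "speedtouch.lan",
              "by": "mx.example.org", "id": "3"}
LAN_IN_MIDDLE = {"ip": "198.51.100.8", "rdns": "mail.lan.example.com",
                 "helo": "mail.lan.example.com",
                 "by": "mx.example.org", "id": "4"}


def scenarios():
    """Rule outcome per scenario discussed in the thread."""
    return {
        # Exchange with its default .lan name HELOs straight to our MX:
        # it is the last untrusted relay, so the quoted rule fires ...
        "exchange_direct": hits(HELO_LH_HOME, [EXCHANGE_LAN]),
        # ... but AXB's single-label variant does not.
        "exchange_direct_narrow": hits(HELO_LH_HOME_NARROW, [EXCHANGE_LAN]),
        # Exchange HELOs .lan only to the customer's bastion, which HELOs
        # with a real FQDN to us: the .lan entry is the second bracket and
        # the anchored rule never reaches it.
        "exchange_behind_bastion": hits(HELO_LH_HOME, [BASTION_FQDN, EXCHANGE_LAN]),
        # Consumer router default name: both patterns fire.
        "speedtouch": hits(HELO_LH_HOME, [SPEEDTOUCH]),
        "speedtouch_narrow": hits(HELO_LH_HOME_NARROW, [SPEEDTOUCH]),
        # ".lan" as an inner label of a real FQDN: not at the end of the
        # helo= token, so no hit.
        "lan_in_middle": hits(HELO_LH_HOME, [LAN_IN_MIDDLE]),
    }


if __name__ == "__main__":
    for name, hit in scenarios().items():
        print(f"{name:25s} {'HIT' if hit else 'no hit'}")
```

Which relay ends up first in the pseudo-header is decided by the receiving
site's trusted_networks / internal_networks, which is why comment #5 asks for
that config together with samples: a customer bastion outside our trust
boundary is the last untrusted relay and shields the .lan Exchange behind it,
whereas an Exchange box that HELOs .lan directly to our MX is scored.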