Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/07/30 17:11:25 UTC

[Bug 6169] New: whitelist_from_rcvd is fooled by forged rdns

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6169

           Summary: whitelist_from_rcvd is fooled by forged rdns
           Product: Spamassassin
           Version: 3.2.5
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Libraries
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: spamassassin-bugzilla@tracker.fire-world.de


Hi,

whitelist_from_rcvd fails to recognize a forged rdns entry. More precisely the
following entry:

whitelist_from_rcvd *@alita.karotte.org localhost

Is matched by this mail:

>From ntchel@accuridecorp.com  Thu Jul 30 13:49:11 2009
Return-Path: <nt...@accuridecorp.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on alita.karotte.org
X-Spam-Level:
X-Spam-Status: No, score=-77.7 required=5.0 tests=BAYES_60=1,
        HTML_IMAGE_ONLY_04=2.041,HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=0.001,
        MIME_HTML_ONLY=1.457,RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
        RAZOR2_CHECK=0.5,RCVD_IN_BL_SPAMCOP_NET=1.96,RCVD_IN_PBL=0.905,
        RCVD_IN_SORBS_WEB=0.619,RCVD_IN_XBL=3.033,SARE_HTML_A_BODY=0.742,
        SARE_HTML_IMG_ONLY=1.666,SPF_FAIL=0.693,TVD_SPACE_RATIO=2.219,
        URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,USER_IN_WHITELIST=-100 autolearn=no
        bayes=0.7770 version=3.2.5
Received: from alside.com (localhost [220.231.127.15] (may be forged))
        by alita.karotte.org (8.14.3/8.14.3/Debian-5) with SMTP id n6UBn1BJ021997
        for <we...@alita.karotte.org>; Thu, 30 Jul 2009 13:49:05 +0200
X-DKIM: Sendmail DKIM Filter v2.8.2 alita.karotte.org n6UBn1BJ021997
Date: Thu, 30 Jul 2009 13:49:01 +0200
Message-Id: <20...@alita.karotte.org>
To: <we...@alita.karotte.org>
Subject: Delivery Status Notification
From: <we...@alita.karotte.org>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Status: RO
Content-Length: 324
Lines: 6

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

--- Comment #4 from Sidney Markowitz <si...@sidney.com>  2009-07-30 14:04:01 PST ---
As an additional note on this:

As Justin pointed out the "may be forged" is a common situation that
whitelist_from_rcvd does handle. In this case whitelist_from_rcvd is looking at
the rdns result "localhost" instead of the possibly forged result "alside.com".
That doesn't help you because you are telling whitelist_from_rcvd to look for
"localhost" and that is what it sees. If this is a spammer, it is a spammer who
has configured the rdns for the mail server's ip address to return the name
"localhost".

I'm assuming that karotte.org is a domain you have some control over, hence the
"localhost" in the whitelist entry.

You should look at why you need to have whitelist_from_rcvd specifying
"localhost" instead of "karotte.org". The SPF records for alita.karotte.org and
karotte.org say that mail should be coming through mx.karotte.org. If you have
the mail set up for local origin mail going into the mail box with a Received
header that shows 127.0.0.1 and not the external ip address of the mx mail
server, then you need to fix that or change the rdns result for 127.0.0.1 or
you won't be able to use whitelist_from_rcvd for that address in a useful way.

The whitelist_from_rcvd entry you have now will be fooled by any spammer who
configures their rdns to return "localhost". Bottom line is that localhost is
not that useful as the domain name in a whitelist_from_rcvd entry.

--- Comment #7 from Sebastian <sp...@tracker.fire-world.de>  2009-07-31 02:26:00 PST ---
The possibility to enter an IP-Address (or CIDR notation) for
whitelist_from_rcvd would be much appreciated by me. That would help in this
case (127.0.0.1 is in the non-forged header from my machine).

--- Comment #14 from Sidney Markowitz <si...@sidney.com>  2009-08-04 14:06:50 PST ---
(reply to comment #12)

Ok, I can see that in some setups you can trust any mail that was sent locally
as much as you can a whitelist and you could increase the default negative
score of ALL_TRUSTED to act as a whitelist. That's even more likely to be true
in an environment where local mail shows up as being received by localhost rather
than an external ip address. For example, if I get mail on my ISP account sent
by someone else who uses the same ISP, then it hits ALL_TRUSTED. I would not
want to whitelist it, but the helo shows an ip address other than localhost
because it still goes through an smtp server out and an mx server in.

But that's a workaround that will not apply everywhere. It may be reason enough
to not try to fix this, i.e., perhaps we tell the person who files this report
that they should either set up separate smtp out and mx in ip addresses or use
a beefed up score in ALL_TRUSTED instead of whitelist_from_rcvd to deal with
those addresses.

Sebastian <sp...@tracker.fire-world.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |
           Severity|normal                      |enhancement




--- Comment #2 from Sebastian <sp...@tracker.fire-world.de>  2009-07-30 13:43:00 PST ---
My MTA is sendmail and it notes "may be forged", so it has detected that there
is something wrong.

I think this is something that should be recognized and in this case
whitelist_from_received should NOT match.

I'm changing this to enhancement, if you still think this is something that
shouldn't be implemented feel free to close this bug again.

--- Comment #6 from Sidney Markowitz <si...@sidney.com>  2009-07-30 15:12:36 PST ---
(reply to comment #5)

Whoops, I had bad information on the meaning of "may be forged", your quote
from the sendmail documentation is more authoritative.

On the other hand, I don't think that "may be forged" as described there should
be a reason to not match whitelist_from_rcvd. Some ISPs have multiple ip
addresses for a host name as a form of load balancing. If mx.example.com
returns different addresses at different times for a DNS query, all of those
addresses should return mx.example.com for rdns, but the forward query may not
match. In that case, you have a good chance of getting a "may be forged". Your
whitelist_from_rcvd entry must look for whatever is returned by the rdns query
for the ip address that the mail comes from, but there is no guarantee that
will be the only or the primary ip address for that host name.

So I was wrong about the details of why it was happening, but not about the
rest of it: Under normal circumstances a spammer uses different From addresses,
so they can not practically use a bogus rdns entry on their mail server to make
it look like the correct server is sending the mail for that From address.
whitelist_from_rcvd doesn't really have to care about the "may be forged" as
there isn't a practical way to get a useful forgery in the general case.
However, "localhost" may be a useful forgery for the spammer just because of
situations like this.

I suppose that if Spamassassin could handle an ip address in a
whitelist_from_rcvd, then you could specify 127.0.0.1 just for this situation.
Is that what your non-forged Received headers have when you really do send mail
to yourself on your machine? Perhaps that would be a useful enhancement if it
isn't handled already (I haven't looked it up or tried it yet).

--- Comment #9 from Sidney Markowitz <si...@sidney.com>  2009-08-03 15:46:19 PST ---
(in reply to comment #8)
I don't see how trusted_networks would make a difference here. The sender path
is being correctly extracted from the lowest Received header that was added on
the trusted network. If you mean that 127.0.0.1 should be on the trusted
network, I believe that is automatic, but in any case 127.0.0.1 doesn't appear
in these headers, only the name localhost. Am I missing something about how
trusted_network can help here?

(in reply to comment #7)

Looking at the source code, it appears problematic to try to get
whitelist_from_rcvd to work with an IP address or CIDR notation.
PerMsgStatus.pm has a routine that gets and caches the host name of the
envelope sender. That routine handles finding the name from a number of
alternate formats from different MTAs, only one of which is the Received header
as done by sendmail, which is the one that has the ip address and "may be
forged". Other things besides whitelist_from_rcvd use that same cached result.
So what we have is a public API that is defined as specifying the host name in
the envelope sender.

I think what we would have to do is add something to PerMsgStatus to try to get
the ip address as well as the host name when it is available. I'm not sure if
that makes sense to do.

Would it be possible to have your local mail delivery access your sendmail
server using its external ip address instead of 127.0.0.1?

--- Comment #11 from Sidney Markowitz <si...@sidney.com>  2009-08-03 16:51:56 PST ---
(reply to comment #10)

Yes, ALL_TRUSTED would fire, but I don't see how whitelist_from_rcvd could be
made to work from that. Unless we modify whitelist_from_received to be able to
take some special token instead of domain_name that means "all_trusted only",
for example,

  whitelist_from_rcvd foobar@example.com ALL_TRUSTED_ONLY

which would not check the host name but would check that ALL_TRUSTED is hit.

Karsten Bräckelmann <gu...@rudersport.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #1 from Karsten Bräckelmann <gu...@rudersport.de>  2009-07-30 12:12:16 PST ---
(In reply to comment #0)
> whitelist_from_rcvd fails to recognize a forged rdns entry.

It is not forged, it is inserted by your own MTA.

> Received: from alside.com (localhost [220.231.127.15] (may be forged))
>         by alita.karotte.org (8.14.3/8.14.3/Debian-5) with SMTP id

$ host 220.231.127.15
15.127.231.220.in-addr.arpa domain name pointer localhost.

SA doesn't do the DNS lookup, but relies on the MTA. I believe this works
exactly as advertised. Not a bug.

--- Comment #8 from Tom Schulz <sc...@adi.com>  2009-08-03 07:45:17 PST ---
Wouldn't setting up trusted_networks work for this situation?

--- Comment #12 from Tom Schulz <sc...@adi.com>  2009-08-04 12:29:36 PST ---
I was thinking that if all_trusted fired that it would add enough negative
points so that the whitelist would not be needed.

Sebastian <sp...@tracker.fire-world.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |normal




--- Comment #5 from Sebastian <sp...@tracker.fire-world.de>  2009-07-30 14:38:03 PST ---
According to

http://www.sendmail.org/faq/section3#3.38

What does "may be forged" mean?

"After sendmail does a hostname look-up on the IP address of the connecting
client, the IP addresses of that hostname are looked up. If the client IP
address does not appear in that list, then the may be forged tag is added."

So it's NOT comparing the HELO, but actually doing an IP->hostname->IP lookup.
Which in my opinion is a reason to NOT let whitelist_from_rcvd match.

But seeing that I'm alone with that, I'll think about something procmail-ish to
replace the localhost whitelist entry.


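As an added example (not code from this bug thread or from SpamAssassin itself), the following Python models the three pieces under discussion: the sendmail Received clause from the report, the IP -> hostname -> IP check Sebastian quotes above from the sendmail FAQ (which also produces the load-balancing false positive Sidney describes in comment #6), and a whitelist_from_rcvd match with assumed semantics (exact or subdomain match on the rDNS name). The DNS tables, the mx.example.com host and the sender address are constructed for the walk-through.

```python
import re

# Sendmail-style Received clause copied from the bug report (unfolded onto one line).
RECEIVED = ("from alside.com (localhost [220.231.127.15] (may be forged)) "
            "by alita.karotte.org (8.14.3/8.14.3/Debian-5) with SMTP id n6UBn1BJ021997")

# Constructed DNS data standing in for live lookups: 220.231.127.15 has a PTR of
# "localhost" (as comment #1's host output shows); mx.example.com models comment #6's
# load-balanced host that answers from two addresses but publishes only one A record.
PTR = {"220.231.127.15": "localhost", "192.0.2.10": "mx.example.com",
       "192.0.2.11": "mx.example.com"}
A = {"localhost": ["127.0.0.1"], "mx.example.com": ["192.0.2.10"]}

RECV_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]"
                     r"(?P<forged>\s+\(may be forged\))?\)")

def parse_received(header):
    """Split a sendmail Received clause into HELO name, rDNS name, IP and the flag."""
    m = RECV_RE.search(header)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "may_be_forged": m["forged"] is not None}

def sendmail_forged_check(ip, ptr=PTR, a=A):
    """The check quoted in comment #5: IP -> PTR name -> A records; the connection
    is flagged when the client IP is not among the name's addresses."""
    name = ptr.get(ip)
    if name is None:
        return None, True          # no rDNS at all: sendmail cannot confirm it
    return name, ip not in a.get(name, [])

def whitelist_from_rcvd_matches(entry_addr, entry_host, sender, rdns):
    """Assumed whitelist_from_rcvd semantics: glob on the sender address, and the
    rDNS name must equal entry_host or be a subdomain of it (HELO is ignored)."""
    addr_re = "^" + re.escape(entry_addr).replace(r"\*", ".*") + "$"
    host_ok = rdns.lower() == entry_host.lower() or \
        rdns.lower().endswith("." + entry_host.lower())
    return re.match(addr_re, sender, re.I) is not None and host_ok

def evaluate(header, sender, entry_addr, entry_host):
    """Return (whitelist fires, sendmail would flag 'may be forged') for one mail."""
    rcvd = parse_received(header)
    _, forged = sendmail_forged_check(rcvd["ip"])
    return whitelist_from_rcvd_matches(entry_addr, entry_host, sender, rcvd["rdns"]), forged

if __name__ == "__main__":
    # Constructed sender in the whitelisted domain (the real address is elided on the page).
    print(evaluate(RECEIVED, "user@alita.karotte.org", "*@alita.karotte.org", "localhost"))
    # -> (True, True): the entry fires on a connection sendmail itself flagged
    print(evaluate(RECEIVED, "user@alita.karotte.org", "*@alita.karotte.org", "karotte.org"))
    # -> (False, True): a real domain in the entry does not match the rDNS "localhost"
```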
Justin Mason <jm...@jmason.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID




--- Comment #3 from Justin Mason <jm...@jmason.org>  2009-07-30 13:55:37 PST ---
(In reply to comment #2)
> My MTA is sendmail and it notes "may be forged", so it has detected that there
> is something wrong.
> 
> I think this is something that should be recognized and in this case
> whitelist_from_received should NOT match.

this is something sendmail does routinely, for any host that doesn't HELO with
its exact reverse DNS.  it's extremely common.

--- Comment #13 from Sebastian <sp...@tracker.fire-world.de>  2009-08-04 14:00:46 PST ---
No, it only adds -1.8 per default: tests=ALL_TRUSTED=-1.8

--- Comment #10 from Karsten Bräckelmann <gu...@rudersport.de>  2009-08-03 15:54:52 PST ---
> (in reply to comment #8)
> I don't see how trusted_networks would make a difference here.

I understand it that's more like a comment on-list previously. ALL_TRUSTED
should fire on the mail that the whitelist_from_rcvd tries to protect. It would
not with this borked DNS data.
