Posted to users@spamassassin.apache.org by René Berber <r....@computer.org> on 2006/12/05 10:50:37 UTC

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

Jo Rhett wrote:
> René Berber wrote:
>> Jo Rhett wrote:
>>
>>> René Berber wrote:
>>>> The change I made works on a test from someone that was on vacation and sending
>>>> a message (to me) using his ISP account, the header includes a lot of extra text
>>>> with the usual dynamic IP stuff and "may be forged" and there was no way it
>>>> would be a match by the original line.  With my change, there is a match.
>>> Can you post the line with the hostnames obscured?  I'd like to see it.
>>
>> It's the same one I posted before:
>>
>> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx
>> [189.149.70.163] (may be forged))
>>     (authenticated bits=0)
>>     by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
>>     for <rb...@cactus-soft.dyndns.org>; Sun, 3 Dec 2006 10:02:16
>> -0600 (CST)
>>
>> The original test is looking for a pair of closing parenthesis ")]" or "])"
>> which is not there (not together, but a fixed IP probably has those), or
>> something followed by colon and there is no colon at all (the test is done
>> starting with "from").
> 
> Do you know why the SMTP authenticating server was forging the HELO
> name?  Normal mail clients will give their IP address, right?  And the
> "may be forged" only appears if they gave a full name and resolution
> succeeded *and* none of the addresses returned matched the helo name.
> 
> In short, this may have been a deliberate choice to prevent a match on
> hosts with forged helo names.  It would make sense.

I don't agree: there is no HELO forging.  The name MARISELA is the laptop's name
(set in Windows), and the address is the dynamic IP given by the ISP.  The IP does
have a reverse but no name for the IP, which is normal for the big pool of
addresses from that ISP and produces the "may be forged" part.

You say "normal clients"; well, this client is Microsoft Outlook (Office 200x
edition), and I don't see anything abnormal in what it is doing.  Giving the IP
address is probably useless if they are, most of the time, inside a private
network (no name resolution at all).

The test in question is doing only one thing: checking whether there was
authentication or not.  No attempt is made, and IMO none should be made, to check
if the HELO is forged; that is another test done somewhere else.  Remember the
context: SA only takes authentication into consideration if it was done with a
trusted server; in this case it was, so it counts.
-- 
René Berber
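The point of the thread is how a Sendmail "Received:" from-clause should be matched
to detect SMTP AUTH: the line shown above carries "(may be forged))" between the IP
and the "(authenticated bits=0)" marker, so a pattern that insists on "])" right
before the marker never fires.  The following is an added example by the editor,
not SpamAssassin's or René's code: the STRICT pattern is only a reconstruction of
what the post says the original test looked for (an assumption, not SA's actual
regex), the RELAXED parser tolerates the "(may be forged)" and no-reverse-DNS forms
Sendmail emits, and counts_as_local_auth() applies the trusted-relay caveat the
post ends on.  The first sample is the header quoted in the thread; the other
hostnames, addresses and the trusted-relay set are constructed.

```python
import re

# Sendmail "Received:" from-clauses, unfolded onto one line the way a header
# parser sees them.  The first is the header quoted in the thread; the rest are
# constructed samples (example.com names, RFC 5737 addresses) for the other
# shapes Sendmail produces.
SAMPLES = {
    "dynamic_forged_auth": (
        "from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx "
        "[189.149.70.163] (may be forged)) (authenticated bits=0) "
        "by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 "
        "for <rb...@cactus-soft.dyndns.org>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)"
    ),
    "fixed_ip_auth": (
        "from laptop (host.example.com [192.0.2.10]) (authenticated bits=0) "
        "by mail.example.com (8.13.8/8.13.8) with ESMTP id abc123 "
        "for <user@example.com>; Mon, 4 Dec 2006 09:00:00 -0600 (CST)"
    ),
    "no_rdns_auth": (  # no reverse name at all: Sendmail writes "([ip])"
        "from laptop ([192.0.2.11]) (authenticated bits=0) "
        "by mail.example.com (8.13.8/8.13.8) with ESMTP id abc124 "
        "for <user@example.com>; Mon, 4 Dec 2006 09:01:00 -0600 (CST)"
    ),
    "forged_not_auth": (  # "may be forged" but no SMTP AUTH
        "from bogus.example.org (dsl-203-0-113-7.example.net [203.0.113.7] "
        "(may be forged)) by mail.example.com (8.13.8/8.13.8) with ESMTP id abc125 "
        "for <user@example.com>; Mon, 4 Dec 2006 09:02:00 -0600 (CST)"
    ),
}

# Reconstruction (assumed, not SA's real regex) of the behaviour the post
# describes: the "])" must sit directly before "(authenticated", so anything
# Sendmail inserts after the IP, such as " (may be forged)", breaks the match.
STRICT = re.compile(r"^from \S+ \((?:\S+ )?\[[\d.]+\]\) \(authenticated\b", re.I)

# Tolerant parser: optional reverse name, optional "(may be forged)", optional
# "(authenticated ...)" marker, then the relay that wrote the header.
# Sendmail's "bits=N" is the SASL security strength factor (${auth_ssf});
# bits=0 means the mechanism added no encryption layer, not that AUTH failed.
RELAXED = re.compile(
    r"^from (?P<helo>\S+) "
    r"\((?:(?P<rdns>\S+) )?\[(?P<ip>[\d.]+)\](?P<forged> \(may be forged\))?\) "
    r"(?P<auth>\(authenticated[^)]*\) )?"
    r"by (?P<by>\S+)",
    re.I,
)


def strict_matches(received):
    """True if the reconstructed strict pattern would have fired."""
    return STRICT.search(received) is not None


def parse_sendmail_from(received):
    """Break a Sendmail from-clause into its parts, or None if not Sendmail-shaped."""
    m = RELAXED.match(received)
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),
        "ip": m.group("ip"),
        "may_be_forged": m.group("forged") is not None,
        "authenticated": m.group("auth") is not None,
        "by": m.group("by"),
    }


def counts_as_local_auth(received, trusted_relays):
    """Authentication only counts when the relay that saw it is one we trust.

    trusted_relays is a hypothetical set of relay hostnames standing in for
    SpamAssassin's trusted_networks; a forged HELO is deliberately *not*
    examined here, that is a separate test.
    """
    p = parse_sendmail_from(received)
    return bool(p and p["authenticated"] and p["by"].lower() in trusted_relays)


def compare(samples=SAMPLES):
    """Return {name: (strict_hit, relaxed_authenticated)} for every sample."""
    out = {}
    for name, hdr in samples.items():
        p = parse_sendmail_from(hdr)
        out[name] = (strict_matches(hdr), bool(p and p["authenticated"]))
    return out


if __name__ == "__main__":
    for name, (strict, relaxed) in compare().items():
        print(f"{name:22s} strict={strict!s:5s} relaxed={relaxed}")
```

Running it shows the asymmetry the thread is about: the fixed-IP and
no-reverse-DNS cases are caught by both patterns, the forged-but-unauthenticated
case by neither, and the dynamic "(may be forged))" case only by the tolerant
parser.  Note that the strict form here is a model of the described behaviour,
not SpamAssassin's shipped rule, so check the actual regex in your SA version
before concluding it has the same gap.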