Posted to users@spamassassin.apache.org by Niamh Holding <ni...@fullbore.co.uk> on 2019/06/07 13:19:39 UTC

Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Hello

Since 27/05/19 I've been getting loads of FPs caused by this rule scoring
over 3, earlier in May and before it was scoring 0.0

Anyone know why the score has suddenly rocketed for a rule that doesn't
even have a description?

-- 
Best regards,
 Niamh                          mailto:niamh@fullbore.co.uk


Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by Niamh Holding <ni...@fullbore.co.uk>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello John,

Friday, June 7, 2019, 7:48:57 PM, you wrote:

JH> X-Spam-Relays-External, not Untrusted.

Yes and it will always be the first external Received IP address,
X-Originating-IP: should not be in the chain of external IP addresses.

- --
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iEYEARECAAYFAlz7XAEACgkQjFUB2JvnEPnjKQCgvJxfg+Vrmwssf/YZU3SjugTy
GywAmQFXg2QFHYpvwtddgEqnwL7o49S/
=eL5h
-----END PGP SIGNATURE-----


Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by RW <rw...@googlemail.com>.
On Fri, 7 Jun 2019 11:48:57 -0700 (PDT)
John Hardin wrote:

> On Fri, 7 Jun 2019, Niamh Holding wrote:
> 
> >
> > Hello John,
> >
> > Friday, June 7, 2019, 3:56:03 PM, you wrote:
> >  
> > JH> If you're getting FPs on this, I suggest you review your
> > JH> internal hosts. It looks for reserved IP ranges in external
> > JH> Received headers.  
> >
> > This?
> >
> > *  3.3 FORGED_RELAY_MUA_TO_MX No description available.
> > .
> > X-Spam-Relays-Untrusted: [ ip=162.208.32.167
> > rdns=sv07.members.wayfair.com helo=sv07.members.wayfair.com
> > by=nitrogen.huntingdon.holtain.net ident= envfrom= intl=0 id= auth=
> > msa=0 ] [ ip=162.208.32.167 rdns= helo= by= ident= envfrom= intl=0
> > id= auth= msa=0 ]  
> 
> X-Spam-Relays-External, not Untrusted.

It doesn't make any difference in this case.

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by John Hardin <jh...@impsec.org>.
On Fri, 7 Jun 2019, Niamh Holding wrote:

>
> Hello John,
>
> Friday, June 7, 2019, 3:56:03 PM, you wrote:
>
> JH> If you're getting FPs on this, I suggest you review your internal hosts.
> JH> It looks for reserved IP ranges in external Received headers.
>
> This?
>
> *  3.3 FORGED_RELAY_MUA_TO_MX No description available.
> .
> X-Spam-Relays-Untrusted: [ ip=162.208.32.167 rdns=sv07.members.wayfair.com
>        helo=sv07.members.wayfair.com by=nitrogen.huntingdon.holtain.net ident=
>        envfrom= intl=0 id= auth= msa=0 ] [ ip=162.208.32.167 rdns= helo= by= ident=
>        envfrom= intl=0 id= auth= msa=0 ]

X-Spam-Relays-External, not Untrusted.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The ["assault weapons"] ban is the moral equivalent of banning red
   cars because they look too fast.  -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
  3 days until the 52nd anniversary of Israel's victory in the Six-Day War

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Bill,

Friday, June 7, 2019, 8:17:56 PM, you wrote:

BC> You are free to change this locally. See the documentation of 
BC> originating_ip_headers (perldoc Mail::SpamAssassin::Conf)

I've added-
originating_ip_headers X-Yahoo-Post-IP X-Apparently-From X-SenderIP
to local.cf

However I still think that if X-Originating-IP matches last external then
it should not be added to the received chain.


-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by RW <rw...@googlemail.com>.
On Fri, 07 Jun 2019 15:17:56 -0400
Bill Cole wrote:

> On 7 Jun 2019, at 12:52, Niamh Holding wrote:
> 
> > Hello RW,
> >
> > Friday, June 7, 2019, 5:21:01 PM, you wrote:
> >  
> > R> This is the reason:
> > R>  
> >>> X-Originating-IP: 162.208.32.167  
> >
> >  
> > R> Perhaps the rule should be modified to test for by=\S  
> >
> > It's certainly not a Received: header so should not be checked.  
> 
> You are free to change this locally. See the documentation of 
> originating_ip_headers (perldoc Mail::SpamAssassin::Conf)
> 
> SA uses X-Originating-IP and the other headers specified in 
> originating_ip_headers to synthesize a logical relay event because in 
> many cases that can be an accurate representation of how a message
> was initially submitted to the Internet mail system.

But when a rule is trying to detect a forged received header, it should
take reasonable steps to avoid matching such a relay, which is what I
think she was trying to say. 

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 7 Jun 2019, at 12:52, Niamh Holding wrote:

> Hello RW,
>
> Friday, June 7, 2019, 5:21:01 PM, you wrote:
>
> R> This is the reason:
> R>
>>> X-Originating-IP: 162.208.32.167
>
>
> R> Perhaps the rule should be modified to test for by=\S
>
> It's certainly not a Received: header so should not be checked.

You are free to change this locally. See the documentation of 
originating_ip_headers (perldoc Mail::SpamAssassin::Conf)

SA uses X-Originating-IP and the other headers specified in 
originating_ip_headers to synthesize a logical relay event because in 
many cases that can be an accurate representation of how a message was 
initially submitted to the Internet mail system. Unfortunately, there's 
no specification that defines what exactly X-Originating-IP *means* so 
when it is used in a manner that isn't consistent with the usage in 
common webmail systems, there is a risk of SA misinterpreting it. It 
looks like your own mail server is adding it in this case (because it is 
amidst other headers added during local delivery) so it would make sense 
to remove it from originating_ip_headers locally.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello RW,

Friday, June 7, 2019, 5:21:01 PM, you wrote:

R> This is the reason:
R>  
>> X-Originating-IP: 162.208.32.167


R> Perhaps the rule should be modified to test for by=\S

It's certainly not a Received: header so should not be checked.

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk


Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by RW <rw...@googlemail.com>.
On Fri, 7 Jun 2019 17:00:00 +0100
Niamh Holding wrote:

> Hello RW,
> 
> Friday, June 7, 2019, 4:43:13 PM, you wrote:
> 
> R> This provides the first section of X-Spam-Relays-Untrusted.  
> 
> And there is no other received header with that IP address, so where
> is the second entry coming from?

This is the reason:
 
> X-Originating-IP: 162.208.32.167


Perhaps the rule should be modified to test for by=\S

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello RW,

Friday, June 7, 2019, 4:43:13 PM, you wrote:

R> This provides the first section of X-Spam-Relays-Untrusted.

And there is no other received header with that IP address, so where is
the second entry coming from?

Return-Path: <bo...@members.wayfair.co.uk>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        nitrogen.huntingdon.holtain.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.7 required=4.5 autolearn=ham autolearn_force=no
X-Spam-Report: 
        * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
        *      trust
        *      [162.208.32.167 listed in list.dnswl.org]
        * -3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact
        *      cert-sa@returnpath.net
        *      [Return Path SenderScore Certified {formerly]
        [Bonded Sender} - <http://www.senderscorecertified.com>]
        * -2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact
        *      safe-sa@returnpath.net
        *      [Return Path SenderScore Safe List (formerly]
        [Habeas Safelist) - <http://www.senderscorecertified.com>]
        * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
        *      [score: 0.0000]
        *  3.3 FORGED_RELAY_MUA_TO_MX No description available.
        * -0.0 SPF_PASS SPF: sender matches SPF record
        *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
        *  0.0 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to image area
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
        *       background
        * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
        *       domain
        * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
        *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        *      valid
        * -0.0 T_DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender
X-Spam-Relays-Untrusted: [ ip=162.208.32.167 rdns=sv07.members.wayfair.com
        helo=sv07.members.wayfair.com by=nitrogen.huntingdon.holtain.net ident=
        envfrom= intl=0 id= auth= msa=0 ] [ ip=162.208.32.167 rdns= helo= by= ident=
        envfrom= intl=0 id= auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i: editor@members.wayfair.co.uk
X-Spam-DKIM-d: members.wayfair.co.uk
X-Spam-Bayes: bayes=0.0000, Tokens: new, 61; hammy, 150; neutral, 868; spammy,
        0., ham=(2Fhome, customerservice, wholly, I*:Sale, Methods), spam=()
Delivered-To: niamh.fullbore@nitrogen.huntingdon.holtain.net
Received: (qmail 3836 invoked by uid 1023); 7 Jun 2019 14:05:51 +0100
Delivered-To: niamh.fullbore-niamh@fullbore.co.uk
Received: (qmail 3828 invoked from network); 7 Jun 2019 14:05:51 +0100
DomainKey-Status: no signature
X-DKIM-Originator: editor@members.wayfair.co.uk
X-DKIM-Policy-Detail: dk_sender=accept; dkim_author=accept;
  dkim_ADSP=accept
X-Originating-IP: 162.208.32.167
Received: from sv07.members.wayfair.com (162.208.32.167)
  by nitrogen.huntingdon.holtain.net with AES256-SHA encrypted SMTP; 7 Jun 2019 14:05:51 +0100
Received-SPF: pass (nitrogen.huntingdon.holtain.net: SPF record at members.wayfair.co.uk designates 162.208.32.167 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=pm; d=members.wayfair.co.uk;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
 List-Unsubscribe; i=editor@members.wayfair.co.uk;
 bh=eMGRm3GGD3sMFIP/u3ayv/EgbgLJE6xDWVdAT5UjLEw=;
 b=RJ4qXMF/yGjmLt0RVV0cQcCw2YQLJg3Uxpl8xbHrgj85oqfkLrxbOuKU98qaaucMgNNX9W0NU0iB
   2wjaU8K5o1rys4qYO12n973EgU2WNAO5Je8rLYW4c/s8WnFJmSt8u4cre8675DuiUdAm9RnhWU+7
   RstRDdw0NUC9eI+YUDM=
Received: by sv07.members.wayfair.com id hv9giu2gvtc7 for <ni...@fullbore.co.uk>; Fri, 7 Jun 2019 09:05:44 -0400 (envelope-from <bo...@members.wayfair.co.uk>)
Date: Fri, 7 Jun 2019 09:05:44 -0400 (EDT)
From: Wayfair <ed...@members.wayfair.co.uk>
Reply-To: editor@members.wayfair.co.uk
To: Niamh Holding <ni...@fullbore.co.uk>
Message-ID: <e5...@wayfair.com>
Subject: =?UTF-8?Q?GARDEN_DINING_SET_*sale*._Inst?=
 =?UTF-8?Q?ant_savings,_endless_options_=F0=9F=92=B0?=
MIME-Version: 1.0
Content-Type: multipart/alternative; 
        boundary="----=_Part_2342279_1799557509.1559912744620"
List-Unsubscribe: https://www.wayfair.co.uk/v/account/email_subscriptions/unsubscribe?csnid=7F979CAB-578D-47F9-93BD-6C9F815F878C&_emr=e5f7a667-a805-48d7-8eee-47b2475deaf4&wfdc=fra&refid=MKTEML_19050
x-storeid: 321
x-emailservicetimestamp: 1559912744621
x-mailid: 2568
x-elid: 102
x-job: 2568-102
x-batchid: 2
x-msgid: e5f7a667-a805-48d7-8eee-47b2475deaf4
x-rpcampaign: WF_102_2568_2


-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk


Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by RW <rw...@googlemail.com>.
On Fri, 7 Jun 2019 16:30:58 +0100
Niamh Holding wrote:

> Hello John,
> 
> Friday, June 7, 2019, 3:56:03 PM, you wrote:
> 
> JH> If you're getting FPs on this, I suggest you review your internal
> JH> hosts. It looks for reserved IP ranges in external Received
> JH> headers.  
> 
> This?
> 
> *  3.3 FORGED_RELAY_MUA_TO_MX No description available.
> .
> .
> .
> X-Spam-Relays-Untrusted: [ ip=162.208.32.167
> rdns=sv07.members.wayfair.com helo=sv07.members.wayfair.com
> by=nitrogen.huntingdon.holtain.net ident= envfrom= intl=0 id= auth=
> msa=0 ] [ ip=162.208.32.167 rdns= helo= by= ident= envfrom= intl=0
> id= auth= msa=0 ] .

See my previous description of what the rule does

we have 

[ ip=162.208.32.167 ... ] [ ip=162.208.32.167 ... helo= ]

 


> Received: from sv07.members.wayfair.com (162.208.32.167)
>   by nitrogen.huntingdon.holtain.net with AES256-SHA encrypted SMTP;
> 7 Jun 2019 14:05:51 +0100 .

This provides the first section of X-Spam-Relays-Untrusted.

> Received: by sv07.members.wayfair.com id hv9giu2gvtc7 for
> <ni...@fullbore.co.uk>; Fri, 7 Jun 2019 09:05:44 -0400 (envelope-from
> <bo...@members.wayfair.co.uk>)

This is not the second section, the parser will have skipped it.

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello John,

Friday, June 7, 2019, 3:56:03 PM, you wrote:

JH> If you're getting FPs on this, I suggest you review your internal hosts. 
JH> It looks for reserved IP ranges in external Received headers.

This?

*  3.3 FORGED_RELAY_MUA_TO_MX No description available.
.
.
.
X-Spam-Relays-Untrusted: [ ip=162.208.32.167 rdns=sv07.members.wayfair.com
        helo=sv07.members.wayfair.com by=nitrogen.huntingdon.holtain.net ident=
        envfrom= intl=0 id= auth= msa=0 ] [ ip=162.208.32.167 rdns= helo= by= ident=
        envfrom= intl=0 id= auth= msa=0 ]
.
.
.
Received: from sv07.members.wayfair.com (162.208.32.167)
  by nitrogen.huntingdon.holtain.net with AES256-SHA encrypted SMTP; 7 Jun 2019 14:05:51 +0100
.
.
.
Received: by sv07.members.wayfair.com id hv9giu2gvtc7 for <ni...@fullbore.co.uk>; Fri, 7 Jun 2019 09:05:44 -0400 (envelope-from <bo...@members.wayfair.co.uk>)


-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by RW <rw...@googlemail.com>.
On Fri, 7 Jun 2019 07:56:03 -0700 (PDT)
John Hardin wrote:

> On Fri, 7 Jun 2019, Niamh Holding wrote:
> 
> >
> > Hello
> >
> > Since 27/05/19 I've been getting loads of FPs caused by this rule
> > scoring over 3, earlier in May and before it was scoring 0.0
> >
> > Anyone know why the score has suddenly rocketed for a rule that
> > doesn't even have a description?  
> 
> The standard answer: the masscheck corpus now has spam that hits that 
> rule, and ham that doesn't.
> 
> https://ruleqa.spamassassin.org/20190606-r1860706-n/FORGED_RELAY_MUA_TO_MX/detail
> 
> S/O 0.980, 6k spam hits, 79 ham hits
> 
> If you're getting FPs on this, I suggest you review your internal
> hosts. It looks for reserved IP ranges in external Received headers.


It looks for 

- the first two sections of relays external have the same
  ip=<address> (other than IPv4 localhost) 

- The helo in the second section is missing or a bracketed IP address
  (other than IPv4 localhost or an IPv4 private address) 
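
The following is an added example, not code from this thread or from
SpamAssassin itself. It models the two conditions RW lists above as a
small Python check over the X-Spam-Relays-* pseudo-header format, adds
the by=\S variant RW proposed earlier in the thread, and runs both over
the relay chain from Niamh's message (the Untrusted list, which RW notes
is identical to the External list in this case) plus two constructed
chains. The exact "localhost" and "private" ranges, the TEST-NET
addresses and the .invalid hostnames are this example's assumptions; the
real rule is a regex in the stock ruleset and may differ in detail.

```python
"""Model of the FORGED_RELAY_MUA_TO_MX check as summarised in the thread.

Added example; this is NOT SpamAssassin's own rule definition or its
Received-header parser. It re-implements the two conditions RW lists
(same ip= in the first two relay sections, second helo= missing or a
bracketed public IPv4 address) over the X-Spam-Relays-* pseudo-header
format, plus the by=\\S variant RW proposed, so the false positive from
the thread can be reproduced offline.
"""
import ipaddress
import re

# One relay section looks like "[ ip=... rdns=... helo=... by=... ... ]".
# SpamAssassin puts a space before the closing bracket, which is what lets
# a helo=[1.2.3.4] value be distinguished from the end of a section.
SECTION_RE = re.compile(r"\[ (.*?) \]")
PAIR_RE = re.compile(r"(\w+)=(\S*)")

# Assumed ranges for RW's "IPv4 localhost" and "IPv4 private address".
IPV4_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
IPV4_PRIVATE = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_relays(header_value):
    """Split an X-Spam-Relays-External/-Untrusted value into one dict per relay."""
    flat = " ".join(header_value.split())   # fold continuation lines
    return [dict(PAIR_RE.findall(m.group(1))) for m in SECTION_RE.finditer(flat)]


def _bracketed_ipv4(helo):
    """Return the IPv4 address in a helo like "[203.0.113.10]", else None."""
    if len(helo) < 3 or helo[0] != "[" or helo[-1] != "]":
        return None
    try:
        ip = ipaddress.ip_address(helo[1:-1])
    except ValueError:
        return None
    return ip if ip.version == 4 else None


def forged_relay_mua_to_mx(relays, require_by=False):
    """True when the chain matches the rule as RW describes it.

    require_by=True adds RW's suggested by=\\S test: a second section with an
    empty by= was synthesised from an originating_ip_headers entry such as
    X-Originating-IP rather than parsed from a Received: line, and is ignored.
    """
    if len(relays) < 2:
        return False
    first, second = relays[0], relays[1]
    try:
        ip1 = ipaddress.ip_address(first.get("ip", ""))
        ip2 = ipaddress.ip_address(second.get("ip", ""))
    except ValueError:
        return False
    if ip1 != ip2 or (ip1.version == 4 and ip1 in IPV4_LOOPBACK):
        return False
    if require_by and not second.get("by"):
        return False
    helo = second.get("helo", "")
    if helo == "":
        return True          # helo missing: second condition met
    helo_ip = _bracketed_ipv4(helo)
    if helo_ip is None:
        return False         # a hostname helo does not match
    if helo_ip in IPV4_LOOPBACK or any(helo_ip in n for n in IPV4_PRIVATE):
        return False
    return True


# The relay chain from the message posted in the thread. The second section
# is the one synthesised from X-Originating-IP: same ip=, everything else empty.
FP_FROM_THREAD = """[ ip=162.208.32.167 rdns=sv07.members.wayfair.com
        helo=sv07.members.wayfair.com by=nitrogen.huntingdon.holtain.net ident=
        envfrom= intl=0 id= auth= msa=0 ] [ ip=162.208.32.167 rdns= helo= by= ident=
        envfrom= intl=0 id= auth= msa=0 ]"""

# Constructed chain (TEST-NET addresses, .invalid names): a client HELOs with
# its own bracketed public IP, then the same IP hands the message to the MX.
CONSTRUCTED_FORGED = (
    "[ ip=203.0.113.10 rdns= helo=mail.example.invalid by=mx.example.invalid "
    "ident= envfrom= intl=0 id= auth= msa=0 ] "
    "[ ip=203.0.113.10 rdns= helo=[203.0.113.10] by=mail.example.invalid "
    "ident= envfrom= intl=0 id= auth= msa=0 ]"
)

# Constructed chain whose second helo is an RFC 1918 address, which RW excludes.
CONSTRUCTED_PRIVATE_HELO = CONSTRUCTED_FORGED.replace(
    "helo=[203.0.113.10]", "helo=[192.168.1.5]")


def summarise(header_value):
    """Evaluate one chain both ways; returns (as described, with by=\\S variant)."""
    relays = parse_relays(header_value)
    return (forged_relay_mua_to_mx(relays),
            forged_relay_mua_to_mx(relays, require_by=True))


if __name__ == "__main__":
    for name, value in (("thread FP", FP_FROM_THREAD),
                        ("constructed forged", CONSTRUCTED_FORGED),
                        ("constructed private helo", CONSTRUCTED_PRIVATE_HELO)):
        as_described, with_by = summarise(value)
        print(f"{name}: rule={as_described} with by=\\S={with_by}")
```

Running it shows the point of the thread: the Wayfair chain hits because
the synthesised X-Originating-IP section has the same ip= and an empty
helo=, and it stops hitting once the second section is required to have a
non-empty by=, while the constructed forged chain (a real Received: hop
with a bracketed public IP as helo) still hits under both variants. The
same effect is what removing X-Originating-IP from originating_ip_headers
achieves locally, since then the second section is never created.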

Re: Loads of FPs caused by FORGED_RELAY_MUA_TO_MX

Posted by John Hardin <jh...@impsec.org>.
On Fri, 7 Jun 2019, Niamh Holding wrote:

>
> Hello
>
> Since 27/05/19 I've been getting loads of FPs caused by this rule scoring
> over 3, earlier in May and before it was scoring 0.0
>
> Anyone know why the score has suddenly rocketed for a rule that doesn't
> even have a description?

The standard answer: the masscheck corpus now has spam that hits that 
rule, and ham that doesn't.

https://ruleqa.spamassassin.org/20190606-r1860706-n/FORGED_RELAY_MUA_TO_MX/detail

S/O 0.980, 6k spam hits, 79 ham hits

If you're getting FPs on this, I suggest you review your internal hosts. 
It looks for reserved IP ranges in external Received headers.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
  3 days until the 52nd anniversary of Israel's victory in the Six-Day War