Posted to users@spamassassin.apache.org by Kelly Jones <ke...@gmail.com> on 2006/12/07 05:13:24 UTC

Spamassassin doesn't ding sender for saying "HELO i-am-you"

Spamassassin has lots of tests for fake HELOs. If someone says "HELO
hotmail.com", but isn't connecting from a Hotmail IP address, they
get dinged (spam score is increased).

Recently, someone connected to our server, call it mx.xyz.com, and said
"HELO mx.xyz.com". Spamassassin didn't ding it for doing this.

Is there a ruleset that does this? I realize xyz.com couldn't be
hardcoded (otherwise, it'd be a different ruleset for everyone), but
is there a generic ruleset that uses a function call or something to
figure out your MX server (or the name of the machine spamassassin is
running on) and then ding someone HELO'ing as that?

-- 
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.

Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Bill Landry <bi...@pointshare.com>.
Kelly Jones wrote the following on 12/6/2006 8:13 PM -0800:
> Spamassassin has lots of tests for fake HELOs. If someone says "HELO
> hotmail.com", but isn't connecting from a Hotmail IP address, they
> get dinged (spam score is increased).
>
> Recently, someone connected to our server, call it mx.xyz.com, and said
> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.
>
> Is there a ruleset that does this? I realize xyz.com couldn't be
> hardcoded (otherwise, it'd be a different ruleset for everyone), but
> is there a generic ruleset that uses a function call or something to
> figure out your MX server (or the name of the machine spamassassin is
> running on) and then ding someone HELO'ing as that?

Why even accept their mail deliveries in the first place?  Instead,
simply reject them at your MTA.  Anyone that connects to my MTA and
announces my hostname or IP address to me is immediately rejected with a
perm fail.

If you cannot or do not want to do that, you could do something like
this in SA:

# outermost untrusted relay announced our hostname
header    HELO_I_AM_YOU1  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=host\.example\.com /i
describe  HELO_I_AM_YOU1  Impostor using my hostname
score     HELO_I_AM_YOU1  5.0

# outermost untrusted relay announced our IP address
header    HELO_I_AM_YOU2  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=111\.222\.111\.222 /
describe  HELO_I_AM_YOU2  Impostor using my IP address
score     HELO_I_AM_YOU2  5.0

Bill

Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Ben O'Hara <bo...@gmail.com>.
On 12/7/06, Kelly Jones <ke...@gmail.com> wrote:
> Spamassassin has lots of tests for fake HELOs. If someone says "HELO
> hotmail.com", but isn't connecting from a Hotmail IP address, they
> get dinged (spam score is increased).
>
> Recently, someone connected to our server, call it mx.xyz.com, and said
> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.
>
> Is there a ruleset that does this? I realize xyz.com couldn't be
> hardcoded (otherwise, it'd be a different ruleset for everyone), but
> is there a generic ruleset that uses a function call or something to
> figure out your MX server (or the name of the machine spamassassin is
> running on) and then ding someone HELO'ing as that?
>

Do it at the MTA level, in Exim:

acl_check_helo:
  # reject any client that announces our own interface address or hostname
  deny  condition = ${if or{ { eq{$sender_helo_name}{$interface_address}} \
                             {  eq{$sender_helo_name}{$primary_hostname}} \
                             } {yes}{no}}
        message = REJECTED: Fake HELO/EHLO: $sender_helo_name - That's our address!
  accept

> --
> We're just a Bunch Of Regular Guys, a collective group that's trying
> to understand and assimilate technology. We feel that resistance to
> new ideas and technology is unwise and ultimately futile.
>


-- 
"A scientist will earn a living by taking a really difficult problem
and spending many years solving it; an engineer earns a living by
finding really difficult problems and sidestepping them"

Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Fred T <sp...@freddyt.com>.
Hello Kelly,

Wednesday, December 6, 2006, 11:13:24 PM, you wrote:
> Is there a ruleset that does this? I realize xyz.com couldn't be
> hardcoded (otherwise, it'd be a different ruleset for everyone), but
> is there a generic ruleset that uses a function call or something to
> figure out your MX server (or the name of the machine spamassassin is
> running on) and then ding someone HELO'ing as that?

For all those interested, I opened a ticket for enhancement based on
this idea.  See: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5227

-- 
Best regards,
 Fred                            mailto:spamassassin@freddyt.com


Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Matthias Leisi <ma...@leisi.net>.
Fred T wrote:

> As someone else pointed out, the best bet might be the use of a new
> config item / plugin.  Something like:
> 
> ifplugin mxhelo
> mx_helo_name  mx.host.tld host.tld d.d.d.d
> header    HELO_AS_ME      eval:check_for_my_mx()
> score     HELO_AS_ME      0.1
> endif

Remember to include some of the more obscure cases I've seen in the past
where spams were HELOing with the name or IP address of one of the other
MXes, ie

example.com mail is handled by 10 mx1.example.net
example.com mail is handled by 20 mx2.example.net

And then the spammer does:

| connect() to mx2.example.net
| HELO mx1.example.net

or

| connect() to mx2.example.net
| HELO i.p.a.d.r-of-mx1

or

| connect() to any of the MXes
| HELO example.net (or example.com)

I have cases where a machine legitimately HELOs as "myself"; in my
situation these cases are covered by trusted_networks or
internal_networks. Maybe eval:check_for_my_mx() should consider these
networks (or skip its tests altogether if the connection came from one
of these networks); it may also need an actual exception list
('allowed_helo_as_myself').

-- Matthias


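As an added example, not code from the thread, from SpamAssassin or from any plugin: the check the proposed check_for_my_mx() eval would need, sketched in Python. It parses the outermost relay out of a header in the "[ ip=... helo=... ]" format of the X-Spam-Relays-* pseudo-headers that Bill's rules match against, normalizes the HELO, skips connections from trusted networks as Matthias suggests, and compares against all of the site's MX names, bare domains and addresses so the other-MX cases above are covered. The identities and networks are constructed placeholders.

```python
import ipaddress

# Constructed site identity (assumed values, not from the thread): every MX
# name and address plus the bare domains, covering Matthias's other-MX cases.
MY_IDENTITIES = {"mx1.example.net", "mx2.example.net", "example.net",
                 "example.com", "192.0.2.10", "192.0.2.20"}
# Hosts in these networks may legitimately HELO as us (trusted_networks).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]

def first_relay(relays_header):
    """Parse the first '[ key=value ... ]' entry (outermost host) of an
    X-Spam-Relays-* style header into a dict. A value may itself contain
    brackets (helo=[192.0.2.10]), so only a standalone ']' ends the entry."""
    fields = {}
    tokens = relays_header.split()
    if not tokens or tokens[0] != "[":
        return fields
    for tok in tokens[1:]:
        if tok == "]":
            break
        key, _, value = tok.partition("=")
        if key:
            fields[key] = value
    return fields

def normalize_helo(helo):
    """Lower-case, drop a trailing dot, unwrap [addr] / [IPv6:addr] literals."""
    helo = helo.strip().lower().rstrip(".")
    if helo.startswith("[") and helo.endswith("]"):
        helo = helo[1:-1]
        if helo.startswith("ipv6:"):
            helo = helo[5:]
    return helo

def helo_is_me(relays_header):
    """True when the outermost relay claimed one of our identities and did
    not connect from a trusted network (the proposed check_for_my_mx())."""
    relay = first_relay(relays_header)
    helo = normalize_helo(relay.get("helo", ""))
    if not helo:
        return False
    try:
        ip = ipaddress.ip_address(relay.get("ip", ""))
        if any(ip in net for net in TRUSTED_NETS):
            return False      # our own machine, allowed to HELO as us
    except ValueError:
        pass                  # missing or invalid ip=: treat as untrusted
    return helo in MY_IDENTITIES
```

A real plugin would take the identities and exception list from config keys such as the mx_helo_name line Fred proposes rather than from module constants.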
Re[2]: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Fred T <sp...@freddyt.com>.
Hello Justin,

Thursday, December 7, 2006, 10:11:45 AM, you wrote:

> yeah -- there are any number of ways to do this, if requiring admin
> configuration is OK -- I'm asking for ways we can automatically
> figure it out from SpamAssassin code, without help. ;)

As someone else pointed out, the best bet might be the use of a new
config item / plugin.  Something like:

ifplugin mxhelo
mx_helo_name  mx.host.tld host.tld d.d.d.d
header    HELO_AS_ME      eval:check_for_my_mx()
score     HELO_AS_ME      0.1
endif

I'll create a ticket for enhancement.


-- 
Best regards,
 Fred                            mailto:spamassassin@freddyt.com


Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by "Jack L. Stone" <ja...@sage-american.com>.
On 7 Dec 2006 at 13:21, Justin Mason wrote:

> 
> Kelly Jones writes:
> > Spamassassin has lots of tests for fake HELOs. If someone says
> > "HELO hotmail.com", but isn't connecting from a Hotmail IP
> > address, they get dinged (spam score is increased).
> > 
> > Recently, someone connected to our server, call it mx.xyz.com, and
> > said "HELO mx.xyz.com". Spamassassin didn't ding it for doing
> > this.
> > 
> > Is there a ruleset that does this? I realize xyz.com couldn't
> > be hardcoded (otherwise, it'd be a different ruleset for
> > everyone), but is there a generic ruleset that uses a function
> > call or something to figure out your MX server (or the name of
> > the machine spamassassin is running on) and then ding someone
> > HELO'ing as that?
> 
> This is a great spam-sign alright, but I don't know of a way to
> detect what the local site's HELO is, bar each site writing their
> own rules to do so.
> 
> Bayes does a good job of figuring this out, btw.
> 
> Any suggestions?
> 
> --j.
> 

I use milter-regex as the frontline wall and this regex for 
catching fakers:

## HELO faking my own IP address
tempfail "Malformed HELO (can't be me)"
helo /^70\.86\.37\.82$/

HTH.....




Regards,
Jack L. Stone
System Admin

RE: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Larry Rosenman <le...@lerctr.org>.
John D. Hardin wrote:
> On Wed, 6 Dec 2006, Kelly Jones wrote:
> 
>> Recently, someone connected to our server, call it mx.xyz.com, and said
>> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.
> 
> IMHO this is worthy of a 500 reject at the MTA level. There is NO
> legitimate reason for J. Random User out on the internet to claim his
> MTA is yours.  
> 
> I've posted milter-regex examples that do this here before.

I have the following in my EXIM Rcpt ACL:
---
  # kill off the folks that use OUR ip's in HELO Nice and Early.
  drop   message        = Forged IP detected in HELO: $sender_helo_name
         hosts          = !+relay_from_hosts
         !authenticated = *
         condition      = ${if \
                eq{$sender_helo_name}{$interface_address}{yes}{no}}
  # Forged hostname - HELOs as my own hostname or domain (early as well)
  drop   message        = Forged hostname detected in HELO: $sender_helo_name
         hosts          = !+relay_from_hosts
         !authenticated = *
         condition      = ${lookup {$sender_helo_name} \
                            lsearch{/usr/local/etc/exim/checkfiles/our_host_names} \
                            {yes}{no}}
----
If they try to HELO/EHLO as my IP or host name, we unceremoniously drop the
connection.

Just one other solution to this issue.



-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683             E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893


Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 6 Dec 2006, Kelly Jones wrote:

> Recently, someone connected to our server, call it mx.xyz.com, and said
> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.

IMHO this is worthy of a 500 reject at the MTA level. There is NO
legitimate reason for J. Random User out on the internet to claim his
MTA is yours.

I've posted milter-regex examples that do this here before.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.               -- James Madison, 1799
-----------------------------------------------------------------------
 8 days until Bill of Rights day