Posted to users@spamassassin.apache.org by up...@3.am on 2005/07/19 01:59:30 UTC

False positives "received from localhost"

I've had a couple of these since upgrading to 3.0.4.  Headers with NO IP
address in it, just this:

Received: from localhost by (our server)

I assume that if it's not a bug on my end, some users and/or servers are
sending out from 127.0.0.1, which in turn sets off:

RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL

Strange that qmail would not put an IP address in the received from:
headers, though...

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================


Re: False positives "received from localhost"

Posted by Kelson <ke...@speed.net>.
Matt Kettler wrote:
> SA should ignore 127.0.0.1. However, you might want to double-check to 
> see if your SA box resolves "localhost" as 127.0.0.1 or as some other 
> IP. (I have seen boxes configured to do this...)

There are also some older versions of NSCD that were vulnerable to a 
sort of reverse cache poisoning.  We saw this happen with a Red Hat 7.3 
server a while back.

Sendmail would receive a connection from a server with IP address 
1.2.3.4.  It would then do a reverse DNS lookup.  But whoever set up 
rDNS for 1.2.3.4 had set it to resolve to "localhost".  For some reason 
NSCD would not only cache that result, but it would reverse it on the 
assumption that the resolution was symmetric.  From then on, connections 
to localhost would go to 1.2.3.4 instead of 127.0.0.1.

Unfortunately the last version of NSCD released for Red Hat 7.3 was 
still vulnerable, though Fedora Legacy is preparing an updated package.

May or may not be relevant, but thought I'd pass along the info just in 
case.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: False positives "received from localhost"

Posted by Matt Kettler <mk...@evi-inc.com>.
up@3.am wrote:
> I've had a couple of these since upgrading to 3.0.4.  Headers with NO IP
> address in it, just this:
> 
> Received: from localhost by (our server)
> 
> I assume that if it's not a bug on my end, some users and/or servers are
> sending out from 127.0.0.1, which in turn sets off:
> 
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
> 
> Strange that qmail would not put an IP address in the received from:
> headers, though...

SA should ignore 127.0.0.1. However, you might want to double-check to see if 
your SA box resolves "localhost" as 127.0.0.1 or as some other IP. (I have seen 
boxes configured to do this...)
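
The two checks discussed in this thread, as an added example that is not part of the original posts: confirm that "localhost" resolves only to loopback addresses on the SA box, and accept a reverse-DNS name only when its forward lookup maps back to the connecting IP. The function names and the injectable `forward` resolver are hypothetical, chosen here for illustration.

```python
import ipaddress
import socket

def system_forward(name):
    """Forward lookup through the system resolver (goes via nscd if it is running)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def _ip(addr):
    # Strip an IPv6 zone id such as "%lo0" before parsing.
    return ipaddress.ip_address(addr.split("%")[0])

def non_loopback_localhost(forward=system_forward):
    """Return the addresses "localhost" resolves to that are NOT loopback."""
    return [a for a in sorted(forward("localhost")) if not _ip(a).is_loopback]

def trusted_rdns(peer_ip, ptr_name, forward=system_forward):
    """Forward-confirmed rDNS: trust a PTR name only if it maps back to peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    name = ptr_name.rstrip(".").lower()
    # A remote peer whose PTR claims to be localhost is never trusted.
    if not peer.is_loopback and name in ("localhost", "localhost.localdomain"):
        return False
    return any(_ip(a) == peer for a in forward(name))

if __name__ == "__main__":
    bad = non_loopback_localhost()
    if bad:
        print(f"WARNING: localhost resolves to non-loopback address(es): {bad}")
    else:
        print("localhost resolves to loopback only")
```

Run it on the host where SpamAssassin and the MTA do their lookups, so the result reflects the same resolver path (hosts file, nscd, DNS) that they use.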