Posted to users@spamassassin.apache.org by Clunk Werclick <ma...@googlemail.com> on 2009/09/03 07:19:35 UTC

Rule PTR != localhost

Howdie;

I'm starting to see plenty of these and they are new to us:

zgrep "address not listed" /var/log/mail.info
Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
hostname localhost
dig -x 222.252.239.56

...
;; QUESTION SECTION:
;56.239.252.222.in-addr.arpa. IN PTR

;; ANSWER SECTION:
56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
...

Taking to one side the various RBL's which are catching these, and not
going the whole 'PTR must match' route - would it be practical to craft
a 10 point rule based on PTR = localhost? Is it even possible to build a
rule based upon DNS returns?

Forgive the stupidity of the question, but I'm not sure how to, or even
if it can be implemented?


-- 
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 




Re: Rule PTR != localhost

Posted by Clunk Werclick <ma...@googlemail.com>.
On Thu, 2009-09-03 at 16:00 +0200, Benny Pedersen wrote:
> On Thu 03 Sep 2009 03:05:50 PM CEST, Justin Mason wrote
> > On Thu, Sep 3, 2009 at 12:18, Benny Pedersen<me...@junc.org> wrote:
> >> On Thu 03 Sep 2009 07:19:35 AM CEST, Clunk Werclick wrote
> >>> Forgive the stupidity of the question, but I'm not sure how to, or even
> >>> if it can be implemented?
> >> forgive me, why do you want all that crap into your spamassassin when
> >> postfix can solve it for you without a hick ?
> > Obvious answer: not everyone who uses SA uses postfix.
> 
> correct, but i only know postfix can fight this spam on its own, if
> qmail, exim, sendmail or other mta can do this as well, show me :)
> 
Forgive Benny, he is a bit odd. The ability to sift connecting host by
actual *hostname* (e.g. ptr = LOCALHOST) is native to Postfix 2.6. I
believe it is entirely worthless in the 2.5 production servers many are
running?

Naturally if Benny is able to demonstrate how PTR != 'localhost' in
Postfix 2.5 (with no side effects - just on that one meta) I would be
delighted for him to share it.




Re: Rule PTR != localhost

Posted by Rick Macdougall <ri...@ummm-beer.com>.
Benny Pedersen wrote:
> On Thu 03 Sep 2009 03:05:50 PM CEST, Justin Mason wrote
>> On Thu, Sep 3, 2009 at 12:18, Benny Pedersen<me...@junc.org> wrote:
>>> On Thu 03 Sep 2009 07:19:35 AM CEST, Clunk Werclick wrote
>>>> Forgive the stupidity of the question, but I'm not sure how to, or even
>>>> if it can be implemented?
>>> forgive me, why do you want all that crap into your spamassassin when
>>> postfix can solve it for you without a hick ?
>> Obvious answer: not everyone who uses SA uses postfix.
> 
> correct, but i only know postfix can fight this spam on its own, if
> qmail, exim, sendmail or other mta can do this as well, show me :)
> 

in tcp.smtp (for qmail)

=localhost.:allow,RBLSMTPD="-Reject - resolves to only localhost"

Regards,

Rick


Re: Rule PTR != localhost

Posted by Benny Pedersen <me...@junc.org>.
On Thu 03 Sep 2009 03:05:50 PM CEST, Justin Mason wrote
> On Thu, Sep 3, 2009 at 12:18, Benny Pedersen<me...@junc.org> wrote:
>> On Thu 03 Sep 2009 07:19:35 AM CEST, Clunk Werclick wrote
>>> Forgive the stupidity of the question, but I'm not sure how to, or even
>>> if it can be implemented?
>> forgive me, why do you want all that crap into your spamassassin when
>> postfix can solve it for you without a hick ?
> Obvious answer: not everyone who uses SA uses postfix.

correct, but i only know postfix can fight this spam on its own, if
qmail, exim, sendmail or other mta can do this as well, show me :)

-- 
xpoint


Re: Rule PTR != localhost

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > On Thu 03 Sep 2009 07:19:35 AM CEST, Clunk Werclick wrote
> >> Forgive the stupidity of the question, but I'm not sure how to, or even
> >> if it can be implemented?

> On Thu, Sep 3, 2009 at 12:18, Benny Pedersen<me...@junc.org> wrote:
> > forgive me, why do you want all that crap into your spamassassin when
> > postfix can solve it for you without a hick ?

On 03.09.09 14:05, Justin Mason wrote:
> Obvious answer: not everyone who uses SA uses postfix.

well, this is imho really an MTA business. and other MTAs do support that
too...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 

Re: Rule PTR != localhost

Posted by Mark Martinec <Ma...@ijs.si>.
> > forgive me, why do you want all that crap into your spamassassin when
> > postfix can solve it for you without a hick ?
>
> Obvious answer: not everyone who uses SA uses postfix.

Another slightly less obvious: to let autolearning see what new
crap it has to learn, and/or to check rules effectiveness.

  Mark

Re: Rule PTR != localhost

Posted by Justin Mason <jm...@jmason.org>.
On Thu, Sep 3, 2009 at 12:18, Benny Pedersen<me...@junc.org> wrote:
> On Thu 03 Sep 2009 07:19:35 AM CEST, Clunk Werclick wrote
>
>> Forgive the stupidity of the question, but I'm not sure how to, or even
>> if it can be implemented?
>
> forgive me, why do you want all that crap into your spamassassin when
> postfix can solve it for you without a hick ?

Obvious answer: not everyone who uses SA uses postfix.

-- 
--j.

Re: Rule PTR != localhost

Posted by Benny Pedersen <me...@junc.org>.
On Thu 03 Sep 2009 07:19:35 AM CEST, Clunk Werclick wrote

> Forgive the stupidity of the question, but I'm not sure how to, or even
> if it can be implemented?

forgive me, why do you want all that crap into your spamassassin when  
postfix can solve it for you without a hick ?

-- 
xpoint


Re: Rule PTR != localhost

Posted by Matt Kettler <mk...@verizon.net>.
Clunk Werclick wrote:
> On Thu, 2009-09-03 at 05:23 -0400, Matt Kettler wrote:
>   
>> Clunk Werclick wrote:
>>     
>>> Howdie;
>>>
>>> I'm starting to see plenty of these and they are new to us:
>>>
>>> zgrep "address not listed" /var/log/mail.info
>>> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
>>> hostname localhost
>>> dig -x 222.252.239.56
>>>
>>> ...
>>> ;; QUESTION SECTION:
>>> ;56.239.252.222.in-addr.arpa. IN PTR
>>>
>>> ;; ANSWER SECTION:
>>> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
>>> ...
>>>
>>> Taking to one side the various RBL's which are catching these, and not
>>> going the whole 'PTR must match' route - would it be practical to craft
>>> a 10 point rule based on PTR = localhost? Is it even possible to build a
>>> rule based upon DNS returns?
>>>
>>> Forgive the stupidity of the question, but I'm not sure how to, or even
>>> if it can be implemented?
>>>       
>> Not without writing a plugin. Although if your MTA inserts a "may be
>> forged" note into the Received: headers, SA will pick up on this.
>>
>> Generally speaking, SA does not perform A record lookups of anything
>> that could be spammer-provided, neither hosts in URLs nor Received:
>> hosts. Doing so poses a potential security risk. (NS record queries are
>> performed, but not A).
>>
>> Attack vectors include:
>>
>> 1) malicious insertion of hosts that are slow-to-resolve, forcing a DNS
>> timeout, thus slowing down mail processing. A small flood of such
>> messages (each with different hostnames) could readily occupy all your
>> spamd children. Spamd does not have sufficient cross child co-ordination
>> to implement countermeasures, and anyone using the API or "spamassassin"
>> script would have to roll their own.
>>
>> 2) there is the potential to abuse chosen queries to facilitate DNS
>> cache poisoning attacks, on servers that are vulnerable.
>>     
>
> Thank you Matt. That is a fine quality of answer and makes total sense.
> I had never thought to consider this attack vector. On an SA install
> running hundreds of thousands of messages I could see a significant
> issue if DNS returns ran much past 300ms or so. I am guessing (and I
> have not at all examined the code, nor shall I pretend that I would
> understand it) that there is some kind of sanity check for DNS timeout
> there someplace? Again, potentially a stupid question - but I'm curious
> as to how we would say 'that query has taken too long, I'm out of
> here'. 
>   
AFAIK, all the DNS lookups for a message are subject to the rbl_timeout
code.

See the conf docs:
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html



Re: Rule PTR != localhost

Posted by Clunk Werclick <ma...@googlemail.com>.
On Thu, 2009-09-03 at 05:23 -0400, Matt Kettler wrote:
> Clunk Werclick wrote:
> > Howdie;
> >
> > I'm starting to see plenty of these and they are new to us:
> >
> > zgrep "address not listed" /var/log/mail.info
> > Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> > hostname localhost
> > dig -x 222.252.239.56
> >
> > ...
> > ;; QUESTION SECTION:
> > ;56.239.252.222.in-addr.arpa. IN PTR
> >
> > ;; ANSWER SECTION:
> > 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> > ...
> >
> > Taking to one side the various RBL's which are catching these, and not
> > going the whole 'PTR must match' route - would it be practical to craft
> > a 10 point rule based on PTR = localhost? Is it even possible to build a
> > rule based upon DNS returns?
> >
> > Forgive the stupidity of the question, but I'm not sure how to, or even
> > if it can be implemented?
> Not without writing a plugin. Although if your MTA inserts a "may be
> forged" note into the Received: headers, SA will pick up on this.
> 
> Generally speaking, SA does not perform A record lookups of anything
> that could be spammer-provided, neither hosts in URLs nor Received:
> hosts. Doing so poses a potential security risk. (NS record queries are
> performed, but not A).
> 
> Attack vectors include:
> 
> 1) malicious insertion of hosts that are slow-to-resolve, forcing a DNS
> timeout, thus slowing down mail processing. A small flood of such
> messages (each with different hostnames) could readily occupy all your
> spamd children. Spamd does not have sufficient cross child co-ordination
> to implement countermeasures, and anyone using the API or "spamassassin"
> script would have to roll their own.
> 
> 2) there is the potential to abuse chosen queries to facilitate DNS
> cache poisoning attacks, on servers that are vulnerable.

Thank you Matt. That is a fine quality of answer and makes total sense.
I had never thought to consider this attack vector. On an SA install
running hundreds of thousands of messages I could see a significant
issue if DNS returns ran much past 300ms or so. I am guessing (and I
have not at all examined the code, nor shall I pretend that I would
understand it) that there is some kind of sanity check for DNS timeout
there someplace? Again, potentially a stupid question - but I'm curious
as to how we would say 'that query has taken too long, I'm out of
here'. 




Re: Rule PTR != localhost

Posted by Matt Kettler <mk...@verizon.net>.
Matt Kettler wrote:
> Clunk Werclick wrote:
>   
>> Howdie;
>>
>> I'm starting to see plenty of these and they are new to us:
>>
>> zgrep "address not listed" /var/log/mail.info
>> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
>> hostname localhost
>> dig -x 222.252.239.56
>>
>> ...
>> ;; QUESTION SECTION:
>> ;56.239.252.222.in-addr.arpa. IN PTR
>>
>> ;; ANSWER SECTION:
>> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
>> ...
>>
>> Taking to one side the various RBL's which are catching these, and not
>> going the whole 'PTR must match' route - would it be practical to craft
>> a 10 point rule based on PTR = localhost? Is it even possible to build a
>> rule based upon DNS returns?
>>
>> Forgive the stupidity of the question, but I'm not sure how to, or even
>> if it can be implemented?
>>     
> Not without writing a plugin. Although if your MTA inserts a "may be
> forged" note into the Received: headers, SA will pick up on this.
>   
Correction, SA dropped this rule a LONG time ago in the 2.5x series due
to wild false positives.

The legacy rule from 2.4x

header MAY_BE_FORGED            Received =~ /\(may be forged\)/i
describe MAY_BE_FORGED          'Received:' has 'may be forged' warning
score MAY_BE_FORGED                  0.038


OVERALL%   SPAM% NONSPAM%     S/O    RANK   SCORE  NAME
  2.530    3.757    2.290    0.62    0.34    0.04  MAY_BE_FORGED

0.62  S/O is not so good (ie: 62% of the email matched was spam, but 38%
was nonspam)

>
>
>   


Re: Rule PTR != localhost

Posted by Matt Kettler <mk...@verizon.net>.
Clunk Werclick wrote:
> Howdie;
>
> I'm starting to see plenty of these and they are new to us:
>
> zgrep "address not listed" /var/log/mail.info
> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> hostname localhost
> dig -x 222.252.239.56
>
> ...
> ;; QUESTION SECTION:
> ;56.239.252.222.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> ...
>
> Taking to one side the various RBL's which are catching these, and not
> going the whole 'PTR must match' route - would it be practical to craft
> a 10 point rule based on PTR = localhost? Is it even possible to build a
> rule based upon DNS returns?
>
> Forgive the stupidity of the question, but I'm not sure how to, or even
> if it can be implemented?
Not without writing a plugin. Although if your MTA inserts a "may be
forged" note into the Received: headers, SA will pick up on this.

Generally speaking, SA does not perform A record lookups of anything
that could be spammer-provided, neither hosts in URLs nor Received:
hosts. Doing so poses a potential security risk. (NS record queries are
performed, but not A).

Attack vectors include:

1) malicious insertion of hosts that are slow-to-resolve, forcing a DNS
timeout, thus slowing down mail processing. A small flood of such
messages (each with different hostnames) could readily occupy all your
spamd children. Spamd does not have sufficient cross child co-ordination
to implement countermeasures, and anyone using the API or "spamassassin"
script would have to roll their own.

2) there is the potential to abuse chosen queries to facilitate DNS
cache poisoning attacks, on servers that are vulnerable.






Re: Rule PTR != localhost

Posted by Clunk Werclick <ma...@googlemail.com>.
On Thu, 2009-09-03 at 23:33 +0200, mouss wrote:
> Clunk Werclick a écrit :
> > On Thu, 2009-09-03 at 01:36 -0400, Sahil Tandon wrote:
> >> On Thu, 03 Sep 2009, Clunk Werclick wrote:
> >>
> >>> I'm starting to see plenty of these and they are new to us:
> >>>
> >>> zgrep "address not listed" /var/log/mail.info
> >>> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> >>> hostname localhost
> >>> dig -x 222.252.239.56
> >>>
> >>> ...
> >>> ;; QUESTION SECTION:
> >>> ;56.239.252.222.in-addr.arpa. IN PTR
> >>>
> >>> ;; ANSWER SECTION:
> >>> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> >>> ...
> >>>
> >>> Taking to one side the various RBL's which are catching these, and not
> >>> going the whole 'PTR must match' route - would it be practical to craft
> >>> a 10 point rule based on PTR = localhost? Is it even possible to build a
> >>> rule based upon DNS returns?
> >>>
> >>> Forgive the stupidity of the question, but I'm not sure how to, or even
> >>> if it can be implemented?
> >> If you reject mail that scores >= 10, then you could accomplish this before
> >> mail even gets to SA.  Since you appear to be using Postfix, you could
> >> experiment with check_reverse_client_hostname_access, which is available in
> >> Postfix 2.6 and later.
> > Thank you Sahil. It's a job for Postfix (when I get around to 2.6)
> > because......
> >>   For a general primer on what you can (and cannot) do
> >> with respect to SA rules, the following page might be useful:
> >>
> >>  http://wiki.apache.org/spamassassin/WritingRules
> > .... this gives no hint to crafting rules on DNS status - which is as I
> > thought, hence the question in the first instance.
> >> --
> 
> I think I have posted something on this not too long ago on the postfix
> list.
> 
> 
> check_helo_hostname_access  		hash:/etc/postfix/access_host
> check_reverse_client_hostname_access  	hash:/etc/postfix/access_host
> 
> 
> == access_host:
> localhost	REJECT Bogus PTR
> localdomain	REJECT Bogus PTR
> .localdomain	REJECT Bogus PTR
> .lan		REJECT Bogus PTR
> 
> ....
> 
> 
> 
Thanks. This is the preferred mode of operation. In hindsight I would
rather reject at the MTA level before wasting any clock cycles scanning
it with Spamassassin. I just don't want it picking on all 'bent' ptr
records.




Re: Rule PTR != localhost

Posted by mouss <mo...@ml.netoyen.net>.
LuKreme a écrit :
> On 3-Sep-2009, at 15:33, mouss wrote:
>> check_helo_hostname_access          hash:/etc/postfix/access_host
> 
> I put this in my smtpd_helo_restrictions (with a warn_if_reject for
> right now), but where in the smtpd_recipient_restrictions do you
> recommend putting this?
> 
>> check_reverse_client_hostname_access      hash:/etc/postfix/access_host
> 
> I was thinking about right after permit_sasl_authenticated?
> 

to avoid annoying others, it is preferable to move postfix questions to
the postfix-users list.

anyway:

- many people (including $self) put all anti-spam checks under
smtpd_recipient_restrictions.

- put your restrictions after reject_unauth_destination. there is no
point checking helo or other if it is a relay attempt.



Re: Rule PTR != localhost

Posted by LuKreme <kr...@kreme.com>.
On 3-Sep-2009, at 15:33, mouss wrote:
> check_helo_hostname_access  		hash:/etc/postfix/access_host

I put this in my smtpd_helo_restrictions (with a warn_if_reject for
right now), but where in the smtpd_recipient_restrictions do you
recommend putting this?

> check_reverse_client_hostname_access  	hash:/etc/postfix/access_host

I was thinking about right after permit_sasl_authenticated?

-- 
The Germans wore gray, you wore blue.


Re: Rule PTR != localhost

Posted by mouss <mo...@ml.netoyen.net>.
Clunk Werclick a écrit :
> On Thu, 2009-09-03 at 01:36 -0400, Sahil Tandon wrote:
>> On Thu, 03 Sep 2009, Clunk Werclick wrote:
>>
>>> I'm starting to see plenty of these and they are new to us:
>>>
>>> zgrep "address not listed" /var/log/mail.info
>>> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
>>> hostname localhost
>>> dig -x 222.252.239.56
>>>
>>> ...
>>> ;; QUESTION SECTION:
>>> ;56.239.252.222.in-addr.arpa. IN PTR
>>>
>>> ;; ANSWER SECTION:
>>> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
>>> ...
>>>
>>> Taking to one side the various RBL's which are catching these, and not
>>> going the whole 'PTR must match' route - would it be practical to craft
>>> a 10 point rule based on PTR = localhost? Is it even possible to build a
>>> rule based upon DNS returns?
>>>
>>> Forgive the stupidity of the question, but I'm not sure how to, or even
>>> if it can be implemented?
>> If you reject mail that scores >= 10, then you could accomplish this before
>> mail even gets to SA.  Since you appear to be using Postfix, you could
>> experiment with check_reverse_client_hostname_access, which is available in
>> Postfix 2.6 and later.
> Thank you Sahil. It's a job for Postfix (when I get around to 2.6)
> because......
>>   For a general primer on what you can (and cannot) do
>> with respect to SA rules, the following page might be useful:
>>
>>  http://wiki.apache.org/spamassassin/WritingRules
> .... this gives no hint to crafting rules on DNS status - which is as I
> thought, hence the question in the first instance.
>> --

I think I have posted something on this not too long ago on the postfix
list.


check_helo_hostname_access  		hash:/etc/postfix/access_host
check_reverse_client_hostname_access  	hash:/etc/postfix/access_host


== access_host:
localhost	REJECT Bogus PTR
localdomain	REJECT Bogus PTR
.localdomain	REJECT Bogus PTR
.lan		REJECT Bogus PTR

....
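As an added illustration (not from mouss's post and not Postfix code), this Python model follows the access(5) lookup order that check_helo_hostname_access and check_reverse_client_hostname_access apply to a HELO name or reverse client name, run against the table posted above. The host names other than those in the table are constructed; the parent-domain behaviour is my reading of access(5).

```python
# Model of a Postfix access(5) host-name lookup, written for this
# illustration from the access(5) man page; it is not Postfix's own code.
# The table is a constructed copy of the /etc/postfix/access_host posted
# in the thread.
ACCESS_HOST = """\
# constructed copy of the thread's access_host table
localhost\tREJECT Bogus PTR
localdomain\tREJECT Bogus PTR
.localdomain\tREJECT Bogus PTR
.lan\t\tREJECT Bogus PTR
"""


def parse_access_table(text):
    """'key<whitespace>action' lines into a dict; comments and blanks skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action
    return table


def lookup_keys(hostname, parent_matches_subdomains=True):
    """Keys tried, in order, for one host name.

    access(5): "domain.tld" also matches subdomains only when smtpd_access_maps
    is listed in parent_domain_matches_subdomains (the Postfix default);
    ".domain.tld" matches subdomains only when it is NOT listed. So parent
    domains are tried either without or with the leading dot, never both.
    """
    name = hostname.lower().rstrip(".")  # HELO names may carry a trailing dot
    keys = [name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def check_hostname_access(hostname, table, parent_matches_subdomains=True):
    """First matching action, or None (Postfix DUNNO: next restriction)."""
    for key in lookup_keys(hostname, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None


def evaluate_cases():
    """Each constructed name under (default style, dotted style)."""
    table = parse_access_table(ACCESS_HOST)
    names = ["localhost", "localhost.localdomain", "desktop.lan",
             "localhost.example.com", "mail.example.com"]
    return {n: (check_hostname_access(n, table, True),
                check_hostname_access(n, table, False)) for n in names}


if __name__ == "__main__":
    for name, (default_style, dotted_style) in evaluate_cases().items():
        print(f"{name:24s} default={default_style!r:20s} dotted={dotted_style!r}")
```

In this model the `.lan` line is consulted only when smtpd_access_maps is absent from parent_domain_matches_subdomains; under the Postfix default the key tried for desktop.lan is `lan`, which is why carrying both `localdomain` and `.localdomain` covers either setting while `.lan` alone does not.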




Re: Rule PTR != localhost

Posted by Clunk Werclick <ma...@googlemail.com>.
On Thu, 2009-09-03 at 01:36 -0400, Sahil Tandon wrote:
> On Thu, 03 Sep 2009, Clunk Werclick wrote:
> 
> > I'm starting to see plenty of these and they are new to us:
> > 
> > zgrep "address not listed" /var/log/mail.info
> > Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> > hostname localhost
> > dig -x 222.252.239.56
> > 
> > ...
> > ;; QUESTION SECTION:
> > ;56.239.252.222.in-addr.arpa. IN PTR
> > 
> > ;; ANSWER SECTION:
> > 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> > ...
> > 
> > Taking to one side the various RBL's which are catching these, and not
> > going the whole 'PTR must match' route - would it be practical to craft
> > a 10 point rule based on PTR = localhost? Is it even possible to build a
> > rule based upon DNS returns?
> > 
> > Forgive the stupidity of the question, but I'm not sure how to, or even
> > if it can be implemented?
> 
> If you reject mail that scores >= 10, then you could accomplish this before
> mail even gets to SA.  Since you appear to be using Postfix, you could
> experiment with check_reverse_client_hostname_access, which is available in
> Postfix 2.6 and later.
Thank you Sahil. It's a job for Postfix (when I get around to 2.6)
because......
>   For a general primer on what you can (and cannot) do
> with respect to SA rules, the following page might be useful:
> 
>  http://wiki.apache.org/spamassassin/WritingRules
.... this gives no hint to crafting rules on DNS status - which is as I
thought, hence the question in the first instance.
> 
> --
> Sahil Tandon <sa...@tandon.net>




Re: Rule PTR != localhost

Posted by Sahil Tandon <sa...@tandon.net>.
On Thu, 03 Sep 2009, Clunk Werclick wrote:

> I'm starting to see plenty of these and they are new to us:
> 
> zgrep "address not listed" /var/log/mail.info
> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> hostname localhost
> dig -x 222.252.239.56
> 
> ...
> ;; QUESTION SECTION:
> ;56.239.252.222.in-addr.arpa. IN PTR
> 
> ;; ANSWER SECTION:
> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> ...
> 
> Taking to one side the various RBL's which are catching these, and not
> going the whole 'PTR must match' route - would it be practical to craft
> a 10 point rule based on PTR = localhost? Is it even possible to build a
> rule based upon DNS returns?
> 
> Forgive the stupidity of the question, but I'm not sure how to, or even
> if it can be implemented?

If you reject mail that scores >= 10, then you could accomplish this before
mail even gets to SA.  Since you appear to be using Postfix, you could
experiment with check_reverse_client_hostname_access, which is available in
Postfix 2.6 and later.  For a general primer on what you can (and cannot) do
with respect to SA rules, the following page might be useful:

 http://wiki.apache.org/spamassassin/WritingRules

--
Sahil Tandon <sa...@tandon.net>

Re: Rule PTR != localhost

Posted by LuKreme <kr...@kreme.com>.
On 3-Sep-2009, at 10:00, Clunk Werclick wrote:
> On Thu, 2009-09-03 at 09:46 -0600, LuKreme wrote:
>> I believe the directive in postfix is reject_unknown_client_hostname.
> As I understand it, this will not implicitly block PTR = 'localhost'
> whilst leaving others alone. It may be possible in 2.6?? but I'm not
> sure.

Well, it will block PTRs that are unknown too. That's a good thing, I
think.

But I am still not positive that's the right directive for the  
localhost issue, so don't quote me on that.


-- 
Strange things are afoot at the Circle K


Re: Rule PTR != localhost

Posted by Sahil Tandon <sa...@tandon.net>.
On Thu, 03 Sep 2009, John Hardin wrote:

> On Thu, 3 Sep 2009, John Hardin wrote:
>
>> header    RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[  
>> ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
>> describe  RDNS_LOCALHOST  Sender's public rDNS is "localhost"
>>
>> It should be in the 3.3.0 release if I understand the autopublication  
>> process.
>
> ...or at least it was making the cut a week or so back. :(

s/(/)/ :-)

--
Sahil Tandon <sa...@tandon.net>

Re: Rule PTR != localhost

Posted by John Hardin <jh...@impsec.org>.
On Thu, 3 Sep 2009, John Hardin wrote:

> header    RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ 
> ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
> describe  RDNS_LOCALHOST  Sender's public rDNS is "localhost"
>
> It should be in the 3.3.0 release if I understand the autopublication 
> process.

...or at least it was making the cut a week or so back. :(

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   End users want eye candy and the "ooo's and aaaahhh's" experience
   when reading mail. To them email isn't a tool, but an entertainment
   form.                                                 -- Steve Lake
-----------------------------------------------------------------------
  14 days until the 222nd anniversary of the signing of the U.S. Constitution

Re: Rule PTR != localhost

Posted by John Hardin <jh...@impsec.org>.
On Thu, 3 Sep 2009, Sahil Tandon wrote:

> # Warning: UNTESTED!
> header   LOCAL_RDNS  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=localhost /i
> describe LOCAL_RDNS  bogus localhost rDNS
> score    LOCAL_RDNS  10.0

Already in the sandbox at 
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?view=log

header    RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe  RDNS_LOCALHOST  Sender's public rDNS is "localhost"

It should be in the 3.3.0 release if I understand the autopublication 
process.


Re: Rule PTR != localhost

Posted by Sahil Tandon <sa...@tandon.net>.
On Thu, 03 Sep 2009, Clunk Werclick wrote:

> On Thu, 2009-09-03 at 09:46 -0600, LuKreme wrote:
> > On 2-Sep-2009, at 23:19, Clunk Werclick wrote:
> > > zgrep "address not listed" /var/log/mail.info
> > > Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> > > hostname localhost
> > > dig -x 222.252.239.56
> > >
> > > ...
> > > ;; QUESTION SECTION:
> > > ;56.239.252.222.in-addr.arpa. IN PTR
> > >
> > > ;; ANSWER SECTION:
> > > 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> > > ...
> > 
> > This sort of BS is best dealt with in your MTA, not in SpamAssassin.
> > 
> Sure, I just posed the question out of curiosity - not to start a war.

No war!  Your question is completely legitimate.  I simply noticed you were
using Postfix and offered an MTA solution in case you were using 2.6.
Nothing in my message suggested that Postfix "is the only MTA out there".

> > I believe the directive in postfix is reject_unknown_client_hostname.
> As I understand it, this will not implicitly block PTR = 'localhost'
> whilst leaving others alone. It may be possible in 2.6?? but I'm not
> sure.

reject_unknown_client_hostname will reject when rDNS = localhost, but that
restriction also has other implications.  Make sure they are right for you;
don't feel you have to use something just because of LuKreme's advocacy.

As for doing this in SA, I hope one of the gurus can offer a solution.  But
from a quick scan of these[1][2] pages, some variant of the following might
suffice:

 # Warning: UNTESTED!
 header   LOCAL_RDNS  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=localhost /i
 describe LOCAL_RDNS  bogus localhost rDNS
 score    LOCAL_RDNS  10.0

[1] http://wiki.apache.org/spamassassin/WritingRules
[2] http://wiki.apache.org/spamassassin/TrustedRelays

--
Sahil Tandon <sa...@tandon.net> 
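As an added example (not from Sahil's or John Hardin's posts, and not SpamAssassin code), the two regexes quoted in this thread, John's RDNS_LOCALHOST and Sahil's untested LOCAL_RDNS draft, run in Python against constructed X-Spam-Relays-* pseudo-header values, so the effect of the `(?!127)` guard, the `.localdomain` alternative and the `^` anchor can be seen side by side. Host names and addresses other than the thread's 222.252.239.56 are constructed (RFC 5737 ranges), as is the queue id.

```python
import re


# One relay descriptor in the X-Spam-Relays-* pseudo-header syntax that
# SpamAssassin exposes to header rules; the relay that connected to the
# trusted boundary is listed first. Sample values are constructed and
# "CONSTRUCTED" stands in for a real queue id.
def relay(ip, rdns, helo="localhost", by="mx.example.net"):
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} "
            "ident= envfrom= intl=0 id=CONSTRUCTED auth= msa=0 ]")


# John Hardin's sandbox rule as quoted in the thread: first external relay,
# non-127 IPv4 address, rDNS exactly "localhost" or "localhost.localdomain".
RDNS_LOCALHOST = re.compile(
    r"^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? ", re.I)

# Sahil Tandon's untested draft as quoted: first relay, rDNS exactly
# "localhost", no condition on the address.
LOCAL_RDNS = re.compile(r"^[^\]]+ rdns=localhost ", re.I)


def evaluate(relays_header):
    """Which of the two rules would fire on this pseudo-header value."""
    return {
        "RDNS_LOCALHOST": bool(RDNS_LOCALHOST.search(relays_header)),
        "LOCAL_RDNS": bool(LOCAL_RDNS.search(relays_header)),
    }


CASES = {
    # The thread's case: a public address whose PTR is "localhost."
    "thread_case": relay("222.252.239.56", "localhost"),
    # Variant John's rule also covers; Sahil's needs a space straight
    # after "localhost", so it misses this one
    "localdomain": relay("222.252.239.56", "localhost.localdomain"),
    # Both rules are case-insensitive (/i)
    "uppercase": relay("222.252.239.56", "LOCALHOST"),
    # Loopback client: the (?!127) guard suppresses John's rule only
    "loopback": relay("127.0.0.1", "localhost"),
    # A real name that merely begins with "localhost": neither fires
    "legit_prefix": relay("198.51.100.7", "localhost.example.com",
                          helo="localhost.example.com"),
    # A normal MX connected to us; the localhost PTR belongs to an earlier
    # hop, which the ^ anchor deliberately ignores
    "second_hop": relay("198.51.100.7", "mx.example.org", helo="mx.example.org")
                  + " " + relay("222.252.239.56", "localhost"),
}


def run_all():
    """Evaluate every constructed case; the checks below assert on this."""
    return {name: evaluate(header) for name, header in CASES.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        fired = [rule for rule, hit in hits.items() if hit] or ["(none)"]
        print(f"{name:13s} -> {', '.join(fired)}")
```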


Re: Rule PTR != localhost

Posted by Clunk Werclick <ma...@googlemail.com>.
On Thu, 2009-09-03 at 09:46 -0600, LuKreme wrote:
> On 2-Sep-2009, at 23:19, Clunk Werclick wrote:
> > zgrep "address not listed" /var/log/mail.info
> > Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> > hostname localhost
> > dig -x 222.252.239.56
> >
> > ...
> > ;; QUESTION SECTION:
> > ;56.239.252.222.in-addr.arpa. IN PTR
> >
> > ;; ANSWER SECTION:
> > 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> > ...
> 
> This sort of BS is best dealt with in your MTA, not in SpamAssassin.
> 
Sure, I just posed the question out of curiosity - not to start a war.
> I believe the directive in postfix is reject_unknown_client_hostname.
As I understand it, this will not implicitly block PTR = 'localhost'
whilst leaving others alone. It may be possible in 2.6?? but I'm not
sure.




Re: Rule PTR != localhost

Posted by LuKreme <kr...@kreme.com>.
On 2-Sep-2009, at 23:19, Clunk Werclick wrote:
> zgrep "address not listed" /var/log/mail.info
> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> hostname localhost
> dig -x 222.252.239.56
>
> ...
> ;; QUESTION SECTION:
> ;56.239.252.222.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> ...

This sort of BS is best dealt with in your MTA, not in SpamAssassin.

I believe the directive in postfix is reject_unknown_client_hostname.

-- 
Nothing gold can stay -- Robert Frost
Stay gold -- Johnny Cade


Re: Rule PTR != localhost

Posted by John Hardin <jh...@impsec.org>.
On Thu, 3 Sep 2009, Clunk Werclick wrote:

> zgrep "address not listed" /var/log/mail.info
> Sep  3 05:26:59 ....: warning: 222.252.239.56: address not listed for
> hostname localhost
> dig -x 222.252.239.56
>
> ...
> ;; QUESTION SECTION:
> ;56.239.252.222.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
> ...
>
> Taking to one side the various RBL's which are catching these, and not
> going the whole 'PTR must match' route - would it be practical to craft
> a 10 point rule based on PTR = localhost? Is it even possible to build a
> rule based upon DNS returns?

I have a rule like that in my sandbox. It's doing fairly well.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...to announce there must be no criticism of the President or to
   stand by the President right or wrong is not only unpatriotic and
   servile, but is morally treasonous to the American public.
                                           -- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
  14 days until the 222nd anniversary of the signing of the U.S. Constitution