Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2011/03/25 01:44:54 UTC

Amazon S3 triggering FPs with SPOOF_COM* rules

Hi there

Apparently when you use sharethis.com (who use S3 for hosting services)
to send out links, the links look like

hXXp://img.sharethis.com *DOT* s3.amazonaws.com

I imagine from this that ANY .com domain using Amazon S3 services would
create similar URLs?

This causes SPOOF_COM* rules to trigger

        *  3.0 SPOOF_COM2OTH URI: URI contains ".com" in middle
        *  1.6 SPOOF_COM2COM URI: URI contains ".com" in middle and end

Owch. So there's a big class of FPs happening there, and I'd say there's
redundancy in those rules? i.e. is 4.6 really an appropriate score for
*one* img link?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Amazon S3 triggering FPs with SPOOF_COM* rules

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/24/11 8:44 PM, Jason Haar wrote:
> Hi there
>
> Apparently when you use sharethis.com (who use S3 for hosting services)
> to send out links, the links look like
>
> hXXp://img.sharethis.com *DOT* s3.amazonaws.com
>
> I imagine from this that ANY .com domain using Amazon S3 services would
> create similar URLs?
>
> This causes SPOOF_COM* rules to trigger
I agree, that's a pretty hefty score.  Internally, for our hosted 
clients, we use domain (dot) com ionspam net which looks like it would 
trigger the 3.0 'oth' score.

Not sure if this is new. I have had no reports of any issues when we 
communicate with our clients about setups on their virtual servers.

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine


Re: Amazon S3 triggering FPs with SPOOF_COM* rules

Posted by Adam Katz <an...@khopis.com>.
On 03/24/2011 05:44 PM, Jason Haar wrote:
> Apparently when you use sharethis.com (who use S3 for hosting services)
> to send out links, the links look like
> 
> hXXp://img.sharethis.com *DOT* s3.amazonaws.com
> 
> I imagine from this that ANY .com domain using Amazon S3 services would
> create similar URLs?
> 
> This causes SPOOF_COM* rules to trigger
> 
>         *  3.0 SPOOF_COM2OTH URI: URI contains ".com" in middle
>         *  1.6 SPOOF_COM2COM URI: URI contains ".com" in middle and end
> 
> Owch. So there's a big class of FPs happening there, and I'd say there's
> redundancy in those rules? i.e. is 4.6 really an appropriate score for
> *one* img link?

Not necessarily a perfect fix, but I've checked in r1096851 which
specifically excludes S3 from these rules.  Note that most CDNs are .net
(like Coral CDN, e.g. www.spamassassin.org.nyud.net) and therefore won't
hit _COM2COM.  Coral doesn't tack on enough subdomain levels to trigger
COM2OTH.

There's still the issue of perhaps wanting these rules to be mutually
exclusive.  Maybe SPOOF_COM2OTH, which is currently (with my edit):

m{^https?://(?:\w+\.)+?com\.(?!s3\.amazonaws\.com)(?:\w+\.){2}}i

Should become this:

m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}?(?!com\b)}i

(Oops, the other rules should be com\b too.  Checked in as r1096857.)
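As an added example (not from the thread or from the SpamAssassin rules files), the two SPOOF_COM2OTH patterns quoted above, transcribed from Perl m{...}i into Python's re, are run against a few constructed URIs; the hostnames other than the ones mentioned in the thread are made up. It shows which URIs each variant fires on, including the S3 link and a host that ends in .com, where the proposed lookahead makes COM2OTH stand down so it no longer stacks with COM2COM.

```python
import re

# Both SPOOF_COM2OTH variants quoted in the thread, transcribed from Perl
# m{...}i into Python's re (the pattern bodies are unchanged).
CURRENT_COM2OTH = re.compile(
    r"^https?://(?:\w+\.)+?com\.(?!s3\.amazonaws\.com)(?:\w+\.){2}", re.I)
PROPOSED_COM2OTH = re.compile(
    r"^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}?(?!com\b)", re.I)


def com2oth_hits(uri):
    """Return (current_matches, proposed_matches) for one URI."""
    return (bool(CURRENT_COM2OTH.search(uri)),
            bool(PROPOSED_COM2OTH.search(uri)))


# Constructed sample URIs; hosts not named in the thread are invented.
SAMPLES = {
    # The sharethis.com-on-S3 link from the original report.
    "s3_hosted": "http://img.sharethis.com.s3.amazonaws.com/pic.png",
    # Coral CDN style link from the reply: no ".com." label at all.
    "coral_cdn": "http://www.spamassassin.org.nyud.net/",
    # ".com" buried in the middle, host ends in another TLD.
    "com_then_net": "http://www.example.com.foo.bar.net/",
    # ".com" in the middle AND at the end: the current pattern fires here
    # (stacking with COM2COM); the proposed lookahead makes it stand down.
    "com_then_com": "http://www.example.com.foo.bar.com/",
    # Deeper host: the lookahead only inspects the label right after the
    # two-label minimum, so the proposed pattern still fires on this one.
    "com_deep_com": "http://www.example.com.a.b.c.com/",
}


def run_samples():
    """Map each sample name to its (current, proposed) match result."""
    return {name: com2oth_hits(uri) for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cur, new) in run_samples().items():
        print(f"{name:14s} current={cur!s:5} proposed={new!s:5}")
```

The last sample shows the limit of the proposed lookahead: once more than two labels separate the inner .com from a trailing .com, both variants match again, so the two rules are still not strictly mutually exclusive.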