Posted to users@spamassassin.apache.org by Sebastian Arcus <s....@open-t.co.uk> on 2018/07/29 10:17:07 UTC

Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

I've been having a number of emails recently from Yahoo and AOL senders 
hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is 
going on:

1. First off, the rule hits on the EHLO line - which means that it is an 
authenticated SMTP submission. Is the correct HELO format important when 
the client actually does authenticated SMTP? After all, if it is EHLO, 
it probably is an MUA, which can't be expected to have proper DNS etc.

2. Or maybe this is caused by Yahoo's end - in which case would some 
sort of exception be a good idea?

Or maybe I am misunderstanding completely what is going on? I've 
uploaded a set of headers here: https://pastebin.com/KDV1f0wW

Thank you for any useful hints.

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 29/07/18 14:36, Matus UHLAR - fantomas wrote:
>>> On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote:
>>>> I've been having a number of emails recently from Yahoo and AOL senders
>>>> hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is
>>>> going on:
>>>>
>>>> 1. First off, the rule hits on the EHLO line - which means the it is an
>>>> authenticated SMTP submission.
> 
>> On 29/07/18 11:28, Antony Stone wrote:
>>> Er, what?
>>>
>>> No, EHLO simply means "Hello, I'm capable of doing ESMTP".
> 
> On 29.07.18 12:29, Sebastian Arcus wrote:
>> Looking again at it - the 82.132.242.82 is registered as O2/Telefonica 
>> wireless broadband. I wonder if this is a 3G/4G connection - which in 
>> UK always has a private IP address - at the mobile phone level. Maybe 
>> that's why the confusion - the MUA on the mobile phone thinks it is 
>> 10.7.54.227 (which it is), but the Yahoo server can only see the 
>> public IP 80.132.242.82, which belongs to the O2 gateway. Could that 
>> explain that particular header?
> 
> it does.
> Received: from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])
>           by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 84be422cfd662692400891131b957bd8
>           for <de...@mydomain.co.uk>;
>           Mon, 23 Jul 2018 13:59:41 +0000 (UTC)
> 
> Looking at /usr/share/perl5/Mail/SpamAssassin/Plugin/RelayEval.pm
> I guess it should not match:
> 
>   my $rcvd = $pms->{relays_untrusted_str};
> 
>   if ($rcvd) {
>     my $IP_ADDRESS = IPV4_ADDRESS;
>     my $IP_PRIVATE = IP_PRIVATE;
>     local $1;
>     if ($rcvd =~ /\bhelo=($IP_ADDRESS)(?=[\000-\040,;\[()<>]|\z)/i  # Bug 5878
>         && $1 !~ /$IP_PRIVATE/) {
>       return 1;
>     }
> 
> but maybe I read wrong. Which SA version do you have?

I have:

# spamassassin --version
SpamAssassin version 4.0.0-r1823176
   running on Perl version 5.26.2


Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote:
>>>I've been having a number of emails recently from Yahoo and AOL senders
>>>hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is
>>>going on:
>>>
>>>1. First off, the rule hits on the EHLO line - which means the it is an
>>>authenticated SMTP submission.

>On 29/07/18 11:28, Antony Stone wrote:
>>Er, what?
>>
>>No, EHLO simply means "Hello, I'm capable of doing ESMTP".

On 29.07.18 12:29, Sebastian Arcus wrote:
>Looking again at it - the 82.132.242.82 is registered as O2/Telefonica 
>wireless broadband. I wonder if this is a 3G/4G connection - which in 
>UK always has a private IP address - at the mobile phone level. Maybe 
>that's why the confusion - the MUA on the mobile phone thinks it is 
>10.7.54.227 (which it is), but the Yahoo server can only see the 
>public IP 80.132.242.82, which belongs to the O2 gateway. Could that 
>explain that particular header?

it does. 

Received: from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])
          by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 84be422cfd662692400891131b957bd8
          for <de...@mydomain.co.uk>;
          Mon, 23 Jul 2018 13:59:41 +0000 (UTC)

Looking at /usr/share/perl5/Mail/SpamAssassin/Plugin/RelayEval.pm
I guess it should not match:

  my $rcvd = $pms->{relays_untrusted_str};
  
  if ($rcvd) {
    my $IP_ADDRESS = IPV4_ADDRESS;
    my $IP_PRIVATE = IP_PRIVATE;
    local $1;
    if ($rcvd =~ /\bhelo=($IP_ADDRESS)(?=[\000-\040,;\[()<>]|\z)/i  # Bug 5878
        && $1 !~ /$IP_PRIVATE/) {
      return 1;
    }

but maybe I read wrong. Which SA version do you have?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 29/07/18 11:28, Antony Stone wrote:
> On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote:
> 
>> I've been having a number of emails recently from Yahoo and AOL senders
>> hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is
>> going on:
>>
>> 1. First off, the rule hits on the EHLO line - which means the it is an
>> authenticated SMTP submission.
> 
> Er, what?
> 
> No, EHLO simply means "Hello, I'm capable of doing ESMTP".

Thank you - I clearly got that one wrong.

Looking again at it - the 82.132.242.82 is registered as O2/Telefonica 
wireless broadband. I wonder if this is a 3G/4G connection - which in UK 
always has a private IP address - at the mobile phone level. Maybe 
that's why the confusion - the MUA on the mobile phone thinks it is 
10.7.54.227 (which it is), but the Yahoo server can only see the public 
IP 80.132.242.82, which belongs to the O2 gateway. Could that explain 
that particular header?

>> After all, if it is EHLO, it probably is an MUA,
>
> No; MTAs also speak E/SMTP to each other, and some of those Received headers
> indicating handover of the mail from one server to another will contain the
> HELO or EHLO greetings.
>
>> 2. Or maybe this is caused by Yahoo's end - in which case would some
>> sort of exception be a good idea?
>
> Yes, I would do that.
>
>> Or maybe I am misunderstanding completely what is going on? I've
>> uploaded a set of headers here: https://pastebin.com/KDV1f0wW
>
> Given that the example you've posted is from a machine with a public IP
> 82.132.242.82, but thinks it has a private IP 10.7.54.227, I'm not entirely
> surprised there is no rDNS set up for the private address.

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Sun, 29 Jul 2018 12:28:08 +0200
>Antony Stone wrote:
>
>> On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet another
>> email that's guaranteed to fail DMARC with a reject when posted
>> through a mailing list, and consequently I didn't receive:
>
>
>> > Or maybe I am misunderstanding completely what is going on? I've
>> > uploaded a set of headers here: https://pastebin.com/KDV1f0wW
>>
>> Given that the example you've posted is from a machine with a public
>> IP 82.132.242.82, but thinks it has a private IP 10.7.54.227, I'm not
>> entirely surprised there is no rDNS set up for the private address.

On 29.07.18 18:33, RW wrote:
>This is the header:
>
>Received: from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])
>          by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with
>          ESMTPA ID 84be422cfd662692400891131b957bd8 for
>          <de...@mydomain.co.uk>; Mon, 23 Jul 2018
>          13:59:41 +0000 (UTC)
>
>I'm not completely certain what this received header format is
>supposed to represent, but SA parses the first field, 82.132.242.82, as
>the EHLO/HELO.

If this is true, this should be the problem. The ehlo here is clearly
[10.7.54.227] and 82.132.242.82 is the (missing) rdns, as seen when you compare
to another header you have posted. That would indicate a bug in the header
parsing code.

>Received: from ip70-189-131-151.lv.lv.cox.net (EHLO [192.168.0.105])
>         ([70.189.131.151]) ...


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 29/07/18 19:21, RW wrote:
> On Sun, 29 Jul 2018 19:00:56 +0100
> Dominic Raferd wrote:
> 
>> On Sun, 29 Jul 2018 at 18:33, RW <rw...@googlemail.com> wrote:
>>
>>> On Sun, 29 Jul 2018 12:28:08 +0200
>>> Antony Stone wrote:
>>>   
>>>> On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet
>>>> another email that's guaranteed to fail DMARC with a reject when
>>>> posted through a mailing list, and consequently I didn't
>>>> receive:
>>> ...
>>>   
>>
>> Ditto, and I haven't received (and won't receive) any of his
>> subsequent postings either (opendmarc is - quite rightly - blocking
>> them). More strangely, I didn't receive this message (above) except
>> apparently when quoted in reply by RW. Note to OP: when posting to
>> mailing lists, use a domain that does not have DMARC with p=reject
>> (and preferably not p=quarantine either).
> 
> Actually it's worse than that, the main problem (the last I looked) is
> that his DKIM signs some List-* headers which guarantees a DKIM fail
> when he posts through a mailing list.

I had no idea that DKIM signing can be such a nightmare. I have disabled 
all DKIM for the time being until I can get my head around how to 
configure it properly - if that is even possible. Thank you for pointing 
it out - I wasn't aware of the issue.

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by RW <rw...@googlemail.com>.
On Sun, 29 Jul 2018 19:00:56 +0100
Dominic Raferd wrote:

> On Sun, 29 Jul 2018 at 18:33, RW <rw...@googlemail.com> wrote:
> 
> > On Sun, 29 Jul 2018 12:28:08 +0200
> > Antony Stone wrote:
> >  
> > > On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet
> > > another email that's guaranteed to fail DMARC with a reject when
> > > posted through a mailing list, and consequently I didn't
> > > receive:  
> > ...
> >  
> 
> Ditto, and I haven't received (and won't receive) any of his
> subsequent postings either (opendmarc is - quite rightly - blocking
> them). More strangely, I didn't receive this message (above) except
> apparently when quoted in reply by RW. Note to OP: when posting to
> mailing lists, use a domain that does not have DMARC with p=reject
> (and preferably not p=quarantine either).

Actually it's worse than that, the main problem (the last I looked) is
that his DKIM signs some List-* headers which guarantees a DKIM fail
when he posts through a mailing list. 

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 29/07/18 19:00, Dominic Raferd wrote:
> 
> 
> On Sun, 29 Jul 2018 at 18:33, RW <rwmaillists@googlemail.com 
> <ma...@googlemail.com>> wrote:
> 
>     On Sun, 29 Jul 2018 12:28:08 +0200
>     Antony Stone wrote:
> 
>      > On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet another
>      > email that's guaranteed to fail DMARC with a reject when posted
>      > through a mailing list, and consequently I didn't receive:
>     ...
> 
> 
> Ditto, and I haven't received (and won't receive) any of his subsequent 
> postings either (opendmarc is - quite rightly - blocking them). More 
> strangely, I didn't receive this message (above) except apparently when 
> quoted in reply by RW. Note to OP: when posting to mailing lists, use a 
> domain that does not have DMARC with p=reject (and preferably not 
> p=quarantine either).

Thank you for highlighting this - I wasn't aware of the problem. I had 
no idea that enabling DMARC fixes one set of problems while creating a 
whole different one! I've disabled DMARC for the time being, until I find a 
workable solution.

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Dominic Raferd <do...@timedicer.co.uk>.
On Sun, 29 Jul 2018 at 18:33, RW <rw...@googlemail.com> wrote:

> On Sun, 29 Jul 2018 12:28:08 +0200
> Antony Stone wrote:
>
> > On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet another
> > email that's guaranteed to fail DMARC with a reject when posted
> > through a mailing list, and consequently I didn't receive:
> ...
>

Ditto, and I haven't received (and won't receive) any of his subsequent
postings either (opendmarc is - quite rightly - blocking them). More
strangely, I didn't receive this message (above) except apparently when
quoted in reply by RW. Note to OP: when posting to mailing lists, use a
domain that does not have DMARC with p=reject (and preferably not
p=quarantine either).

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by RW <rw...@googlemail.com>.
On Sun, 29 Jul 2018 18:33:23 +0100
RW wrote:

> On Sun, 29 Jul 2018 12:28:08 +0200
> Antony Stone wrote:
> 
> > On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet
> > another email that's guaranteed to fail DMARC with a reject when
> > posted through a mailing list, and consequently I didn't receive:  
>  
> 
> > > Or maybe I am misunderstanding completely what is going on? I've
> > > uploaded a set of headers here: https://pastebin.com/KDV1f0wW    
> > 
> > Given that the example you've posted is from a machine with a public
> > IP 82.132.242.82, but thinks it has a private IP 10.7.54.227, I'm
> > not entirely surprised there is no rDNS set up for the private
> > address.  
> 
> This is the header:
> 
> Received: from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])
>           by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with
>           ESMTPA ID 84be422cfd662692400891131b957bd8 for
>           <de...@mydomain.co.uk>; Mon, 23 Jul 2018
>           13:59:41 +0000 (UTC)
> 
...
> Received: from ip70-189-131-151.lv.lv.cox.net (EHLO [192.168.0.105])
>          ([70.189.131.151]) ...
> 
> It's hard to say for sure, but either the sender is using a bare IP
> address (would iPhone Mail allow that?) or Yahoo is doing something
> strange. 

What looks to be happening is that the first field is the rDNS, but if
there is no rDNS (and possibly if it's not full-circle) Yahoo
substitutes a bare IP address.


I see in some older headers it has "JAMES SMTP Server" instead of "Oath
Hermes SMTP Server". I'm wondering if this is an Apache James format.


Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by RW <rw...@googlemail.com>.
On Sun, 29 Jul 2018 12:28:08 +0200
Antony Stone wrote:

> On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet another
> email that's guaranteed to fail DMARC with a reject when posted
> through a mailing list, and consequently I didn't receive:
 

> > Or maybe I am misunderstanding completely what is going on? I've
> > uploaded a set of headers here: https://pastebin.com/KDV1f0wW  
> 
> Given that the example you've posted is from a machine with a public
> IP 82.132.242.82, but thinks it has a private IP 10.7.54.227, I'm not
> entirely surprised there is no rDNS set up for the private address.

This is the header:

Received: from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])
          by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with
          ESMTPA ID 84be422cfd662692400891131b957bd8 for
          <de...@mydomain.co.uk>; Mon, 23 Jul 2018
          13:59:41 +0000 (UTC)

I'm not completely certain what this received header format is
supposed to represent, but SA parses the first field, 82.132.242.82, as
the EHLO/HELO. If that's correct then it's not RFC compliant as it's not
enclosed in '[]'. That's what RCVD_NUMERIC_HELO checks for, the name is
a little confusing.


I had a look at some others which look like this:

Received: from ip70-189-131-151.lv.lv.cox.net (EHLO [192.168.0.105])
         ([70.189.131.151]) ...

It's hard to say for sure, but either the sender is using a bare IP
address (would iPhone Mail allow that?) or Yahoo is doing something
strange. 
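As an added illustration (not code from this thread or from SpamAssassin itself), the two Received header shapes discussed above parsed in Python, alongside a re-implementation of the RCVD_NUMERIC_HELO test quoted from RelayEval.pm earlier in the thread. The sample headers are constructed from the ones posted (recipient addresses and the Postfix-style line are placeholders), and the private-range list only approximates SA's IP_PRIVATE constant.

```python
import ipaddress
import re

# Constructed samples (field body only, without the leading "Received:").
# YAHOO_HDR and COX_HDR mirror the Oath/Yahoo shape quoted in the thread;
# POSTFIX_HDR is a conventional "from <helo> (<rdns> [<ip>])" header.
YAHOO_HDR = ("from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82]) "
             "by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with ESMTPA "
             "ID 84be422cfd662692400891131b957bd8 for <user@example.invalid>; "
             "Mon, 23 Jul 2018 13:59:41 +0000 (UTC)")
COX_HDR = ("from ip70-189-131-151.lv.lv.cox.net (EHLO [192.168.0.105]) "
           "([70.189.131.151]) by smtp.example.invalid with ESMTPA; "
           "Mon, 23 Jul 2018 14:00:00 +0000 (UTC)")
POSTFIX_HDR = ("from 203.0.113.7 (unknown [203.0.113.7]) by mx.example.invalid "
               "(Postfix) with ESMTP id ABC123; Mon, 23 Jul 2018 14:01:00 +0000 (UTC)")

# Oath shape: "from <rdns-or-bare-ip> (EHLO <helo>) ([<ip>])". The greeting is
# the parenthesised token; the first field is rDNS, or a bare IP when rDNS is missing.
OATH_RE = re.compile(
    r"^from (?P<rdns>\S+) \((?:EHLO|HELO) (?P<helo>[^)]+)\) \(\[(?P<ip>[^\]]+)\]\)")
# Classic shape: "from <helo> (<rdns> [<ip>])". Here the first field really is the HELO.
CLASSIC_RE = re.compile(r"^from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)")

# Approximation of SA's IP_PRIVATE: RFC 1918 plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def parse_received(hdr):
    """Return {'helo', 'rdns', 'ip'}; Oath shape is tried before the classic one."""
    for rx in (OATH_RE, CLASSIC_RE):
        m = rx.match(hdr)
        if m:
            return m.groupdict()
    raise ValueError("unrecognised Received format")

def naive_helo(hdr):
    """Treat the first 'from' token as the HELO, the reading the thread suspects
    SA applies to the Oath format."""
    return hdr.split()[1]

def is_numeric_helo(helo):
    """Mirror of the quoted RelayEval.pm check: fire only on a bare, unbracketed
    IPv4 literal that is not in a private range."""
    if helo.startswith("["):          # "[a.b.c.d]" is the RFC 5321 address-literal form
        return False
    try:
        addr = ipaddress.IPv4Address(helo)
    except ipaddress.AddressValueError:
        return False                  # a hostname, not a dotted quad
    return not any(addr in net for net in PRIVATE_NETS)

if __name__ == "__main__":
    for hdr in (YAHOO_HDR, COX_HDR, POSTFIX_HDR):
        p = parse_received(hdr)
        print("parsed helo:", p["helo"], is_numeric_helo(p["helo"]),
              "| naive helo:", naive_helo(hdr), is_numeric_helo(naive_helo(hdr)))
```

Run stand-alone, the Oath headers only trip the check under the naive first-field reading, while the classic header with a bare public IP as HELO trips it under either reading.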

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote:

> I've been having a number of emails recently from Yahoo and AOL senders
> hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is
> going on:
> 
> 1. First off, the rule hits on the EHLO line - which means the it is an
> authenticated SMTP submission.

Er, what?

No, EHLO simply means "Hello, I'm capable of doing ESMTP".

"HELO" means "Hello, I can talk SMTP".

> After all, if it is EHLO, it probably is an MUA,

No; MTAs also speak E/SMTP to each other, and some of those Received headers 
indicating handover of the mail from one server to another will contain the 
HELO or EHLO greetings.

> 2. Or maybe this is caused by Yahoo's end - in which case would some
> sort of exception be a good idea?

Yes, I would do that.

> Or maybe I am misunderstanding completely what is going on? I've
> uploaded a set of headers here: https://pastebin.com/KDV1f0wW

Given that the example you've posted is from a machine with a public IP 
82.132.242.82, but thinks it has a private IP 10.7.54.227, I'm not entirely 
surprised there is no rDNS set up for the private address.


Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

                                                   Please reply to the list;
                                                         please *don't* CC me.