Posted to users@spamassassin.apache.org by ka...@ourldsfamily.com on 2005/11/11 02:04:19 UTC

Apparently Received by my server...

The following email to me gets through by their spoofing my IP even though
it clearly comes from somewhere else. I remember someone mentioning a
trusted_networks-like setting that used something like a
apparently_received_from name or something similar. How do I set it up?
Just a pointer to a DOC will suffice, unless you've had trouble setting it
up...

I've searched google and have found some cryptic stuff but am new enough
to this to ask for help. I hope this isn't so elementary that I'm
annoying.

<<< start email header >>>

Return-Path: <ka...@ourldsfamily.com>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
     moroni.ourldsfamily.com
X-Spam-Status: No, score=-89.8 required=0.8 tests=AWL,INVALID_TZ_EST,
     MIME_BOUND_DD_DIGITS,MSGID_DOLLARS_RANDOM,RCVD_HELO_IP_MISMATCH,
     RCVD_IN_SORBS_SOCKS,RCVD_IN_WHOIS_BOGONS,RCVD_NUMERIC_HELO,
     UNPARSEABLE_RELAY,USER_IN_WHITELIST,X_MESSAGE_INFO autolearn=no
     version=3.1.0
X-Spam-Level:
Received: from 198.60.114.90 ([200.167.92.14])
     by moroni.ourldsfamily.com (8.12.5/8.12.5) with SMTP id jAAHFTBO030068
     for <ka...@ourldsfamily.com>; Thu, 10 Nov 2005 10:15:31 -0700
X-Message-Info: 467kOHoSGZ7SWRqwaLFZ320K2GKVdkqDSbpxbWUyjJe4W
Received: from werbe-rusch.de (186.64.94.117) by xcy30-zj88.larslc.dk with
     Microsoft SMTPSVC(5.9.3473.6402);
     Thu, 10 Nov 2005 15:06:46 -0200
Received: from waitakere.govt.nz (racqi.com.au 192.8.84.72)
     by tmtinternational.de (8.12.10/8.12.9) with ESMTP id i3POG667
     for <ka...@ourldsfamily.com>; Thu, 10 Nov 2005 22:10:46 +0500 (EST)
     (envelope-from karlp@ourldsfamily.com)
Received: from SS67603 (modemcable295.49140-018.jaw.waitakere.govt.nz
     164.203.120.36)
     (authenticated bits=8)
     by netbank.com.br (8.12.10/8.12.9) with ESMTP id p420JVB337jkd666
     for <ka...@ourldsfamily.com>; Thu, 10 Nov 2005 18:09:46 +0100 (EST)
     (envelope-from karlp@ourldsfamily.com)
Message-ID: <35...@R99651050373180>
From: "karlp@ourldsfamily.com" <ka...@ourldsfamily.com>
To: <ka...@ourldsfamily.com>
Subject: karlp@ourldsfamily.com
Date: Thu, 10 Nov 2005 10:10:46 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="--637301109548042328"
X-Virus-Scanned: ClamAV 0.87/1167/Thu Nov 10 04:02:18 2005 on
     moroni.ourldsfamily.com
X-Virus-Status: Clean

<<< end email header >>>

Thanks for your help most esteemed ones...

Karl Pearson
KarlP@ourldsfamily.com
---
Senior Consulting Sys/DB Analyst
http://consulting.ourldsfamily.com
---



Re: Apparently Received by my server...

Posted by Sandy S <sa...@boreal.org>.
> karlp@ourldsfamily.com wrote:
> > The following email to me gets through by their spoofing my IP even though
> > it clearly comes from somewhere else. I remember someone mentioning a
> > trusted_networks-like setting that used something like a
> > apparently_received_from name or something similar. How do I set it up?
> > Just a pointer to a DOC will suffice, unless you've had trouble setting it
> > up...
> >
> > I've searched google and have found some cryptic stuff but am new enough
> > to this to ask for help. I hope this isn't so elementary that I'm
> > annoying.
> >
> > <<< start email header >>>
> >
> > Return-Path: <ka...@ourldsfamily.com>
> > X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> >      moroni.ourldsfamily.com
> > X-Spam-Status: No, score=-89.8 required=0.8 tests=AWL,INVALID_TZ_EST,
> >      MIME_BOUND_DD_DIGITS,MSGID_DOLLARS_RANDOM,RCVD_HELO_IP_MISMATCH,
> >      RCVD_IN_SORBS_SOCKS,RCVD_IN_WHOIS_BOGONS,RCVD_NUMERIC_HELO,
> >      UNPARSEABLE_RELAY,USER_IN_WHITELIST,X_MESSAGE_INFO autolearn=no
>
> Hi,
>
> You want to look at USER_IN_WHITELIST_TO or USER_IN_WHITELIST_FROM, not
> your current setting of USER_IN_WHITELIST in your local.cf or user_prefs.
>
> Regards,
>
> Rick
>

I've run across a similar issue and believe it to be a bug in the way
SpamAssassin handles WHITELIST_FROM_RCVD.

According to the docs, whitelist_from_rcvd matches what you've specified as
an ok rDNS location "against the reverse DNS lookup used during the handover
from the internet to your internal network's mail exchangers.".

However, if you look at the received header Karl posted:
Received: from 198.60.114.90 ([200.167.92.14])
                              ^^^^^^^^^^^^^^^
     by moroni.ourldsfamily.com (8.12.5/8.12.5) with SMTP id jAAHFTBO030068
     for <ka...@ourldsfamily.com>; Thu, 10 Nov 2005 10:15:31 -0700

and check the IP address this message came from, no PTR records exist for
this IP so his system can't do a reverse DNS lookup. For some reason, in
this case SpamAssassin seems to trust the "from 198.60.114.90" part of the
header as the source of the message, which if I understand my mail headers
properly comes from the easily forged HELO exchange. (Of course, I could be
wrong about this.)

My guess is that Karl's config file has something like
WHITELIST_FROM_RCVD karlp@ourldsfamily.com 198.60.114.90

causing SpamAssassin to trigger the USER_IN_WHITELIST rule, even though this
message was not really received from his trusted IP.

Someone correct me if I'm wrong about the way I'm reading my headers;
otherwise I probably will file the bugzilla!

Sandy
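
An added example, not part of the original thread and not SpamAssassin's own code: it splits the first Received line into the client-claimed HELO string and the address the receiving server recorded, then applies a simplified rDNS-only whitelist check that never falls back to HELO. It assumes the sendmail-style "from HELO (rdns [ip])" layout seen in the posted header; the function names, the example.org hop and the whitelist entries are hypothetical.

```python
import re

# Sendmail-style first hop, as in the posted header: "from HELO (rdns [ip])",
# or "from HELO ([ip])" when the address has no PTR record (assumed format).
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

def parse_first_hop(header):
    """Return the client-claimed HELO and the server-observed rDNS and IP."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = HOP_RE.match(unfolded)
    if m is None:
        return None
    rdns = m.group("rdns")
    return {"helo": m.group("helo"),
            "rdns": rdns.lower() if rdns else None,
            "ip": m.group("ip")}

def rcvd_whitelist_hit(sender, hop, entries):
    """True only when sender is listed AND the hop's rDNS is in its domain.

    A hop without rDNS never matches; the HELO string is not a fallback.
    """
    if hop is None or hop["rdns"] is None:
        return False
    for addr, domain in entries:
        domain = domain.lower()
        in_domain = hop["rdns"] == domain or hop["rdns"].endswith("." + domain)
        if sender.lower() == addr.lower() and in_domain:
            return True
    return False

# First Received line of the header posted in the thread.
POSTED = ("Received: from 198.60.114.90 ([200.167.92.14])\n"
          "     by moroni.ourldsfamily.com (8.12.5/8.12.5) with SMTP id jAAHFTBO030068")
# Constructed hop with working rDNS (example.org names are placeholders).
GENUINE = ("Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
           "     by mx.example.net with ESMTP id constructed1")
# Hypothetical entries: the guessed line from the post, plus a constructed one.
ENTRIES = [("karlp@ourldsfamily.com", "198.60.114.90"),
           ("user@example.org", "example.org")]

if __name__ == "__main__":
    for sender, hdr in (("karlp@ourldsfamily.com", POSTED), ("user@example.org", GENUINE)):
        hop = parse_first_hop(hdr)
        print(hop, rcvd_whitelist_hit(sender, hop, ENTRIES))
```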


Re: Apparently Received by my server...

Posted by Rick Macdougall <ri...@nougen.com>.
karlp@ourldsfamily.com wrote:
> The following email to me gets through by their spoofing my IP even though
> it clearly comes from somewhere else. I remember someone mentioning a
> trusted_networks-like setting that used something like a
> apparently_received_from name or something similar. How do I set it up?
> Just a pointer to a DOC will suffice, unless you've had trouble setting it
> up...
> 
> I've searched google and have found some cryptic stuff but am new enough
> to this to ask for help. I hope this isn't so elementary that I'm
> annoying.
> 
> <<< start email header >>>
> 
> Return-Path: <ka...@ourldsfamily.com>
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>      moroni.ourldsfamily.com
> X-Spam-Status: No, score=-89.8 required=0.8 tests=AWL,INVALID_TZ_EST,
>      MIME_BOUND_DD_DIGITS,MSGID_DOLLARS_RANDOM,RCVD_HELO_IP_MISMATCH,
>      RCVD_IN_SORBS_SOCKS,RCVD_IN_WHOIS_BOGONS,RCVD_NUMERIC_HELO,
>      UNPARSEABLE_RELAY,USER_IN_WHITELIST,X_MESSAGE_INFO autolearn=no

Hi,

You want to look at USER_IN_WHITELIST_TO or USER_IN_WHITELIST_FROM, not
your current setting of USER_IN_WHITELIST in your local.cf or user_prefs.

Regards,

Rick