Posted to users@spamassassin.apache.org by "Angel L. Mateo" <am...@um.es> on 2010/10/28 11:25:21 UTC

Bad pattern in HELO_DYNAMIC_IPADDR check?

Hello,

	We are having a problem with one of our users: all his email was 
marked as spam. The problem is that all his emails hit the 
HELO_DYNAMIC_IPADDR (or HELO_DYNAMIC_IPADDR2) check, because 
spamassassin thinks that the connection used the IP address in the helo 
command, but it did not.

	The name used in the helo command is 72d07e260c444a7 (one automatically 
generated by the Windows installer), which is the hostname of the computer. 
But HELO_DYNAMIC_IPADDR uses the regular expression 
[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ 
that matches an IP address, but a lot of other things too.

	If the purpose of this pattern is to match an IP address it 
should be (more or less) \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} or something 
like that.

	Is there any reason for this pattern being so general? Or is this a bug?

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 868887590
Fax: 868888337

Re: Bad pattern in HELO_DYNAMIC_IPADDR check?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-10-28 at 11:25 +0200, Angel L. Mateo wrote:
> We are having a problem with one of our users: all his email was 
> marked as spam. The problem is that all his emails hit the 
> HELO_DYNAMIC_IPADDR (or HELO_DYNAMIC_IPADDR2) check, because 
> spamassassin thinks that the connection used the IP address in the helo 
> command, but it did not.

On Thu, 2010-10-28 at 06:03 -0700, John Hardin wrote:
> You should look at your trusted_networks settings if this is a local 
> network client, and should consider using authenticated SMTP if it's a 
> remote trusted client.

This is the problem.

With an authenticated submission, the mail should hit ALL_TRUSTED
instead. Since it's an MUA sending the mail, untrusted and external
relays should be empty.

Scanning outbound mail? Which other rules hit?

> Posting full headers from a sample message would help.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Bad pattern in HELO_DYNAMIC_IPADDR check?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 8 Nov 2010, Angel L. Mateo wrote:

> On 28/10/10 15:03, John Hardin wrote:
>>  On Thu, 28 Oct 2010, Angel L. Mateo wrote:
>> 
>> >  Is there any reason for this pattern being so general? Or is this a bug?
>>
>>  IPv4 addresses are numbers (uint4 to be precise), dotted quad notation
>>  is just the most-human-readable way to represent them. It is valid to
>>  represent an IPv4 address as a 32-bit hex value.
>>
> 	I know this, but is '72d07e260c444a7' an IP address? Not for me, but 
> for HELO_DYNAMIC_IPADDR it is.

...good point. A valid IPv4 would only be 8 hex digits.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You do not examine legislation in the light of the benefits it
   will convey if properly administered, but in the light of the
   wrongs it would do and the harms it would cause if improperly
   administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
  3 days until Veterans Day
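A worked check of two points in this thread, the opening post's claim that the quoted pattern matches far more than an IP address and the 8-hex-digit remark in this reply, as an added Python example that is not from the thread or from SpamAssassin itself. It applies the pattern fragment exactly as quoted in the thread to a constructed relay summary string (the `helo=... by=...` layout is an assumption, not SpamAssassin's real internal format) and compares the result with the dotted-quad and 8-hex-digit tests.

```python
import re

# Pattern fragment quoted in the opening post as the HELO_DYNAMIC_IPADDR check.
THREAD_PATTERN = re.compile(
    r"[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+"
)
# Narrower dotted-quad pattern proposed in the same post.
DOTTED_QUAD = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# John Hardin's remark: an IPv4 address written as plain hex is exactly 8 hex digits.
HEX_IPV4 = re.compile(r"[0-9a-f]{8}", re.IGNORECASE)


def relay_summary(helo: str, by: str = "mx.example.org") -> str:
    """Constructed stand-in for the 'helo=... by=...' relay summary the rule
    is evaluated against. Assumption: field names and layout are illustrative
    only and are not SpamAssassin's exact format."""
    return f"[ helo={helo} by={by} ]"


def hits_thread_pattern(helo: str) -> bool:
    """True when the quoted pattern fires on a relay summary carrying this HELO."""
    return THREAD_PATTERN.search(relay_summary(helo)) is not None


def hits_dotted_quad(helo: str) -> bool:
    """True when the HELO name contains a dotted quad (the narrower proposal)."""
    return DOTTED_QUAD.search(helo) is not None


def is_hex_ipv4(helo: str) -> bool:
    """True only for exactly eight hex digits, the hex form of an IPv4 address."""
    return HEX_IPV4.fullmatch(helo) is not None


def classify(helo: str) -> dict:
    """Run all three tests on one HELO name."""
    return {
        "thread_pattern": hits_thread_pattern(helo),
        "dotted_quad": hits_dotted_quad(helo),
        "hex_ipv4": is_hex_ipv4(helo),
    }


if __name__ == "__main__":
    # Constructed HELO names: the Windows hostname from the thread, a dash-style
    # dynamic hostname, an address literal, a plain hostname, and an 8-hex-digit
    # value (192.168.10.10 written in hex).
    for helo in ["72d07e260c444a7", "72-7-26-44.dyn.example.net",
                 "[72.7.26.44]", "mail.example.org", "c0a80a0a"]:
        print(f"{helo:28} {classify(helo)}")
```

Of the constructed names only the address literal passes the dotted-quad test, so the dash-separated dynamic hostname is a case the narrower pattern would miss, while the 8-hex-digit value is not matched by the quoted pattern at all.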

Re: Bad pattern in HELO_DYNAMIC_IPADDR check?

Posted by "Angel L. Mateo" <am...@um.es>.
On 08/11/10 12:31, Matus UHLAR - fantomas wrote:
>>> On Thu, 28 Oct 2010, Angel L. Mateo wrote:
>>>> Is there any reason for this pattern being so general? Or is this a bug?
>
>> On 28/10/10 15:03, John Hardin wrote:
>>> IPv4 addresses are numbers (uint4 to be precise), dotted quad notation
>>> is just the most-human-readable way to represent them. It is valid to
>>> represent an IPv4 address as a 32-bit hex value.
>
> On 08.11.10 11:51, Angel L. Mateo wrote:
>> 	I know this, but is '72d07e260c444a7' an IP address? Not for me, but
>> for HELO_DYNAMIC_IPADDR it is.
>
> Are you sure it's the one header that matches it? Aren't there more
> Received: headers?


	Yes, it is. It's one or more digits, followed by one or more 
non-digits... The problem is that the pattern 
[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ 
is too general.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 868887590
Fax: 868888337

Re: Bad pattern in HELO_DYNAMIC_IPADDR check?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> On Thu, 28 Oct 2010, Angel L. Mateo wrote:
>>> Is there any reason for this pattern being so general? Or is this a bug?

> On 28/10/10 15:03, John Hardin wrote:
>> IPv4 addresses are numbers (uint4 to be precise), dotted quad notation
>> is just the most-human-readable way to represent them. It is valid to
>> represent an IPv4 address as a 32-bit hex value.

On 08.11.10 11:51, Angel L. Mateo wrote:
> 	I know this, but is '72d07e260c444a7' an IP address? Not for me, but  
> for HELO_DYNAMIC_IPADDR it is.

Are you sure it's the one header that matches it? Aren't there more
Received: headers?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
2B|!2B, that's a question!

Re: Bad pattern in HELO_DYNAMIC_IPADDR check?

Posted by "Angel L. Mateo" <am...@um.es>.
On 28/10/10 15:03, John Hardin wrote:
> On Thu, 28 Oct 2010, Angel L. Mateo wrote:
>
>> Is there any reason for this pattern being so general? Or is this a bug?
>
> IPv4 addresses are numbers (uint4 to be precise), dotted quad notation
> is just the most-human-readable way to represent them. It is valid to
> represent an IPv4 address as a 32-bit hex value.
>
	I know this, but is '72d07e260c444a7' an IP address? Not for me, but 
for HELO_DYNAMIC_IPADDR it is.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 868887590
Fax: 868888337

Re: Bad pattern in HELO_DYNAMIC_IPADDR check?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 28 Oct 2010, Angel L. Mateo wrote:

> 	Is there any reason for this pattern being so general? Or is this a 
> bug?

IPv4 addresses are numbers (uint4 to be precise), dotted quad notation is 
just the most-human-readable way to represent them. It is valid to 
represent an IPv4 address as a 32-bit hex value.

You should look at your trusted_networks settings if this is a local 
network client, and should consider using authenticated SMTP if it's a 
remote trusted client.

Posting full headers from a sample message would help.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  3 days until Halloween