Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2012/02/24 17:51:36 UTC

[Bug 6768] New: Patchy checking of authentication

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

             Bug #: 6768
           Summary: Patchy checking of authentication
           Product: Spamassassin
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: rwmaillists@googlemail.com
    Classification: Unclassified


Mostly rules aimed at direct-to-mx spam sources should avoid hitting
authenticated submissions. Quite a lot of rules of this type are using neither
an "auth=" check nor a meta with __LAST_EXTERNAL_RELAY_NO_AUTH.


RDNS_NONE or __RDNS_NONE
FAKE_HELO_MAIL_COM_DOM
HELO_DYNAMIC_DIALIN
HELO_DYNAMIC_HEXIP
HELO_DYNAMIC_SPLIT_IP
DOS_RCVD_IP_TWICE_C
FH_HELO_ALMOST_IP
FH_HELO_ENDS_DOT
FH_HELO_EQ_610HEX
FH_HELO_EQ_CHARTER
FH_HELO_EQ_D_D_D_D
FH_HOST_EQ_DYNAMICIP
FH_HOST_EQ_PACBELL_D
FH_HOST_EQ_VERIZON_P
FORGED_RELAY_MUA_TO_MX
FSL_HELO_BARE_IP_1
FSL_HELO_DEVICE
FSL_HELO_NON_FQDN_1
FSL_HELO_SETUP
HELO_FRIEND
HELO_LH_HOME
HELO_LOCALHOST
HELO_OEM
RDNS_LOCALHOST
__DOS_SINGLE_EXT_RELAY
FM_FAKE_HELO_VERIZON
__HELO_NO_DOMAIN
__NSL_RCVD_FROM_41

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
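
Added example (not part of the original report and not SpamAssassin's own code): a Python model of the two gating styles the report names, an inline "auth=" check and a meta with a no-auth subrule, run against constructed X-Spam-Relays-External values. The regex bodies, rule variable names, hosts and addresses are assumptions made for illustration.

```python
import re

# Constructed X-Spam-Relays-External values (newest relay first). The field
# layout follows SpamAssassin's relay metadata; hosts and IPs are made up.
def relay(auth, rdns="", ip="192.0.2.10"):
    return (f"[ ip={ip} rdns={rdns} helo=user-pc by=mx.example.org "
            f"ident= envfrom= intl=0 id=ABC123 auth={auth} msa=0 ]")

DIRECT_TO_MX = relay(auth="")            # unauthenticated client, no rDNS
AUTH_SUBMISSION = relay(auth="ESMTPA")   # same client, authenticated
# Authenticated last hop followed by an older, unauthenticated hop.
TWO_HOPS = AUTH_SUBMISSION + " " + relay(auth="", ip="198.51.100.7")

# Assumed rule bodies, written in the style of header rules that test
# X-Spam-Relays-External. [^\]]+ cannot cross a "]", so every match stays
# inside the first block, i.e. the last external relay.
RAW_RDNS_NONE = re.compile(r"^[^\]]+ rdns= ")        # ungated rule
NO_AUTH = re.compile(r"^[^\]]+ auth= ")              # empty auth on that relay
INLINE = re.compile(r"^[^\]]+ rdns= [^\]]* auth= ")  # "auth=" check in one regex

def evaluate(relays_external):
    """Return which variant of the rule fires for one relay string."""
    raw = bool(RAW_RDNS_NONE.search(relays_external))
    no_auth = bool(NO_AUTH.search(relays_external))
    return {
        "raw": raw,                  # also fires on authenticated submissions
        "meta": raw and no_auth,     # models: meta RULE (__RAW && __NO_AUTH)
        "inline": bool(INLINE.search(relays_external)),
    }

if __name__ == "__main__":
    samples = [("direct-to-mx", DIRECT_TO_MX),
               ("authenticated", AUTH_SUBMISSION),
               ("two hops", TWO_HOPS)]
    for name, value in samples:
        print(f"{name:14} {evaluate(value)}")
```
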

[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

Mark London <mr...@psfc.mit.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mrl@psfc.mit.edu

--- Comment #3 from Mark London <mr...@psfc.mit.edu> 2012-05-08 15:25:28 UTC ---
Spammers from the 41 ip range are constantly using authenticated squirrelmail
accounts (or at least inserting fake headers), so that __NSL_RCVD_FROM_41 is
not being triggered.  I think that especially for __NSL_RCVD_FROM_41, it should
be triggered, regardless of how it originates.


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

Henrik Krohns <he...@hege.li> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hege@hege.li

--- Comment #2 from Henrik Krohns <he...@hege.li> 2012-02-24 17:18:22 UTC ---
Thinking about it, you might very well be right.


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

John Hardin <jh...@impsec.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhardin@impsec.org

--- Comment #4 from John Hardin <jh...@impsec.org> 2012-05-08 17:43:44 UTC ---
(In reply to comment #3)
> Spammers from the 41 ip range are constantly using authenticated squirrelmail
> accounts (or at least inserting fake headers), so that __NSL_RCVD_FROM_41 is
> not being triggered.  I think that especially for __NSL_RCVD_FROM_41, it should
> be triggered, regardless of how it originates.

Can you attach a sample of one such that __NSL_RCVD_FROM_41 /by itself/ misses?
The few samples I have of a squirrelmail spam from the 41 netblock all do hit
that subrule.

I don't think the inclusion of subrules in RW's list makes sense; they are
expected to be incomplete and may have lots of FPs.

I could see __NSL_RCVD_FROM_41 missing a squirrel email from the 41 netblock if
it was meta'd with some other rule that is taking the "SquirrelMail
authenticated user mumble" into account. That's hardly a problem in the
__NSL_RCVD_FROM_41 subrule; that's a problem in whatever is considering
"SquirrelMail authenticated user mumble" as equivalent to a trusted auth at the
recipient.


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

--- Comment #8 from John Hardin <jh...@impsec.org> 2012-05-08 21:53:02 UTC ---
(In reply to comment #7)
> If I take out the header line that has Squirrelmail in it (right after the
> "from 41..." line), the rule triggers properly for me.

That sounds like the header parser is getting confused by the Squirrelmail text
and not even adding that Received header to X-Spam-Relays-External. I don't
recall any bugs like that, but I haven't been following parser bugs too
closely.

I was going to suggest checking the definition of your __NSL_RCVD_FROM_41 rule,
as it used to be:

  header   __NSL_RCVD_FROM_41     Received =~ /[([]41\./

and that wouldn't hit because of the blank, but simply removing the
Squirrelmail text wouldn't magically make that rule start working...


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

--- Comment #5 from Mark London <mr...@psfc.mit.edu> 2012-05-08 18:55:30 UTC ---
Created attachment 5058
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5058
Squirrelmail email from 41.0.0.0 domain

Attached is an example.

We are running redhat 6, spamassassin-3.3.1-2

- Mark


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

--- Comment #9 from John Hardin <jh...@impsec.org> ---
Related issues in bugzilla: bug#3236 bug#3302 bug#6549 (still open)

I don't think the discussion of SquirrelMail effects is relevant to this bug.


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

--- Comment #6 from John Hardin <jh...@impsec.org> 2012-05-08 21:08:22 UTC ---
(In reply to comment #5)
> Created attachment 5058 [details]
> Squirrelmail email from 41.0.0.0 domain
> 
> Attached is an example.
> 
> We are running redhat 6, spamassassin-3.3.1-2
> 
> - Mark

That message hits for me:

  May  8 13:49:34.056 [24371] dbg: rules: ran header rule __NSL_RCVD_FROM_41
======> got hit: " ip=41."

What are you expecting to see that you aren't, that makes you believe
__NSL_RCVD_FROM_41 is missing?


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

--- Comment #7 from Mark London <mr...@psfc.mit.edu> 2012-05-08 21:20:58 UTC ---
If I take out the header line that has Squirrelmail in it (right after the
"from 41..." line), the rule triggers properly for me.

It must have something to do with the spamassassin rpm built for redhat.  I
installed a clean version of their rpm on a workstation, and I get the same
result.  I'll try to figure out what is going on.


[Bug 6768] Patchy checking of authentication

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6768

--- Comment #1 from Henrik Krohns <he...@hege.li> 2012-02-24 17:06:14 UTC ---
*** Bug 6767 has been marked as a duplicate of this bug. ***
