Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/08/02 00:41:06 UTC

__HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp

Hi all,

I received an email today from bittitan.com that hit several dynamic
IP rules despite it appearing to have a static IP:

Aug  1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP
======> got hit: "[ ip=50.203.126.142
rdns=50-203-126-142-static.hfc.comcastbusiness.net
helo=50-203-126-142-static.hfc.comcastbusiness.net
by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "

Aug  1 20:38:54.420 [13198] dbg: rules: ran header rule __HELO_DYNAMIC_IPADDR2
======> got hit: "[ ip=50.203.126.142
rdns=50-203-126-142-static.hfc.comcastbusiness.net
helo=50-203-126-142-static.hfc.comcastbusiness.net
by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "

Aug  1 19:31:43.031 [3586] dbg: spf: checking HELO
(helo=50-203-126-142-static.hfc.comcastbusiness.net,
ip=50.203.126.142)

Below are the headers from this email:

Received: from 50-203-126-142-static.hfc.comcastbusiness.net
(50-203-126-142-static.hfc.comcastbusiness.net [50.203.126.142])
        by mail01.example.com (Postfix) with ESMTP id DAAC96800C81A
        for <an...@example.com>; Wed,  1 Aug 2018 18:22:50 -0400 (EDT)
Received: from uw2pvmsmtp003.corp.bittitan.local ([10.100.2.12]) by
50-203-126-142-static.hfc.comcastbusiness.net with Microsoft
SMTPSVC(10.0.14393.0);
         Wed, 1 Aug 2018 15:22:18 -0700
Received: from IISPROD-200004I ([10.100.2.6]) by
uw2pvmsmtp003.corp.bittitan.local with Microsoft
SMTPSVC(10.0.14393.0);
         Wed, 1 Aug 2018 22:22:37 +0000

The full (sanitized) headers can be found here:
https://pastebin.com/K6jqMgFg

Ideas for what's going on here would be appreciated.

Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp

Posted by RW <rw...@googlemail.com>.
On Wed, 1 Aug 2018 22:04:21 -0700 (PDT)
John Hardin wrote:

> On Wed, 1 Aug 2018, John Hardin wrote:
> 

> OK, the DYNAMIC_IPADDR rules were a little too basic; I added some 
> exclusions for obviously-static patterns.
> 
> A couple of the hits on that (__HELO_MISC_IP and
> CK_HELO_DYNAMIC_SPLIT_IP which you didn't note) are in KAM's sandbox
> and I'm reluctant to go stomping around in it without his approval.
> Kevin, you might want to add an exclusion to those like I did for the
> base DYNAMIC_IPADDR rules.

I see that

   __HELO_MISC_IP, CK_HELO_DYNAMIC_SPLIT_IP and CK_HELO_GENERIC

are incorrectly running 'first-trusted' rather than last-external.

Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp

Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Aug 2018, John Hardin wrote:

> On Wed, 1 Aug 2018, Alex wrote:
>
>> Aug  1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP
>> ======> got hit: "[ ip=50.203.126.142
>> rdns=50-203-126-142-static.hfc.comcastbusiness.net
>> helo=50-203-126-142-static.hfc.comcastbusiness.net
>> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>> 
>> Aug  1 20:38:54.420 [13198] dbg: rules: ran header rule __HELO_DYNAMIC_IPADDR2
>> ======> got hit: "[ ip=50.203.126.142
>> rdns=50-203-126-142-static.hfc.comcastbusiness.net
>> helo=50-203-126-142-static.hfc.comcastbusiness.net
>> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>> 
>> The full (sanitized) headers can be found here:
>> https://pastebin.com/K6jqMgFg
>> 
>> Ideas for what's going on here would be appreciated.
>
> I'll take a look.

OK, the DYNAMIC_IPADDR rules were a little too basic; I added some 
exclusions for obviously-static patterns.

A couple of the hits on that (__HELO_MISC_IP and CK_HELO_DYNAMIC_SPLIT_IP 
which you didn't note) are in KAM's sandbox and I'm reluctant to go 
stomping around in it without his approval. Kevin, you might want to add 
an exclusion to those like I did for the base DYNAMIC_IPADDR rules.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When I say "I don't want the government to do X", do not
   automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
  3 days until the 283rd anniversary of John Peter Zenger's acquittal
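To make the false positive and the fix concrete, here is an added Python sketch (not SpamAssassin's rule code and not anything posted in the thread) that parses the Received headers quoted above, picks the last-external hop under the assumption that mail01.example.com is the trusted MX, and applies a dynamic-looking-HELO test with the kind of "static" exclusion John describes adding. The sample headers are constructed from the ones in the original post; the function and pattern names are the example's own.

```python
import re
# Constructed sample: the three Received headers quoted in the thread,
# topmost (most recent hop) first, each folded onto one line.
RECEIVED = [
    "from 50-203-126-142-static.hfc.comcastbusiness.net "
    "(50-203-126-142-static.hfc.comcastbusiness.net [50.203.126.142]) "
    "by mail01.example.com (Postfix) with ESMTP id DAAC96800C81A",
    "from uw2pvmsmtp003.corp.bittitan.local ([10.100.2.12]) "
    "by 50-203-126-142-static.hfc.comcastbusiness.net with Microsoft SMTPSVC(10.0.14393.0)",
    "from IISPROD-200004I ([10.100.2.6]) "
    "by uw2pvmsmtp003.corp.bittitan.local with Microsoft SMTPSVC(10.0.14393.0)",
]
# Assumption: mail01.example.com is our own MX. Real deployments decide trust
# by address (trusted_networks), not by the forgeable "by" name used here.
TRUSTED = {"mail01.example.com"}

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+(?P<by>\S+)"
)
# Four octets joined by '-' or '.' at the start of the HELO: the dynamic-IP shape.
DYN_IP_RE = re.compile(r"^(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.]")
# The kind of "obviously static" exclusion the thread describes adding.
STATIC_RE = re.compile(r"(?:^|[-.])static(?:[-.]|$)", re.I)


def parse_hops(received):
    """One {'helo', 'ip', 'by'} dict per parseable Received line, top-down."""
    return [m.groupdict() for m in map(HOP_RE.match, received) if m]


def last_external(hops, trusted=TRUSTED):
    """First hop (top-down) that an untrusted host handed to a trusted one."""
    for hop in hops:
        if hop["by"] in trusted and hop["helo"] not in trusted:
            return hop
    return None


def classify_helo(hop):
    """Mimic the rule: a dynamic-looking name fires unless marked static."""
    m = DYN_IP_RE.match(hop["helo"])
    if not m:
        return "no-embedded-ip"
    if ".".join(m.groups()) != hop["ip"]:
        return "embedded-ip-mismatch"  # name does not describe this address
    if STATIC_RE.search(hop["helo"]):
        return "static"                # exclusion applies: no hit
    return "dynamic"                   # rule would fire


def verdict(received=RECEIVED):
    hop = last_external(parse_hops(received))
    return (hop["helo"], classify_helo(hop)) if hop else (None, "no-external-hop")
```

Running `verdict()` on the quoted headers yields "static" for the Comcast Business host, which is the outcome the added exclusions aim for; the mismatch branch flags a HELO whose embedded address differs from the connecting IP.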

Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp

Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Aug 2018, Alex wrote:

> Hi all,
>
> I received an email today from bittitan.com that hit several dynamic
> IP rules despite it appearing to have a static IP:
>
> Aug  1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP
> ======> got hit: "[ ip=50.203.126.142
> rdns=50-203-126-142-static.hfc.comcastbusiness.net
> helo=50-203-126-142-static.hfc.comcastbusiness.net
> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>
> Aug  1 20:38:54.420 [13198] dbg: rules: ran header rule __HELO_DYNAMIC_IPADDR2
> ======> got hit: "[ ip=50.203.126.142
> rdns=50-203-126-142-static.hfc.comcastbusiness.net
> helo=50-203-126-142-static.hfc.comcastbusiness.net
> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>
> Aug  1 19:31:43.031 [3586] dbg: spf: checking HELO
> (helo=50-203-126-142-static.hfc.comcastbusiness.net,
> ip=50.203.126.142)
>
> Below are the headers from this email:
>
> Received: from 50-203-126-142-static.hfc.comcastbusiness.net
> (50-203-126-142-static.hfc.comcastbusiness.net [50.203.126.142])
>        by mail01.example.com (Postfix) with ESMTP id DAAC96800C81A
>        for <an...@example.com>; Wed,  1 Aug 2018 18:22:50 -0400 (EDT)
> Received: from uw2pvmsmtp003.corp.bittitan.local ([10.100.2.12]) by
> 50-203-126-142-static.hfc.comcastbusiness.net with Microsoft
> SMTPSVC(10.0.14393.0);
>         Wed, 1 Aug 2018 15:22:18 -0700
> Received: from IISPROD-200004I ([10.100.2.6]) by
> uw2pvmsmtp003.corp.bittitan.local with Microsoft
> SMTPSVC(10.0.14393.0);
>         Wed, 1 Aug 2018 22:22:37 +0000
>
> The full (sanitized) headers can be found here:
> https://pastebin.com/K6jqMgFg
>
> Ideas for what's going on here would be appreciated.

I'll take a look.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When I say "I don't want the government to do X", do not
   automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
  3 days until the 283rd anniversary of John Peter Zenger's acquittal