Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/08/02 00:41:06 UTC
__HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp
Hi all,
I received an email today from bittitan.com that hit several dynamic
IP rules despite it appearing to have a static IP:
Aug 1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP
======> got hit: "[ ip=50.203.126.142
rdns=50-203-126-142-static.hfc.comcastbusiness.net
helo=50-203-126-142-static.hfc.comcastbusiness.net
by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
Aug 1 20:38:54.420 [13198] dbg: rules: ran header rule __HELO_DYNAMIC_IPADDR2
======> got hit: "[ ip=50.203.126.142
rdns=50-203-126-142-static.hfc.comcastbusiness.net
helo=50-203-126-142-static.hfc.comcastbusiness.net
by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
Aug 1 19:31:43.031 [3586] dbg: spf: checking HELO
(helo=50-203-126-142-static.hfc.comcastbusiness.net,
ip=50.203.126.142)
Below are the headers from this email:
Received: from 50-203-126-142-static.hfc.comcastbusiness.net
(50-203-126-142-static.hfc.comcastbusiness.net [50.203.126.142])
by mail01.example.com (Postfix) with ESMTP id DAAC96800C81A
for <an...@example.com>; Wed, 1 Aug 2018 18:22:50 -0400 (EDT)
Received: from uw2pvmsmtp003.corp.bittitan.local ([10.100.2.12]) by
50-203-126-142-static.hfc.comcastbusiness.net with Microsoft
SMTPSVC(10.0.14393.0);
Wed, 1 Aug 2018 15:22:18 -0700
Received: from IISPROD-200004I ([10.100.2.6]) by
uw2pvmsmtp003.corp.bittitan.local with Microsoft
SMTPSVC(10.0.14393.0);
Wed, 1 Aug 2018 22:22:37 +0000
The full (sanitized) headers can be found here:
https://pastebin.com/K6jqMgFg
Ideas for what's going on here would be appreciated.
Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp
Posted by RW <rw...@googlemail.com>.
On Wed, 1 Aug 2018 22:04:21 -0700 (PDT)
John Hardin wrote:
> On Wed, 1 Aug 2018, John Hardin wrote:
>
> OK, the DYNAMIC_IPADDR rules were a little too basic; I added some
> exclusions for obviously-static patterns.
>
> A couple of the hits on that (__HELO_MISC_IP and
> CK_HELO_DYNAMIC_SPLIT_IP which you didn't note) are in KAM's sandbox
> and I'm reluctant to go stomping around in it without his approval.
> Kevin, you might want to add an exclusion to those like I did for the
> base DYNAMIC_IPADDR rules.
I see that
__HELO_MISC_IP, CK_HELO_DYNAMIC_SPLIT_IP and CK_HELO_GENERIC
are incorrectly running 'first-trusted' rather than last-external.
Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp
Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Aug 2018, John Hardin wrote:
> On Wed, 1 Aug 2018, Alex wrote:
>
>> Aug 1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP
>> ======> got hit: "[ ip=50.203.126.142
>> rdns=50-203-126-142-static.hfc.comcastbusiness.net
>> helo=50-203-126-142-static.hfc.comcastbusiness.net
>> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>>
>> Aug 1 20:38:54.420 [13198] dbg: rules: ran header rule __HELO_DYNAMIC_IPADDR2
>> ======> got hit: "[ ip=50.203.126.142
>> rdns=50-203-126-142-static.hfc.comcastbusiness.net
>> helo=50-203-126-142-static.hfc.comcastbusiness.net
>> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>>
>> The full (sanitized) headers can be found here:
>> https://pastebin.com/K6jqMgFg
>>
>> Ideas for what's going on here would be appreciated.
>
> I'll take a look.
OK, the DYNAMIC_IPADDR rules were a little too basic; I added some
exclusions for obviously-static patterns.
A couple of the hits on that (__HELO_MISC_IP and CK_HELO_DYNAMIC_SPLIT_IP
which you didn't note) are in KAM's sandbox and I'm reluctant to go
stomping around in it without his approval. Kevin, you might want to add
an exclusion to those like I did for the base DYNAMIC_IPADDR rules.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
3 days until the 283rd anniversary of John Peter Zenger's acquittal
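The two points raised in this thread, picking the right relay (RW's last-external versus first-trusted remark) and not treating an IP-derived name as dynamic when it carries an obvious static marker (the exclusions John describes), can be shown together in one script. The following is an added example written for this page; it is not code from the thread and not SpamAssassin's own rule or relay logic. It assumes a deliberately small Received: parser that only handles the two header shapes quoted above, 10.0.0.0/8 as the trusted internal network, and a hypothetical marker list (static, fixed, dedicated); the sample headers are reconstructed from the ones Alex posted.

```python
import ipaddress
import re

# Constructed sample: the three Received headers quoted in the report, in the
# order they appear in the message (topmost first, i.e. the one our MX wrote).
SAMPLE_RECEIVED = [
    "from 50-203-126-142-static.hfc.comcastbusiness.net "
    "(50-203-126-142-static.hfc.comcastbusiness.net [50.203.126.142]) "
    "by mail01.example.com (Postfix) with ESMTP id DAAC96800C81A",
    "from uw2pvmsmtp003.corp.bittitan.local ([10.100.2.12]) "
    "by 50-203-126-142-static.hfc.comcastbusiness.net with Microsoft SMTPSVC(10.0.14393.0)",
    "from IISPROD-200004I ([10.100.2.6]) "
    "by uw2pvmsmtp003.corp.bittitan.local with Microsoft SMTPSVC(10.0.14393.0)",
]

# Minimal parser for the "from HELO (rdns [ip]) by HOST" shape seen above.
# Real-world Received: headers vary far more; this is an assumption for the demo.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)

def parse_received(header):
    """Return {'helo', 'rdns', 'ip', 'by'} or None when the header is not parseable."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        return None
    relay = m.groupdict()
    relay["rdns"] = relay["rdns"] or ""
    return relay

def last_external(received_headers, trusted_nets):
    """Walk the Received chain top-down and return the first relay whose source
    IP lies outside trusted_nets: that is the last external hop, the only one
    whose HELO says anything about the sending network.  Hops behind it (here
    the 10.x internal servers) belong to the sender and must not be judged."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    for header in received_headers:
        relay = parse_received(header)
        if relay is None:
            continue
        addr = ipaddress.ip_address(relay["ip"])
        if any(addr in n for n in nets):
            continue          # handed off inside the trusted perimeter; keep walking
        return relay
    return None               # every hop was trusted: nothing external to judge

# Four dash- or dot-separated octets embedded in a hostname, e.g. 50-203-126-142-...
EMBEDDED_IP_RE = re.compile(
    r"(?<![0-9])(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?![0-9])"
)
# Assumed marker list: tokens ISPs put into generic-but-static reverse names.
STATIC_MARKERS = re.compile(r"static|fixed|dedicated", re.IGNORECASE)

def classify_helo(helo, ip):
    """Classify a HELO name as 'dynamic', 'static' or 'none', with a reason.
    Only names that embed the connecting IP (forward or reversed octet order)
    count as IP-derived; among those, an explicit static marker wins."""
    m = EMBEDDED_IP_RE.search(helo)
    if not m:
        return "none", "no embedded IPv4 address in HELO"
    octets = m.groups()
    if ip not in (".".join(octets), ".".join(reversed(octets))):
        return "none", "embedded address does not match the connecting IP"
    if STATIC_MARKERS.search(helo):
        return "static", "IP-derived name carries an explicit static marker"
    return "dynamic", "IP-derived name without a static marker"

def evaluate(received_headers, trusted_nets=("10.0.0.0/8",)):
    """Pick the last external relay, then judge its HELO."""
    relay = last_external(received_headers, trusted_nets)
    if relay is None:
        return {"relay": None, "verdict": "none", "reason": "no external relay"}
    verdict, reason = classify_helo(relay["helo"], relay["ip"])
    return {"relay": relay["helo"], "verdict": verdict, "reason": reason}

if __name__ == "__main__":
    print(evaluate(SAMPLE_RECEIVED))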
Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp
Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Aug 2018, Alex wrote:
> Hi all,
>
> I received an email today from bittitan.com that hit several dynamic
> IP rules despite it appearing to have a static IP:
>
> Aug 1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP
> ======> got hit: "[ ip=50.203.126.142
> rdns=50-203-126-142-static.hfc.comcastbusiness.net
> helo=50-203-126-142-static.hfc.comcastbusiness.net
> by=mail01.example.com ident= envfrom= intl=0 id=DAAC96800C81A auth= "
>
> Aug 1 20:38:54.420 [13198] dbg: rules: ran header rule
> __HELO_DYNAMIC_IPADDR2 ======> got hit: "[ ip=50.203.126.142
> rdns=50-203-126-142
> -static.hfc.comcastbusiness.net
> helo=50-203-126-142-static.hfc.comcastbusiness.net
> by=mail01.example.com ident= envfrom= intl
> =0 id=DAAC96800C81A auth= "
>
> Aug 1 19:31:43.031 [3586] dbg: spf: checking HELO
> (helo=50-203-126-142-static.hfc.comcastbusiness.net,
> ip=50.203.126.142)
>
> Below are the headers from this email:
>
> Received: from 50-203-126-142-static.hfc.comcastbusiness.net
> (50-203-126-142-static.hfc.comcastbusiness.net [50.203.126.142])
> by mail01.example.com (Postfix) with ESMTP id DAAC96800C81A
> for <an...@example.com>; Wed, 1 Aug 2018 18:22:50 -0400 (EDT)
> Received: from uw2pvmsmtp003.corp.bittitan.local ([10.100.2.12]) by
> 50-203-126-142-static.hfc.comcastbusiness.net with Microsoft
> SMTPSVC(10.0.14393.0);
> Wed, 1 Aug 2018 15:22:18 -0700
> Received: from IISPROD-200004I ([10.100.2.6]) by
> uw2pvmsmtp003.corp.bittitan.local with Microsoft
> SMTPSVC(10.0.14393.0);
> Wed, 1 Aug 2018 22:22:37 +0000
>
> The full (sanitized) headers can be found here:
> https://pastebin.com/K6jqMgFg
>
> Ideas for what's going on here would be appreciated.
I'll take a look.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
3 days until the 283rd anniversary of John Peter Zenger's acquittal