Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2019/04/26 15:50:31 UTC

locally submitted / outgoing mail hitting multiple rules

Hello,

Half a year ago I discussed an issue with mail submitted from local clients,
without authentication, being marked as spam, because some rules hit.

thread archive here:
https://marc.info/?l=spamassassin-users&m=153563489524609&w=2

Summary of the issue:
- clients are listed in trusted_hosts (local IP addresses)
  as advised in https://wiki.apache.org/spamassassin/DynablockIssues

- clients aren't using smtp auth (historical reasons)

The results:

mail that hits ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
is considered locally submitted.

- mailservers should put their Received: headers to mail thus not hit
  __DOS_SINGLE_EXT_RELAY

This leads me to testing rule:

meta      TRUSTED_SUBMISSION  ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY
describe  TRUSTED_SUBMISSION  mail submitted by trusted client
score     TRUSTED_SUBMISSION  -3

For now, I am testing this rule.

I hope that later this rule could be incorporated into multiple rules as
John Hardin mentioned:

https://marc.info/?l=spamassassin-users&m=153575741730705&w=2

> For example, MIMEOLE_DIRECT_TO_MX, DOS_OE_TO_MX, DOS_OUTLOOK_TO_MX, 
> XPRIO_SHORT_SUBJ, ...?

Btw, sorry John for not answering your last question:

https://marc.info/?l=spamassassin-users&m=153633826515464&w=2

>> For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
>> is just what I need to prevent all rules from firing:

>I think you mean !ALL_TRUSTED, right?

yes, mail with (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is trusted
submission, while (!ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) 
is direct-to-MX

I believe that mail that hits both ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
should be exempted from hitting __DOS_DIRECT_TO_MX, currently:

meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT


meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && !ALL_TRUSTED && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT


- this would make exemption to all those rules.
(note that it's apparently possible to skip !__DOS_RELAYED_EXT from the rule
above because it seems complementary to __DOS_SINGLE_EXT_RELAY)


and looking at it now, these rules use __DOS_DIRECT_TO_MX:

meta DOS_HIGH_BAT_TO_MX         __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
meta DOS_OE_TO_MX               __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
meta DOS_OE_TO_MX_IMAGE         __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
meta DOS_OUTLOOK_TO_MX          __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
meta PHOTO_EDITING_DIRECT       (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
meta T_DOS_OUTLOOK_TO_MX_IMAGE  __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
meta __MIMEOLE_DIRECT_TO_MX     __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
meta __TO_EQ_FM_DIRECT_MX       __TO_EQ_FROM && __DOS_DIRECT_TO_MX

- I don't think adding && !ALL_TRUSTED  should cause an issue here

__DOS_SINGLE_EXT_RELAY is currently only used in rules

DOS_FIX_MY_URI	- adding !ALL_TRUSTED shouldn't break anything
HDR_ORDER_FTSDMCXX_DIRECT - !ALL_TRUSTED was added already

HDRS_LCASE
T_MANY_HDRS_LCASE
- these use !__DOS_SINGLE_EXT_RELAY, no change thus.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".

Re: locally submitted / outgoing mail hitting multiple rules

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On Fri, 26 Apr 2019, Matus UHLAR - fantomas wrote:
>>>Btw, sorry John for not answering your last question:
>>>
>>>https://marc.info/?l=spamassassin-users&m=153633826515464&w=2
>>>
>>>>>For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
>>>>>is just what I need to prevent all rules from firing:
>>>
>>>>I think you mean !ALL_TRUSTED, right?
>>>
>>>yes, mail with (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is trusted
>>>submission, while (!ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is direct-to-MX
>>>
>>>I believe that mail that hits both ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
>>>should be exempted from hitting __DOS_DIRECT_TO_MX, currently:
>>>
>>>meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && 
>>>!__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && 
>>>!__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
>>>
>>>
>>>meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && 
>>>!ALL_TRUSTED && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && 
>>>!__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
>>
>>I see no reason to object to this.

On 26.04.19 13:07, John Hardin wrote:
>...on second thought... (sigh)
>
>__DOS_DIRECT_TO_MX doesn't imply anything about spam or ham. It's "was 
>the mail submitted directly to this server - no hops prior to that" - 
>which is a neutral fact about the mail. Adding !ALL_TRUSTED changes 
>that meaning, to say "submitted directly *by an untrusted source*".
>
>Is it valid to do that silently?

I believe that direct submissions from a trusted source should not be handled
the same as direct submissions from an untrusted source.

and I believe that all rules using __DOS_DIRECT_TO_MX are meant for
untrusted sources.

>Or would it be better to add a new meta like 
>__DOS_DIRECT_TO_MX_UNTRUSTED and modify the rules using 
>__DOS_DIRECT_TO_MX where appropriate (which, granted, is likely all 
>instances - but I don't *know* for sure that is appropriate in all 
>cases) to avoid silently changing the context for rules not in the SA 
>repo?
>
>That way the *intent* of the rules is clear and unambiguous.

Yes, this is another option, more clear, although uninformed rule
creators could create rules using __DOS_DIRECT_TO_MX so we would complain
again.

I currently can't imagine a rule deliberately trying to catch mail originating
from trusted sources to MX servers, but it may be possible.

Well, that's why I ask :)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: locally submitted / outgoing mail hitting multiple rules

Posted by John Hardin <jh...@impsec.org>.
On Fri, 26 Apr 2019, John Hardin wrote:

> On Fri, 26 Apr 2019, Matus UHLAR - fantomas wrote:
>
>> Btw, sorry John for not answering your last question:
>> 
>> https://marc.info/?l=spamassassin-users&m=153633826515464&w=2
>> 
>>>> For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
>>>> is just what I need to prevent all rules from firing:
>> 
>>> I think you mean !ALL_TRUSTED, right?
>> 
>> yes, mail with (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is trusted
>> submission, while (!ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is direct-to-MX
>> 
>> I believe that mail that hits both ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
>> should be exempted from hitting __DOS_DIRECT_TO_MX, currently:
>> 
>> meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && 
>> !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && 
>> !__DOS_RELAYED_EXT
>> 
>> 
>> meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && !ALL_TRUSTED && 
>> !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && 
>> !__DOS_RELAYED_EXT
>
> I see no reason to object to this.

...on second thought... (sigh)

__DOS_DIRECT_TO_MX doesn't imply anything about spam or ham. It's "was the 
mail submitted directly to this server - no hops prior to that" - which is 
a neutral fact about the mail. Adding !ALL_TRUSTED changes that meaning, 
to say "submitted directly *by an untrusted source*".

Is it valid to do that silently?

Or would it be better to add a new meta like __DOS_DIRECT_TO_MX_UNTRUSTED 
and modify the rules using __DOS_DIRECT_TO_MX where appropriate (which, 
granted, is likely all instances - but I don't *know* for sure that is 
appropriate in all cases) to avoid silently changing the context for rules 
not in the SA repo?

That way the *intent* of the rules is clear and unambiguous.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You can’t arm slaves and expect them to remain slaves,
   and similarly, you can’t disarm free citizens and
   expect them to remain free.                                 -- JPFO
-----------------------------------------------------------------------
  5 days until May Day - Remember 110 million people murdered by Communism
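
Added example (not part of any message in this thread, and not SpamAssassin's own code): a small evaluator for the meta expressions quoted above, comparing the in-place change to __DOS_DIRECT_TO_MX with the separate __DOS_DIRECT_TO_MX_UNTRUSTED meta. It treats metas as plain booleans; SITE_TRUSTED_DIRECT is a hypothetical out-of-repo rule, the body of __DOS_DIRECT_TO_MX_UNTRUSTED is an assumption, and the two hit sets are constructed.

```python
import re

# __DOS_DIRECT_TO_MX, DOS_OE_TO_MX* and TRUSTED_SUBMISSION bodies are quoted from
# the thread. SITE_TRUSTED_DIRECT is a hypothetical local rule, and the body of
# __DOS_DIRECT_TO_MX_UNTRUSTED is an assumption (the thread only proposes the name).
BASE = {
    "__DOS_DIRECT_TO_MX": "__DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB"
                          " && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT",
    "DOS_OE_TO_MX": "__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE",
    "DOS_OE_TO_MX_IMAGE": "__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH",
    "TRUSTED_SUBMISSION": "ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY",
    "SITE_TRUSTED_DIRECT": "__DOS_DIRECT_TO_MX && ALL_TRUSTED",
}
# Option 1: add !ALL_TRUSTED to the shared meta itself.
IN_PLACE = {**BASE, "__DOS_DIRECT_TO_MX": "!ALL_TRUSTED && " + BASE["__DOS_DIRECT_TO_MX"]}
# Option 2: keep the neutral meta and point the spam rules at an explicit variant.
NEW_META = {**BASE,
    "__DOS_DIRECT_TO_MX_UNTRUSTED": "__DOS_DIRECT_TO_MX && !ALL_TRUSTED",
    "DOS_OE_TO_MX": "__OE_MUA && __DOS_DIRECT_TO_MX_UNTRUSTED && !DOS_OE_TO_MX_IMAGE",
    "DOS_OE_TO_MX_IMAGE": "__OE_MUA && __DOS_DIRECT_TO_MX_UNTRUSTED && __ANY_IMAGE_ATTACH",
}

def evaluate(expr, rules, hits):
    """Evaluate a boolean meta; a name is another meta or a base rule in `hits`."""
    toks, pos = re.findall(r"&&|\|\||[!()]|\w+", expr), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        t = take()
        if t == "!":
            return not atom()
        if t == "(":
            v = chain("||")
            take()  # consume ")"
            return v
        return evaluate(rules[t], rules, hits) if t in rules else t in hits
    def chain(op):
        nxt = (lambda: chain("&&")) if op == "||" else atom
        v = nxt()
        while pos < len(toks) and toks[pos] == op:
            take()
            rhs = nxt()  # always parse the right side so tokens are consumed
            v = (v or rhs) if op == "||" else (v and rhs)
        return v
    return chain("||")

def fired(rules, hits):
    """Names of all metas in `rules` that are true for the given base hits."""
    return {name for name, expr in rules.items() if evaluate(expr, rules, hits)}

# Constructed hit sets: an unauthenticated trusted client and an untrusted sender.
TRUSTED_CLIENT = {"ALL_TRUSTED", "__DOS_SINGLE_EXT_RELAY", "__OE_MUA"}
UNTRUSTED_DIRECT = {"__DOS_SINGLE_EXT_RELAY", "__OE_MUA"}
```

For the trusted client, both options stop DOS_OE_TO_MX from firing, but only the in-place change also turns off the hypothetical SITE_TRUSTED_DIRECT rule, which is the silent change of meaning raised above.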

Re: locally submitted / outgoing mail hitting multiple rules

Posted by John Hardin <jh...@impsec.org>.
On Fri, 26 Apr 2019, Matus UHLAR - fantomas wrote:

> Btw, sorry John for not answering your last question:
>
> https://marc.info/?l=spamassassin-users&m=153633826515464&w=2
>
>>> For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
>>> is just what I need to prevent all rules from firing:
>
>> I think you mean !ALL_TRUSTED, right?
>
> yes, mail with (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is trusted
> submission, while (!ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is direct-to-MX
>
> I believe that mail that hits both ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
> should be exempted from hitting __DOS_DIRECT_TO_MX, currently:
>
> meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID 
> && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
>
>
> meta __DOS_DIRECT_TO_MX         __DOS_SINGLE_EXT_RELAY && !ALL_TRUSTED && 
> !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && 
> !__DOS_RELAYED_EXT

I see no reason to object to this.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   A government is a lot like a gun: It's always loaded,
   and it's stupid and dangerous to point it at anything
   you don't intend to hurt.                             -- GOF at TSM
-----------------------------------------------------------------------
  5 days until May Day - Remember 110 million people murdered by Communism

Re: locally submitted / outgoing mail hitting multiple rules

Posted by "@lbutlr" <kr...@kreme.com>.
On 26 Apr 2019, at 09:50, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> This leads me to testing rule:
> 
> meta      TRUSTED_SUBMISSION  ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY
> describe  TRUSTED_SUBMISSION  mail submitted by trusted client
> score     TRUSTED_SUBMISSION  -3
> 
> For now, I am testing this rule.
> 
> I hope that later this rule could be incorporated into multiple rules as
> John Hardin mentioned:

I suppose it's not going to hurt, but the real solution seems to be to use smtp auth. Historic reasons or not, this is the better solution in the general case, and things like this only encourage hanging on to that legacy bad behavior.

I mean, I had complaints many years ago when I started requiring authentication to send mail and removed pop-before-smtp (MANY years ago), or when I required people upgrade to newer clients that could support current security, but I wasn't going to budge on this.

This seems more like a solution that people can find and install if they really really need it and maybe not something that should be in the default rules.


-- 
"Alas, earwax."