Posted to users@spamassassin.apache.org by Michael Scheidell <mi...@secnap.com> on 2011/08/10 16:26:08 UTC

pilot error? or idiots at microsoft?

so, what brain decided it would be ok to use 169.* addresses for their 
internal ip's?

was it microsoft? (var says that ms uses these for their internal 
clustering ip's for clustered exchange servers)

so, either ms is really being stupid, or the var has something set up wrong.

and.. guess what,  SA doesn't know that 169* addresses are 'internal'

here is an outbound email (note: yes, this is amavisd, so, if you reply, 
trim your cc to the group you subscribe to, thanks).

but our 'outbound' policy maps required a 9+ before it's marked spam, so, 
amavisd doesn't know this is outbound email. based on these silly 
169.254.* ip's..

so, anyone ever heard of something so stupid?

x-spam-status:Yes, score=4.603 tag=-999 tag2=4 kill=4 
tests=[APOSTROPHE_FROM=0.545, BAYES_40=-0.001, DCC_REPUT_00_12=-0.4, 
HTML_MESSAGE=0.001, LOCAL_1UB_FORGED=2, RDNS_NONE=0.793, 
SARE_GIF_ATTACH=1.42, SPF_SOFTFAIL=0.665, ST_CREDIT_FOR_TWO=-1.42, 
ST_INLINE_IMAGE=1] autolearn=no

received:from spamtrap2.client.local ([127.0.0.1]) by 
spamtrap2.client.local (spamtrap2.client.local [127.0.0.1]) 
(SpammerTrap(r) SME-500, port 10024) with LMTP id QxTwPcYqMh-9 for 
<us...@example.com>; Wed, 10 Aug 2011 09:57:53 -0400 (EDT)

received:from MBX2.client.local (unknown [172.20.128.25]) (using TLSv1 
with cipher AES128-SHA (128/128 bits)) (No client certificate requested) 
by spamtrap2.client.local (Postfix) with ESMTPS id 6773561C0F5 for 
<us...@example.com>; Wed, 10 Aug 2011 09:57:53 -0400 (EDT)

received:from MBX1.client.local ([169.254.1.69]) by MBX2.client.local 
([169.254.2.63]) with mapi id 14.01.0289.001; Wed, 10 Aug 2011 09:57:51 
-0400
-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: pilot error? or idiots at microsoft?

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.
On Wed, 2011-08-10 at 10:26 -0400, Michael Scheidell wrote:
> so, what brain decided it would be ok to use 169.* addresses for their
> internal ip's?

IETF for link-local IPv4 addresses ->
https://secure.wikimedia.org/wikipedia/en/wiki/Link-local_address

[....]
> and.. guess what,  SA doesn't know that 169* addresses are 'internal'

Well, there are also RFC1918 addresses which are often, but not always,
"private".

	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at


Re: pilot error? or idiots at microsoft?

Posted by Mark Martinec <Ma...@ijs.si>.
On Wednesday August 10 2011 16:40:26 Michael Scheidell wrote:
> So, we open a bugzilla and put 169.254* addresses into 'local_networks'
> by default? like rfc1918?
> in the example, sa sees the internal (trusted) 172* ip, and sees 'first
> untrusted' (the 169* address!)
> spf fails, rbls are consulted. all could be avoided if ms actually
> followed RFC's
> <http://technet.microsoft.com/en-us/magazine/gg314976.aspx>

The 169.254.0.0/16 should be treated just like 127.0.0.0/8,
::1/128, and 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
It is a private address (link-local vs. host-local vs site-local).
As such it should be included in internal_networks, trusted_networks
and @mynetworks in amavisd.conf.

Just as there is nothing wrong with seeing 127.0.0.1 in a
received trace, there is nothing wrong with seeing 169.254.x.x
there.

  Mark
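
A simplified model of the trust-path walk discussed in this thread, added here as an example (it is not SpamAssassin or amavisd code): it runs over the Received headers from the original post and shows which relay becomes "first untrusted" with and without 169.254.0.0/16 in the trusted set. The function names and the header-matching regex are assumptions made for the illustration.

```python
import ipaddress
import re

# Received headers from the message posted in this thread, newest first
# (trimmed to the relay information).
RECEIVED = [
    "from spamtrap2.client.local ([127.0.0.1]) by spamtrap2.client.local "
    "(spamtrap2.client.local [127.0.0.1]) with LMTP",
    "from MBX2.client.local (unknown [172.20.128.25]) by "
    "spamtrap2.client.local (Postfix) with ESMTPS",
    "from MBX1.client.local ([169.254.1.69]) by MBX2.client.local "
    "([169.254.2.63]) with mapi",
]

# Ranges listed in the reply above, without and with link-local.
BASE = ["127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
WITH_LINK_LOCAL = BASE + ["169.254.0.0/16"]

# Hypothetical matcher: first bracketed address after "from <helo> (".
RELAY_RE = re.compile(r"from\s+\S+\s+\([^\[\]]*\[([0-9A-Fa-f:.]+)\]")

def relay_ip(header):
    """IP of the host that handed the message over."""
    m = RELAY_RE.search(header)
    if m is None:
        raise ValueError("no relay address in header: %r" % header)
    return ipaddress.ip_address(m.group(1))

def first_untrusted(headers, trusted_cidrs):
    """Walk newest to oldest; return the first relay outside trusted_cidrs.

    Returns None when every relay is trusted, i.e. the message is
    treated as having originated inside the trusted networks.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    for header in headers:
        ip = relay_ip(header)
        if not any(ip in net for net in nets):
            return str(ip)
    return None

if __name__ == "__main__":
    print("without 169.254/16:", first_untrusted(RECEIVED, BASE))
    print("with 169.254/16:   ", first_untrusted(RECEIVED, WITH_LINK_LOCAL))
    # Constructed header: an external relay (192.0.2.10, documentation
    # range) is still the first untrusted hop after the change.
    external = ["from mx.example.net (mx.example.net [192.0.2.10]) by MBX1"]
    print("external relay:    ", first_untrusted(RECEIVED + external, WITH_LINK_LOCAL))
```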

Re: pilot error? or idiots at microsoft?

Posted by Michael Scheidell <mi...@secnap.com>.
On 8/10/11 10:35 AM, Adam Moffett wrote:
> AFAIK, 169.254/16 is the autoconfiguration range for private networks 
> that don't have a DHCP server.
>
> That said, I have seen people use it for other internal purposes and 
> it isn't usually an issue.
I am moving more to assume ms are idiots.  this seems to be the default 
config for exchange clusters.

So, we open a bugzilla and put 169.254* addresses into 'local_networks' 
by default? like rfc1918?
in the example, sa sees the internal (trusted) 172* ip, and sees 'first 
untrusted' (the 169* address!)
spf fails, rbls are consulted. all could be avoided if ms actually 
followed RFC's

<http://technet.microsoft.com/en-us/magazine/gg314976.aspx>



Re: pilot error? or idiots at microsoft?

Posted by Adam Moffett <ad...@plexicomm.net>.
AFAIK, 169.254/16 is the autoconfiguration range for private networks 
that don't have a DHCP server.

That said, I have seen people use it for other internal purposes and it 
isn't usually an issue.

> so, what brain decided it would be ok to use 169.* addresses for their 
> internal ip's?
>
> was it microsoft? (var says that ms uses these for their internal 
> clustering ip's for clustered exchange servers)
>
> so, either ms is really being stupid, or the var has something set up 
> wrong.
>
> and.. guess what,  SA doesn't know that 169* addresses are 'internal'
>
> here is an outbound email (note: yes, this is amavisd, so, if you 
> reply, trim your cc to the group you subscribe to, thanks).
>
> but our 'outbound' policy maps required a 9+ before it's marked spam, 
> so, amavisd doesn't know this is outbound email. based on these silly 
> 169.254.* ip's..
>
> so, anyone ever heard of something so stupid?
>
> x-spam-status:Yes, score=4.603 tag=-999 tag2=4 kill=4 
> tests=[APOSTROPHE_FROM=0.545, BAYES_40=-0.001, DCC_REPUT_00_12=-0.4, 
> HTML_MESSAGE=0.001, LOCAL_1UB_FORGED=2, RDNS_NONE=0.793, 
> SARE_GIF_ATTACH=1.42, SPF_SOFTFAIL=0.665, ST_CREDIT_FOR_TWO=-1.42, 
> ST_INLINE_IMAGE=1] autolearn=no
>
> received:from spamtrap2.client.local ([127.0.0.1]) by 
> spamtrap2.client.local (spamtrap2.client.local [127.0.0.1]) 
> (SpammerTrap(r) SME-500, port 10024) with LMTP id QxTwPcYqMh-9 for 
> <us...@example.com>; Wed, 10 Aug 2011 09:57:53 -0400 (EDT)
>
> received:from MBX2.client.local (unknown [172.20.128.25]) (using TLSv1 
> with cipher AES128-SHA (128/128 bits)) (No client certificate 
> requested) by spamtrap2.client.local (Postfix) with ESMTPS id 
> 6773561C0F5 for <us...@example.com>; Wed, 10 Aug 2011 09:57:53 -0400 (EDT)
>
> received:from MBX1.client.local ([169.254.1.69]) by MBX2.client.local 
> ([169.254.2.63]) with mapi id 14.01.0289.001; Wed, 10 Aug 2011 
> 09:57:51 -0400