Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/06/28 01:41:01 UTC

[Bug 4436] New: FPS because trusted_networks are ignored for X-Originating-IP header

http://bugzilla.spamassassin.org/show_bug.cgi?id=4436

           Summary: FPS because trusted_networks are ignored for X-
                    Originating-IP header
           Product: Spamassassin
           Version: 3.0.4
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: Rules (Eval Tests)
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: mbr@freebsd.org


Google Groups uses X-Originating-IP: in all its headers, causing
massive false positive rates for Google mails if one does use
blacklists.

Consider this case:

internal_networks       127.
trusted_networks        213.165.64.20

As you can see, 213.165.64.20 is whitelisted. But
all google group mails originating from this server
will lead to false positives.

See the proposed patch and the example.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4436] FPS because trusted_networks are ignored for X-Originating-IP header

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4436


jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|Undefined                   |3.1.0




------- Additional Comments From jm@jmason.org  2005-06-27 16:46 -------
needs checking




[Bug 4436] FPS because trusted_networks are ignored for X-Originating-IP header

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4436


jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From jm@jmason.org  2005-06-27 18:29 -------
hi Martin --

you're partly right.  not entirely though ;)

you're correct that X-Originating-IP etc should be considered for
untrusted/firsttrusted tests, and that patch is now applied (updated for 3.1.0)
to svn trunk.

However, looking at the trusted_networks line you posted, that still won't have
the desired effect-- you have to trust *all* servers along the path from your
server to the poster, e.g.:

  trusted_networks        213.165.64.20 216.155.201/24 66.218/16 130.60.28.29

this is because otherwise, [216.155.201.60] could have been a spammer pretending
to be a Yahoo server, and all Received lines prior to that one could have been a
forgery.  So unless [216.155.201.60] is also trusted, no hosts prior to that can
be trusted because the Received lines themselves are not trustworthy.

anyway, that fix is now in trunk. closing...

Sending        lib/Mail/SpamAssassin/EvalTests.pm
Transmitting file data .
Committed revision 202109.
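
The hop-by-hop trust rule described in the comment above, as an added example that is not part of the original thread and is not SpamAssassin's code. It is a simplified model: the function names are hypothetical, the relay order follows the trusted_networks example line, and 66.218.66.10 is a constructed address inside 66.218/16.

```python
import ipaddress

def parse_networks(spec):
    """Parse a trusted_networks-style value, accepting the short forms
    seen in the thread ('127.', '66.218/16', '216.155.201/24')."""
    nets = []
    for token in spec.split():
        addr, _, bits = token.partition("/")
        octets = [o for o in addr.split(".") if o]
        if not bits:
            bits = str(8 * len(octets))       # '127.' -> /8, full address -> /32
        octets += ["0"] * (4 - len(octets))    # '66.218' -> '66.218.0.0'
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False))
    return nets

def split_relays(relays, trusted_spec):
    """relays: connecting IPs taken from Received lines, newest first.
    Returns (trusted, untrusted). Trust stops at the first relay outside
    trusted_networks, because that relay could have forged every older line."""
    nets = parse_networks(trusted_spec)
    for i, ip in enumerate(relays):
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return relays[:i], relays[i:]
    return relays, []

# Constructed relay path, newest hop first. 66.218.66.10 is a made-up address
# inside 66.218/16; the other three appear in the thread.
PATH = ["213.165.64.20", "216.155.201.60", "66.218.66.10", "130.60.28.29"]

ONE_HOST = "213.165.64.20"
FULL_PATH = "213.165.64.20 216.155.201/24 66.218/16 130.60.28.29"
GAP = "213.165.64.20 66.218/16 130.60.28.29"   # 216.155.201/24 left out

if __name__ == "__main__":
    for name, spec in [("one host", ONE_HOST), ("full path", FULL_PATH), ("gap", GAP)]:
        trusted, untrusted = split_relays(PATH, spec)
        print(f"{name:9} trusted={trusted} untrusted={untrusted}")
```

The `GAP` case shows why listing later hops is not enough: with 216.155.201/24 missing, the hops behind it stay untrusted even though their own networks are listed.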






[Bug 4436] FPS because trusted_networks are ignored for X-Originating-IP header

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4436





------- Additional Comments From mbr@freebsd.org  2005-06-27 16:41 -------
Created an attachment (id=2961)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2961&action=view)
Proposed patch





[Bug 4436] FPS because trusted_networks are ignored for X-Originating-IP header

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4436





------- Additional Comments From mbr@freebsd.org  2005-06-27 22:20 -------
Hi,

> you're correct that X-Originating-IP etc should be considered for
> untrusted/firsttrusted tests, and that patch is now applied (updated for 3.1.0)
> to svn trunk.
>
> However, looking at the trusted_networks line you posted, that still won't have
> the desired effect-- you have to trust *all* servers along the path from your
> server to the poster, e.g.:
>
>  trusted_networks        213.165.64.20 216.155.201/24 66.218/16 130.60.28.29

It has the desired effect because all yahoo servers are whitelisted here. Yes -
we have a really big whitelist, about 700 ISPs are whitelisted with all their
passing mailservers. And this helps a lot to avoid FPS, you wouldn't believe it.

That an ISP server is hacked and sent from it directly is not really a problem
anymore these days.

> this is because otherwise, [216.155.201.60] could have been a spammer pretending
> to be a Yahoo server, and all Received lines prior to that one could have been a
> forgery.  So unless [216.155.201.60] is also trusted, no hosts prior to that can
> be trusted because the Received lines themselves are not trustworthy.

Of course. Sorry for my false example ...

Martin




[Bug 4436] FPS because trusted_networks are ignored for X-Originating-IP header

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4436





------- Additional Comments From mbr@freebsd.org  2005-06-27 16:42 -------
Created an attachment (id=2962)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2962&action=view)
Testcase



