Posted to users@spamassassin.apache.org by jpff <jp...@codemist.co.uk> on 2008/09/14 12:33:26 UTC

FM_FAKE_HELO_VERIZON

I have a user of a mailing list who is sending from a Verizon system,
and is being marked as spam.  Some is use of HTML etc but 

>     *  2.0 BOTNET_CLIENT Relay has a client-like hostname
>     *     =20
> [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net,
>     ipinhostname]
>     *  2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.

are the two that do not seem to be under control.  The mailing list
archive seems to be hiding the headers at present.

What exactly do they mean?  How can he prevent it?

==John ffitch

Re: FM_FAKE_HELO_VERIZON

Posted by John Hardin <jh...@impsec.org>.
On Sun, 2008-09-14 at 16:45 -0400, Gene Heskett wrote:

> No, but they use it as I stated, to make you put your web visible stuff on 
> their servers, where they can surround it with their commercials.  So they 
> block port 80 going out to their customers.

Not to minimize how annoying that is, but how is it relevant to an ISP
blocking outbound port 25 from their dynamic IP blocks to the internet
at large for users who have not explicitly asked for that access, given
how much that capability is subject to abuse?

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  I'm seriously considering getting one of those bright-orange prison
  overalls and stencilling PASSENGER on the back. Along with the paper
  slippers, I ought to be able to walk right through security.
					     -- Brian Kantor in a.s.r
-----------------------------------------------------------------------
 3 days until the 221st anniversary of the signing of the U.S. Constitution


Re: FM_FAKE_HELO_VERIZON

Posted by Gene Heskett <ge...@verizon.net>.
On Sunday 14 September 2008, mouss wrote:
>Gene Heskett wrote:
>> On Sunday 14 September 2008, mouss wrote:
>>> John Hardin wrote:
>>>> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
>>>>> verizon.net SPF record includes 206.46.0.0/16.
>>>>
>>>> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
>>>> their dynamic address pool...
>>>
>>> If they block port 25 except for "responsible" users, I have no problem
>>> with that. Maybe some people (Matt?) know more?
>>
>> I sure would have a problem with that.  It's bad enough I have to run my
>> web server by natting port 85 to 80 cuz vz blocks port 80 so you'll build
>> your web pages with their service they can load up with commercials.
>>
>> I pull from 3 different mail servers cuz vz has some pretty weird ideas
>> about what is good mail and what is spam, they have blocked lkml, the
>> busiest list in linuxdom as that much traffic has to be spam.  I can also
>> post through all three of the servers I suck from, and if they start
>> blocking 25 that isn't addressed to their server, my first email will be
>> to the FCC demanding they lose their common carrier status.
>
>When we say "an ISP blocks outbound port 25", we mean "they force
>passing via their relay". or if you prefer, they block TCP packets where
>the "foreign" port is 25 (if dest IP is "external", dest port must not
>be 25. and if source port is external, source port must not be 25).

Yes, same definition I'm using.

>This doesn't limit the recipients of their mail to the ISP customers.
>nor should this limit the sender to the ISP domain (some ISPs are known
>to limit to N declared sender domains though).

No, but they use it as I stated, to make you put your web visible stuff on 
their servers, where they can surround it with their commercials.  So they 
block port 80 going out to their customers.  Silently, and they deny it at 
tech support to their last breath.  Like comcast, to do so and lose the 
common carrier status, would cost them millions.  Tain't gonna happen as long 
as Bushco is naming commissioners.

That said, I have relatively little faith that the commission would act, there 
are far too many commercial folks all too willing to treat the commissioners 
to whatever they might indicate they need.  And as in any other enterprise, 
it's only illegal if you get caught.  The catchers unforch are busy.  And so 
it goes...

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Disclaimer: "These opinions are my own, though for a small fee they be
yours too."
		-- Dave Haynie

Re: FM_FAKE_HELO_VERIZON

Posted by mouss <mo...@netoyen.net>.
Gene Heskett wrote:
> On Sunday 14 September 2008, mouss wrote:
>> John Hardin wrote:
>>> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
>>>> verizon.net SPF record includes 206.46.0.0/16.
>>> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
>>> their dynamic address pool...
>> If they block port 25 except for "responsible" users, I have no problem
>> with that. Maybe some people (Matt?) know more?
> 
> I sure would have a problem with that.  It's bad enough I have to run my web 
> server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your 
> web pages with their service they can load up with commercials.
> 
> I pull from 3 different mail servers cuz vz has some pretty weird ideas about 
> what is good mail and what is spam, they have blocked lkml, the busiest list 
> in linuxdom as that much traffic has to be spam.  I can also post through all 
> three of the servers I suck from, and if they start blocking 25 that isn't 
> addressed to their server, my first email will be to the FCC demanding they 
> lose their common carrier status.
> 

When we say "an ISP blocks outbound port 25", we mean "they force 
passing via their relay". or if you prefer, they block TCP packets where 
the "foreign" port is 25 (if dest IP is "external", dest port must not 
be 25. and if source port is external, source port must not be 25).

This doesn't limit the recipients of their mail to the ISP customers. 
nor should this limit the sender to the ISP domain (some ISPs are known 
to limit to N declared sender domains though).


Re: FM_FAKE_HELO_VERIZON

Posted by Gene Heskett <ge...@verizon.net>.
On Sunday 14 September 2008, mouss wrote:
>John Hardin wrote:
>> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
>>> verizon.net SPF record includes 206.46.0.0/16.
>>
>> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
>> their dynamic address pool...
>
>If they block port 25 except for "responsible" users, I have no problem
>with that. Maybe some people (Matt?) know more?

I sure would have a problem with that.  It's bad enough I have to run my web 
server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your 
web pages with their service they can load up with commercials.

I pull from 3 different mail servers cuz vz has some pretty weird ideas about 
what is good mail and what is spam, they have blocked lkml, the busiest list 
in linuxdom as that much traffic has to be spam.  I can also post through all 
three of the servers I suck from, and if they start blocking 25 that isn't 
addressed to their server, my first email will be to the FCC demanding they 
lose their common carrier status.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Work is the crab grass in the lawn of life.
		-- Schulz

Re: FM_FAKE_HELO_VERIZON

Posted by mouss <mo...@netoyen.net>.
John Hardin wrote:
> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
> 
>> verizon.net SPF record includes 206.46.0.0/16.
> 
> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
> their dynamic address pool...
> 

If they block port 25 except for "responsible" users, I have no problem 
with that. Maybe some people (Matt?) know more?

Re: FM_FAKE_HELO_VERIZON

Posted by John Hardin <jh...@impsec.org>.
On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:

> verizon.net SPF record includes 206.46.0.0/16.

Verizon SPF'd a class-B space?? Please don't tell me that covers part of
their dynamic address pool...

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Look at the people at the top of both efforts. Linus Torvalds is a
  university graduate with a CS degree. Bill Gates is a university
  dropout who bragged about dumpster-diving and using other peoples'
  garbage code as the basis for his code. Maybe that has something to
  do with the difference in quality/security between Linux and
  Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
 3 days until the 221st anniversary of the signing of the U.S. Constitution


Re: FM_FAKE_HELO_VERIZON

Posted by mouss <mo...@netoyen.net>.
jpff wrote:
> I have a user of a mailing list who is sending from a Verizon system,
> and is being marked as spam.  Some is use of HTML etc but 
> 
>>     *  2.0 BOTNET_CLIENT Relay has a client-like hostname
>>     *     =20
>> [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net,
>>     ipinhostname]

botnet believes the hostname is dynamic (probably because of the 173001 
part). However, verizon.net SPF record includes 206.46.0.0/16. hmmm...

>>     *  2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.

yep. happens with Matt Kettler mail!

I have opened a bug:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5972


I suggest the following modification

header __FHOST_RDNS  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]*[a-z] /i

meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON && __FHOST_RDNS)
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL && __FHOST_RDNS)


now, it would be nice to modify Received.pm to ignore invalid rdns. any 
opinions?


> 
> are the two that do not seem to be under control.  The mailing list
> archive seems to be hiding the headers at present.
> 
> What exactly do they mean?  How can he prevent it?
> 
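
An added illustration of why the extra `__FHOST_RDNS` term in the proposed meta rule matters (example code written for this thread, not the SpamAssassin project's own rules or test suite): the three relay strings are constructed in the field layout SpamAssassin uses for `X-Spam-Relays-Untrusted`, `__FHOST_RDNS` is the regex from the post, and the shapes assumed for `__FHELO_VERIZON` / `__FHOST_VERIZON` are approximations of the project's subrules. When the relay has no reverse DNS at all, the original rule fires even though nothing contradicts the HELO; the proposed version stays quiet.

```python
import re

# Constructed pseudo-headers in SA's X-Spam-Relays-Untrusted layout (first relay only).
REAL_VZ = ("[ ip=206.46.173.1 rdns=vms173001pub.verizon.net "
           "helo=vms173001pub.verizon.net by=mx.example.org ident= "
           "envfrom= intl=0 id=ABC123 auth= msa=0 ]")
NO_RDNS = ("[ ip=206.46.173.1 rdns= helo=vms173001pub.verizon.net "
           "by=mx.example.org ident= envfrom= intl=0 id=ABC124 auth= msa=0 ]")
FAKE_VZ = ("[ ip=192.0.2.10 rdns=dsl-10.example.net helo=vms173001pub.verizon.net "
           "by=mx.example.org ident= envfrom= intl=0 id=ABC125 auth= msa=0 ]")

# __FHOST_RDNS exactly as proposed in the post: the first relay carries a
# non-empty rdns= value containing at least one letter.
FHOST_RDNS = re.compile(r'^[^\]]+ rdns=[^ ]*[a-z] ', re.I)
# Assumed stand-ins for SA's __FHELO_VERIZON / __FHOST_VERIZON (not the
# project's exact regexes): HELO / rDNS of the first relay ends in verizon.net.
FHELO_VERIZON = re.compile(r'^[^\]]+ helo=\S*verizon\.net ', re.I)
FHOST_VERIZON = re.compile(r'^[^\]]+ rdns=\S*verizon\.net ', re.I)


def fm_fake_helo_verizon(relays_untrusted, require_rdns=True):
    """Evaluate the meta rule. require_rdns=False is the original
    (__FHELO_VERIZON && !__FHOST_VERIZON); True adds && __FHOST_RDNS."""
    helo_vz = bool(FHELO_VERIZON.search(relays_untrusted))
    host_vz = bool(FHOST_VERIZON.search(relays_untrusted))
    if not helo_vz or host_vz:
        return False
    if require_rdns:
        return bool(FHOST_RDNS.search(relays_untrusted))
    return True


def compare(samples):
    """Return {name: (original_verdict, proposed_verdict)} for each sample."""
    return {name: (fm_fake_helo_verizon(s, require_rdns=False),
                   fm_fake_helo_verizon(s, require_rdns=True))
            for name, s in samples.items()}


if __name__ == "__main__":
    results = compare({"real": REAL_VZ, "no_rdns": NO_RDNS, "fake": FAKE_VZ})
    for name, (old, new) in results.items():
        print(f"{name:8s} original={old!s:5s} proposed={new}")
```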

Re: FM_FAKE_HELO_VERIZON

Posted by SM <sm...@resistor.net>.
At 03:33 14-09-2008, jpff wrote:
>I have a user of a mailing list who is sending from a Verizon system,
>and is being marked as spam.  Some is use of HTML etc but
>
> >     *  2.0 BOTNET_CLIENT Relay has a client-like hostname
> >     *     =20
> > [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net,
> >     ipinhostname]
> >     *  2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
>
>are the two that do not seem to be under control.  The mailing list
>archive seems to be hiding the headers at present.

The first rule is not a SpamAssassin (project) rule.  It incorrectly 
detects the hostname as a "botnet client".

A bug report has been posted for the second rule.

Regards,
-sm