Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.com> on 2012/01/06 06:06:35 UTC
shouldn't SA treat certain web-script headers as X-Spam-Relays-External?
Hi there
I just had the following phishing attacks get through with scores in the 2s.
http://pastebin.com/4Yyc0m7j
http://pastebin.com/R0XMM9Je
Both are generated by different hacked websites - both from 41.184.112.222
Could X-EN-OrigIP: and X-PHP-Script: be added to X-Spam-Relays-External
so as to pick up the originating IP? Rewriting that IP into a Received
header pushed the score up by 10 points due to the RBLs it's in
PS: pastebin.com picked both of these as SPAM - what are they doing
right that SA isn't? ;-)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?
Posted by Henrik K <he...@hege.li>.
On Fri, Jan 06, 2012 at 10:12:09PM +1300, Jason Haar wrote:
> Hi Henrik
>
> I tried that - didn't make a difference.
>
> In debug mode, it certainly made the IP address show up against
> X-Spam-Relays-External - but no RBL lookups against it occurred? That
> conflicts with the man page: "These IP addresses are virtually appended
> into the Received: chain, so they are used in RBL checks where appropriate."
First of all, as the documentation says, originating IPs are not appended into
X-Spam-Relays-* metadata. So I don't know how you managed that.
Secondly, did you really verify RBL lookups aren't done? (grep in reverse)
spamassassin -t -D < msg 2>&1 |grep 222.112.184.41
Also if you grep the IP as is, you should see a line with
"originating: 41.184.112.222".
PS. I tried all this myself with 3.3.2 and trunk..
Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?
Posted by RW <rw...@googlemail.com>.
On Fri, 06 Jan 2012 22:12:09 +1300
Jason Haar wrote:
> Hi Henrik
>
> I tried that - didn't make a difference.
>
> In debug mode, it certainly made the IP address show up against
> X-Spam-Relays-External - but no RBL lookups against it occurred? That
> conflicts with the man page: "These IP addresses are virtually
> appended into the Received: chain, so they are used in RBL checks
> where appropriate."
>
> If I change the last Received header to contain that IP address, I
> get a totally different score than when I rely on
> originating_ip_headers. I think the problem is these other headers
> are added to the *end* of the X-Spam-Relays* variables instead of the
> beginning?
Most RBLs only run against the last external IP address. Deeper
checks caused a high FP rate because of dynamic IPs being reassigned;
it doesn't matter for the last external, since dynamic addresses
delivering to the MX are overwhelmingly from botnets.
Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?
Posted by Jason Haar <Ja...@trimble.com>.
Hi Henrik
I tried that - didn't make a difference.
In debug mode, it certainly made the IP address show up against
X-Spam-Relays-External - but no RBL lookups against it occurred? That
conflicts with the man page: "These IP addresses are virtually appended
into the Received: chain, so they are used in RBL checks where appropriate."
If I change the last Received header to contain that IP address, I get a
totally different score than when I rely on originating_ip_headers. I
think the problem is these other headers are added to the *end* of the
X-Spam-Relays* variables instead of the beginning?
i.e. with just relying on originating_ip_headers I see 41.184.112.222 as:
Jan 6 21:59:33.671 [13958] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=178.33.48.155 rdns=s3.wirtualne.net helo=s3.wirtualne.net
by=dytn-smtp2.trimble.com ident= envfrom=sp1@s3.wirtualne.net intl=0 id=
auth= msa=0 ] [ ip=41.184.112.222 rdns= helo= by= ident= envfrom= intl=0
id= auth= msa=0 ]
whereas when 41.184.112.222 is the last Received header, I see:
Jan 6 21:56:35.901 [13397] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=41.184.112.222 rdns=bosmailout05.eigbox.net
helo=bosmailout05.eigbox.net by=dytn-smtp2.trimble.com ident= envfrom=
intl=0 id= auth= msa=0 ] [ ip=10.20.15.5 rdns=bosmailscan05.eigbox.net
helo=bosmailscan05.eigbox.net by=bosmailout05.eigbox.net ident= envfrom=
intl=0 id=1Rj14Z-0006Lz-Bx auth= msa=0 ] [ ip=10.20.55.1
rdns=bosimpout01.eigbox.net helo=bosimpout01.eigbox.net
by=bosmailscan05.eigbox.net ident= envfrom= intl=0 id=1Rj14Y-0006gn-Tg
auth= msa=0 ] [ ip=10.20.12.10 rdns= helo=boscgi4605.eigbox.net
by=bosimpout01.eigbox.net ident= envfrom= intl=0
id=J46X1i0050D0PFN0146XHy auth= msa=0 ] [ ip=41.184.112.222 rdns= helo=
by= ident= envfrom= intl=0 id= auth= msa=0 ]
This is SA 3.3.2
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?
Posted by Henrik K <he...@hege.li>.
On Fri, Jan 06, 2012 at 06:06:35PM +1300, Jason Haar wrote:
> Hi there
>
> I just had the following phishing attacks get through with scores in the 2s.
>
> http://pastebin.com/4Yyc0m7j
> http://pastebin.com/R0XMM9Je
>
> Both are generated by different hacked websites - both from 41.184.112.222
>
> Could X-EN-OrigIP: and X-PHP-Script: be added to X-Spam-Relays-External
> so as to pick up the originating IP? Rewriting that IP into a Received
> header pushed the score up by 10 points due to the RBLs it's in
>
> PS: pastebin.com picked both of these as SPAM - what are they doing
> right that SA isn't? ;-)
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html
See originating_ip_headers option.