Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.com> on 2012/01/06 06:06:35 UTC

shouldn't SA treat certain web-script headers as X-Spam-Relays-External?

Hi there

I just had the following phishing attacks get through with scores in the 2s.

http://pastebin.com/4Yyc0m7j
http://pastebin.com/R0XMM9Je

Both are generated by different hacked websites - both from 41.184.112.222

Could X-EN-OrigIP: and X-PHP-Script: be added to X-Spam-Relays-External
so as to pick up the originating IP? Rewriting that IP into a Received
header pushed the score up by 10 points due to the RBLs it's in

PS: pastebin.com picked both of these as SPAM - what are they doing
right that SA isn't? ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?

Posted by Henrik K <he...@hege.li>.
On Fri, Jan 06, 2012 at 10:12:09PM +1300, Jason Haar wrote:
> Hi Henrik
> 
> I tried that - didn't make a difference.
> 
> In debug mode, it certainly made the IP address show up against
> X-Spam-Relays-External - but no RBL lookups against it occurred? That
> conflicts with the man page: "These IP addresses are virtually appended
> into the Received: chain, so they are used in RBL checks where appropriate."

First of all, as documentation says, originating IPs are not appended into
X-Spam-Relays-* metadata. So I don't know how you managed that.

Secondly, did you really verify RBL lookups aren't done? (grep in reverse)

spamassassin -t -D < msg 2>&1 |grep 222.112.184.41

Also if you grep the IP as is, you should see a line with
"originating: 41.184.112.222".

PS. I tried all this myself with 3.3.2 and trunk..


Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?

Posted by RW <rw...@googlemail.com>.
On Fri, 06 Jan 2012 22:12:09 +1300
Jason Haar wrote:

> Hi Henrik
> 
> I tried that - didn't make a difference.
> 
> In debug mode, it certainly made the IP address show up against
> X-Spam-Relays-External - but no RBL lookups against it occurred? That
> conflicts with the man page: "These IP addresses are virtually
> appended into the Received: chain, so they are used in RBL checks
> where appropriate."
> 
> If I change the last Received header to contain that IP address, I
> get a totally different score than when I rely on
> originating_ip_headers. I think the problem is these other headers
> are added to the *end* of the X-Spam-Relays* variables instead of the
> beginning?

Most RBLs only run against the last external IP address. Deeper
checks caused a high FP rate because of dynamic IPs being reassigned;
it doesn't matter for the last external since dynamic addresses
delivering to mx are overwhelmingly from botnets.

Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?

Posted by Jason Haar <Ja...@trimble.com>.
Hi Henrik

I tried that - didn't make a difference.

In debug mode, it certainly made the IP address show up against
X-Spam-Relays-External - but no RBL lookups against it occurred? That
conflicts with the man page: "These IP addresses are virtually appended
into the Received: chain, so they are used in RBL checks where appropriate."

If I change the last Received header to contain that IP address, I get a
totally different score than when I rely on originating_ip_headers. I
think the problem is these other headers are added to the *end* of the
X-Spam-Relays* variables instead of the beginning?

i.e. with just relying on originating_ip_headers I see 41.184.112.222 as:

Jan  6 21:59:33.671 [13958] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=178.33.48.155 rdns=s3.wirtualne.net helo=s3.wirtualne.net
by=dytn-smtp2.trimble.com ident= envfrom=sp1@s3.wirtualne.net intl=0 id=
auth= msa=0 ] [ ip=41.184.112.222 rdns= helo= by= ident= envfrom= intl=0
id= auth= msa=0 ]

whereas when 41.184.112.222 is the last Received header, I see:

Jan  6 21:56:35.901 [13397] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=41.184.112.222 rdns=bosmailout05.eigbox.net
helo=bosmailout05.eigbox.net by=dytn-smtp2.trimble.com ident= envfrom=
intl=0 id= auth= msa=0 ] [ ip=10.20.15.5 rdns=bosmailscan05.eigbox.net
helo=bosmailscan05.eigbox.net by=bosmailout05.eigbox.net ident= envfrom=
intl=0 id=1Rj14Z-0006Lz-Bx auth= msa=0 ] [ ip=10.20.55.1
rdns=bosimpout01.eigbox.net helo=bosimpout01.eigbox.net
by=bosmailscan05.eigbox.net ident= envfrom= intl=0 id=1Rj14Y-0006gn-Tg
auth= msa=0 ] [ ip=10.20.12.10 rdns= helo=boscgi4605.eigbox.net
by=bosimpout01.eigbox.net ident= envfrom= intl=0
id=J46X1i0050D0PFN0146XHy auth= msa=0 ] [ ip=41.184.112.222 rdns= helo=
by= ident= envfrom= intl=0 id= auth= msa=0 ]


This is SA 3.3.2

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
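As an added example (not code from this thread or from SpamAssassin itself), the following parses the X-Spam-Relays-Untrusted metadata quoted above, shows that the entry synthesised from originating_ip_headers lands at the end of the list rather than in the last-external position that RW's reply says the RBL rules check, and builds the reversed-octet DNSBL query name that Henrik's grep looks for. The helper names are my own and dnsbl.example is a placeholder zone.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the X-Spam-Relays-Untrusted lines quoted above, first two relays each.
RELAYS_VIA_ORIG_HEADER = (
    "[ ip=178.33.48.155 rdns=s3.wirtualne.net helo=s3.wirtualne.net "
    "by=dytn-smtp2.trimble.com ident= envfrom=sp1@s3.wirtualne.net intl=0 "
    "id= auth= msa=0 ] [ ip=41.184.112.222 rdns= helo= by= ident= envfrom= "
    "intl=0 id= auth= msa=0 ]"
)
RELAYS_VIA_RECEIVED = (
    "[ ip=41.184.112.222 rdns=bosmailout05.eigbox.net "
    "helo=bosmailout05.eigbox.net by=dytn-smtp2.trimble.com ident= envfrom= "
    "intl=0 id= auth= msa=0 ] [ ip=10.20.15.5 rdns=bosmailscan05.eigbox.net "
    "helo=bosmailscan05.eigbox.net by=bosmailout05.eigbox.net ident= envfrom= "
    "intl=0 id=1Rj14Z-0006Lz-Bx auth= msa=0 ]"
)

RELAY_RE = re.compile(r"\[\s*(.*?)\s*\]")

def parse_relays(metadata):
    """Split X-Spam-Relays-* metadata into dicts; index 0 is the relay that
    handed the message to the MX, later entries are further away from it."""
    relays = []
    for body in RELAY_RE.findall(metadata):
        fields = {}
        for token in body.split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays

def is_originating_entry(relay):
    """Entries synthesised from originating_ip_headers carry only an IP
    (no rdns, helo or by), as the second relay in the debug output shows."""
    return all(relay.get(k, "") == "" for k in ("rdns", "helo", "by"))

def last_external(relays):
    """The IP a 'lastexternal' RBL rule queries: the first entry in the list."""
    return relays[0]["ip"] if relays else None

def dnsbl_query_name(ip, zone):
    """Reverse the octets as a DNSBL lookup does; this is why Henrik greps
    the debug log for 222.112.184.41 instead of 41.184.112.222."""
    octets = str(IPv4Address(ip)).split(".")  # rejects malformed addresses
    return ".".join(reversed(octets)) + "." + zone

def seen_by_lastexternal_rbl(metadata, ip):
    """Would a last-external RBL rule ever query this IP for this message?"""
    return last_external(parse_relays(metadata)) == ip
```

Running seen_by_lastexternal_rbl on both samples reproduces the score difference Jason describes: only the rewritten Received header puts 41.184.112.222 where the last-external rules look.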


Re: shouldn't SA treat certain web-script headers as X-Spam-Relays-External?

Posted by Henrik K <he...@hege.li>.
On Fri, Jan 06, 2012 at 06:06:35PM +1300, Jason Haar wrote:
> Hi there
> 
> I just had the following phishing attacks get through with scores in the 2s.
> 
> http://pastebin.com/4Yyc0m7j
> http://pastebin.com/R0XMM9Je
> 
> Both are generated by different hacked websites - both from 41.184.112.222
> 
> Could X-EN-OrigIP: and X-PHP-Script: be added to X-Spam-Relays-External
> so as to pick up the originating IP? Rewriting that IP into a Received
> header pushed the score up by 10 points due to the RBLs it's in
> 
> PS: pastebin.com picked both of these as SPAM - what are they doing
> right that SA isn't? ;-)

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

See originating_ip_headers option.