Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2009/06/05 12:20:12 UTC

for discussion FQDN of *.lan vs *.home

I posted a bug, you can discuss here and I guess vote or discuss on 
bugzilla:

Way too many people are using .lan (local area network) as their 
internal, local lan.

I agree if FIRST untrusted does a 'helo *.lan' you should score it high, 
but if they have an internal server that does a helo *.lan to their 
external (bastion or smart host) and it uses a valid FQDN, you should 
not score it so high.

header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i

3.714 points is pretty high.

score HELO_LH_HOME 2.602 3.169 2.689 3.714

In this case the client used the 'default' FQDN on their Exchange server 
(yes, stupid, not RFC compliant). They have a real FQDN that matches 
their IP, but for some reason Microsoft does not make it abundantly 
clear how important the FQDN setting in Exchange is.

Score a little lower, or maybe score *.lan and *.home a little differently: 
split it into two rules.


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

Re: for discussion FQDN of *.lan vs *.home

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-06-05 at 06:20 -0400, Michael Scheidell wrote:
> I posted a bug, you can discuss here and I guess vote or discuss on 
> bugzilla:

No voting. And please keep the discussion on the list.

> Way too many people are using .lan (local area network) as their 
> internal, local lan.
> 
> I agree if FIRST untrusted does a 'helo *.lan' you should score it high, 
> but if they have an internal server that does a helo *.lan to their 
> external (bastion or smart host) and it uses a valid FQDN, you should 
> not score it so high.
> 
> header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
                                                  ^^^^^^^

The rule is anchored at the beginning of the internal header, and
excludes the closing square bracket in its matching. Thus it only
matches the last (the one handing off to your MX) untrusted relay.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
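As an added illustration of the anchoring point above (example code written for this page, not from the thread or from SpamAssassin itself): the `X-Spam-Relays-Untrusted` values below are constructed in SpamAssassin's one-bracket-group-per-relay layout, most recent hop first, and the `HELO_LH_HOME_NOAUTH` variant is an assumed reading of RW's "also test for auth=" remark, not a rule that exists in SpamAssassin.

```python
import re

# The HELO_LH_HOME regex exactly as quoted in the thread.
HELO_LH_HOME = re.compile(r'^[^\]]+ helo=\S+\.(?:home|lan) ', re.IGNORECASE)

# Assumed variant of RW's suggestion: additionally require an empty auth=
# field in the same bracket group, so an authenticated submission is not hit.
HELO_LH_HOME_NOAUTH = re.compile(
    r'^[^\]]+ helo=\S+\.(?:home|lan) [^\]]+ auth= ', re.IGNORECASE)


def relay(ip, rdns, helo, by, auth=""):
    """Build one relay entry in the X-Spam-Relays-* pseudo-header layout.
    Constructed sample data; field order follows SpamAssassin's format."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom= "
            f"intl=0 id= auth={auth} msa=0 ]")


def hits(rule, relays):
    """SpamAssassin lists relays most-recent hop first, space separated.
    Returns True when the rule's regex fires on the joined header value."""
    return rule.search(" ".join(relays)) is not None


# Scenario A: the host handing off to our MX itself said "helo=exchange.corp.lan".
DIRECT_LAN = [
    relay("192.0.2.10", "exchange.corp.lan", "exchange.corp.lan", "mx.example.net"),
]

# Scenario B (the case raised in the thread): the internal Exchange box helo'd
# as *.lan, but only to the customer's own bastion, which then helo'd to our MX
# with a valid FQDN. The *.lan hop lands in the SECOND bracket group, which the
# leading ^[^\]]+ can never reach.
VIA_BASTION = [
    relay("203.0.113.5", "smtp.customer.example", "smtp.customer.example", "mx.example.net"),
    relay("10.0.0.20", "", "exchange.corp.lan", "smtp.customer.example"),
]

# Scenario C: a *.home HELO, but over an authenticated (SMTP AUTH) submission.
AUTH_LAN = [
    relay("198.51.100.7", "", "laptop.home", "mx.example.net", auth="LOGIN"),
]

if __name__ == "__main__":
    print("A direct *.lan hop:       ", hits(HELO_LH_HOME, DIRECT_LAN))    # True
    print("B *.lan behind bastion:   ", hits(HELO_LH_HOME, VIA_BASTION))   # False
    print("C authed *.home, original:", hits(HELO_LH_HOME, AUTH_LAN))      # True
    print("C authed *.home, noauth:  ", hits(HELO_LH_HOME_NOAUTH, AUTH_LAN))  # False
```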


Re: for discussion FQDN of *.lan vs *.home

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-06-05 at 16:28 +0300, Henrik K wrote:
> On Fri, Jun 05, 2009 at 12:19:59PM +0100, RW wrote:

> > This test only looks at the last hop, so I don't see your concern.
> > 
> > Actually it should be the last hop into the internal network,
> > presumably it's one of the tests that's fixed in SVN. IMO it should
> > also test for "auth= "
> 
> Right, it's internal in SVN.. though isn't in sa-update yet.

*External*. :)




Re: for discussion FQDN of *.lan vs *.home

Posted by Henrik K <he...@hege.li>.
On Fri, Jun 05, 2009 at 12:19:59PM +0100, RW wrote:
> > 
> > header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
> 
> This test only looks at the last hop, so I don't see your concern.
> 
> Actually it should be the last hop into the internal network,
> presumably it's one of the tests that's fixed in SVN. IMO it should
> also test for "auth= "

Right, it's internal in SVN.. though isn't in sa-update yet.


Re: for discussion FQDN of *.lan vs *.home

Posted by RW <rw...@googlemail.com>.
On Fri, 05 Jun 2009 06:20:12 -0400
Michael Scheidell <sc...@secnap.net> wrote:


> I agree if FIRST untrusted 

FWIW the terms first and last should always be used in the client ->
spamassassin direction.

> does a 'helo *.lan' you should score it
> high, but if they have an internal server that does a helo *.lan to
> their external (bastion or smart host) and it uses a valid FQDN, you
> should not score it so high.
> 
> header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i

This test only looks at the last hop, so I don't see your concern.

Actually it should be the last hop into the internal network,
presumably it's one of the tests that's fixed in SVN. IMO it should
also test for "auth= "




Re: for discussion FQDN of *.lan vs *.home

Posted by Michael Scheidell <sc...@secnap.net>.
sorry, bugzilla link:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6124

