You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "William A. Fink" <bi...@billfink.com> on 2013/10/30 15:41:52 UTC
Feedback on blacklist rule I plan to write
I have a brief question. I'll provide my setup though isn't applicable.
I'm using SpamAssassin version 3.3.1, on FreeBSD 8.1-RELEASE
I'm using Sendmail for my MTA
I'm using Procmail for my local
My question is: The SMTP protocol allows a return address to be
'<us...@ip-address.com>' and 'user@ip-address.com' and some other variations,
I'll assume.
My background knows that nearly _all_ mail when transferred uses
'user@domain-name.com' or '<us...@domain-name.com>'
This AM I was researching an email (spam) that I received and the actual
(hard-core) email-header and noticed they're using something similar to:
"user@some-domain@ip-address" and it's getting through.
My _real_ question is:
Can't I simply blacklist all/any emails that arrive where they're using
'user@ip-address' - while that's a rhetorical question, (I know I can) but
I'm looking for feedback as to why this would not be a good idea. ANY
respectable/legitimate MTA uses their domain-name as the latter part of the
return address, correct?
Feedback is more what I'm looking for on my question versus an answer to
'can I?' do this.
I will not care if there is that small percentage of MTA's that are/do
legitimately send using the IP address method. (Another discussion,
perhaps?)
If this is logical, how would I enter that in my local.cf ??
' blacklist_from @"[0..255].[0..255] .[0..255] .[0..255]"
(With/WithOUT quotes?)
...or is the REALLY a very bad idea?
Thanks so much for your assistance in advance.
RE: Feedback on blacklist rule I plan to write
Posted by Benny Pedersen <me...@junc.eu>.
John Hardin skrev den 2013-10-30 19:44:
> blacklist_from uses file globbing syntax rather than REs:
>
> Whitelist and blacklist addresses are now file-glob-style patterns,
> so
> friend@somewhere.com, *@isp.com, or *.domain.net will all work.
> Specifically, * and ? are allowed, but all other metacharacters are
> not.
> Regular expressions are not used for security reasons.
>
> You don't have fine enough control over it to blacklist numeric IPs in
> the from address. You'd either have to do that in your MTA, or using a
> regular header rule having a high score.
its wanted to match root@[127.0.0.1] in the blacklist from re
so its blacklist_from root@*
hard for me :=)
RE: Feedback on blacklist rule I plan to write
Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Oct 2013, William A. Fink wrote:
> blacklist_from @"\[[0..255].[0..255] .[0..255] .[0..255]\]"
blacklist_from uses file globbing syntax rather than REs:
Whitelist and blacklist addresses are now file-glob-style patterns, so
friend@somewhere.com, *@isp.com, or *.domain.net will all work.
Specifically, * and ? are allowed, but all other metacharacters are not.
Regular expressions are not used for security reasons.
You don't have fine enough control over it to blacklist numeric IPs in the
from address. You'd either have to do that in your MTA, or using a regular
header rule having a high score.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Tomorrow: Halloween
RE: Feedback on blacklist rule I plan to write
Posted by Benny Pedersen <me...@junc.eu>.
William A. Fink skrev den 2013-10-30 18:55:
> (local.cf)
> --------------------
> Whiltelist_from @friendly_domain.com
this allow forges
> blacklist_from @"\[[0..255].[0..255] .[0..255] .[0..255]\]"
blacklist_from *@"\[\[0..255]\.[0..255]\.[0..255]\.[0..255]\]"
forges is still possible on blacklist, but there is no point
Re: Feedback on blacklist rule I plan to write
Posted by Kai Schaetzl <ma...@conactive.com>.
Why so complicated? For literals just look for [ and ]. They can only be
around a literal IP address. Or if you want to block only the non-routable
addresses use these for regexp.
Your regexp seems to be ok to me, but I'm not an expert in regexp and I
don't know if you can use it there (it's not a rule). The blacklist_from
will act on other from headers as well - if that's ok.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
RE: Feedback on blacklist rule I plan to write
Posted by "William A. Fink" <bi...@billfink.com>.
Good point/question.
I want to avoid every email where contained in the header information the
'Reply-To' field is constructed in this format:
'user@[literal-ip-address]'
an example: 'bill@[192.168.1.10]' or 'bill@[10.10.5.6]'
Can you tell if my format/syntax is proper in the rule, how I think, would
be formatted?
(local.cf)
--------------------
Whiltelist_from @friendly_domain.com
...
blacklist_from @"\[[0..255].[0..255] .[0..255] .[0..255]\]"
<<<---That one.
....
Followed by other proper 'local.cf' properly formatted rules.
Thanks!
-----Original Message-----
From: Kai Schaetzl [mailto:maillists@conactive.com]
Sent: Wednesday, October 30, 2013 12:31 PM
To: users@spamassassin.apache.org
Subject: Re: Feedback on blacklist rule I plan to write
William A. Fink wrote on Wed, 30 Oct 2013 10:41:52 -0400:
> My question is: The SMTP protocol allows a return address to be
> '<us...@ip-address.com>' and 'user@ip-address.com' and some other
variations,
> I'll assume.
Are you really talking about ip-address.*com* or just ip-address?
SMTP allows ip-literals [ip-address], not ip-address. I think.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Feedback on blacklist rule I plan to write
Posted by Kai Schaetzl <ma...@conactive.com>.
William A. Fink wrote on Wed, 30 Oct 2013 10:41:52 -0400:
> My question is: The SMTP protocol allows a return address to be
> '<us...@ip-address.com>' and 'user@ip-address.com' and some other variations,
> I'll assume.
Are you really talking about ip-address.*com* or just ip-address?
SMTP allows ip-literals [ip-address], not ip-address. I think.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Feedback on blacklist rule I plan to write
Posted by Marc Perkel <su...@junkemailfilter.com>.
If it's all spam then why not?
On 10/30/2013 7:41 AM, William A. Fink wrote:
> I have a brief question. I'll provide my setup though isn't applicable.
>
> I'm using SpamAssassin version 3.3.1, on FreeBSD 8.1-RELEASE
>
> I'm using Sendmail for my MTA
>
> I'm using Procmail for my local
>
> My question is: The SMTP protocol allows a return address to be
> '<us...@ip-address.com>' and 'user@ip-address.com' and some other variations,
> I'll assume.
>
> My background knows that nearly _all_ mail when transferred uses
> 'user@domain-name.com' or '<us...@domain-name.com>'
>
> This AM I was researching an email (spam) that I received and the actual
> (hard-core) email-header and noticed they're using something similar to:
>
> "user@some-domain@ip-address" and it's getting through.
>
> My _real_ question is:
>
> Can't I simply blacklist all/any emails that arrive where they're using
> 'user@ip-address' - while that's a rhetorical question, (I know I can) but
> I'm looking for feedback as to why this would not be a good idea. ANY
> respectable/legitimate MTA uses their domain-name as the latter part of the
> return address, correct?
>
> Feedback is more what I'm looking for on my question versus an answer to
> 'can I?' do this.
>
> I will not care if there is that small percentage of MTA's that are/do
> legitimately send using the IP address method. (Another discussion,
> perhaps?)
>
> If this is logical, how would I enter that in my local.cf ??
>
> ' blacklist_from @"[0..255].[0..255] .[0..255] .[0..255]"
> (With/WithOUT quotes?)
>
> ...or is the REALLY a very bad idea?
>
> Thanks so much for your assistance in advance.
>
>
>
>
>
>
--
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: Feedback on blacklist rule I plan to write
Posted by Adam Moffett <ad...@plexicomm.net>.
absolutely right, thanks for jogging my memory.
> My reading of RFC5321 seems to indicate that"user@1.2.3.4" is NOT a
> valid address. It should instead be written as"user@[1.2.3.4]"
Re: Feedback on blacklist rule I plan to write
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> >On Wed, 30 Oct 2013 11:44:19 -0400
>> >David F. Skoll wrote:
>> >> My reading of RFC5321 seems to indicate that "user@1.2.3.4" is NOT
>> >> a valid address. It should instead be written as "user@[1.2.3.4]"
>> On 30.10.13 17:53, RW wrote:
>> >If you are referring to 4.1.3. I would say it's defining a routing
>> >mechanism rather than limiting what a valid address is.
>On Wed, 30 Oct 2013 20:13:40 +0100
>Matus UHLAR - fantomas wrote:
>> 4.1.2 defines it as part of mail address:
>>
>> address-literal = "[" ( IPv4-address-literal /
>> IPv6-address-literal /
>> General-address-literal ) "]"
>>
>> Mailbox = Local-part "@" ( Domain / address-literal )
On 30.10.13 20:07, RW wrote:
>But does anything actually say that 1.2.3.4 can't be treated as a
>hostname. Isn't the point of the [] to be a hint to the server that it
>can treat the contents as an IP address and deliver to that address. I
>don't see anything obviously wrong with something like no-reply@1.2.3.4
Well, it's not valid e-mail address and some MTAs can reject it (I guess
some even do). That's all.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
Re: Feedback on blacklist rule I plan to write
Posted by Dave Warren <da...@hireahit.com>.
On 2013-10-30 14:48, Benny Pedersen wrote:
> Dave Warren skrev den 2013-10-30 22:08:
>
>> 192.2.0.55 has a TLD... 55.
>
> dig 192.2.0.55
>
> what name have the nic ns then ?
None. That's actually my entire point.
>
>> Since the 55 TLD doesn't exist, you get a NXDOMAIN from the
>> root-servers and reject the mail.
>
> you could say it that way yes, but its still incorrect
How is that incorrect? The RFCs specify how to describe an address
literal, anything else should be treated as a domain name. 192.2.0.55 is
no different than hello.example or
aaaaaaaaaaaaaaathisisjustanexample20131030.com, both the MX and A record
lookups return a NXDOMAIN, and so the mail is not deliverable.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Feedback on blacklist rule I plan to write
Posted by Benny Pedersen <me...@junc.eu>.
Dave Warren skrev den 2013-10-30 22:08:
> 192.2.0.55 has a TLD... 55.
dig 192.2.0.55
what name have the nic ns then ?
> My interpretation is that when you have an IP specified properly
> [192.2.0.55], it's treated as a IPv4 address literal and is
> deliverable. When you have a bare IP, 192.2.0.55, you follow normal
> DNS lookups.
[192.2.0.55] is treated as a valid domain, but dont dig it :)
> Since the 55 TLD doesn't exist, you get a NXDOMAIN from the
> root-servers and reject the mail.
you could say it that way yes, but its still incorrect
Re: Feedback on blacklist rule I plan to write
Posted by Dave Warren <da...@hireahit.com>.
On 2013-10-30 13:54, Benny Pedersen wrote:
> Adam Moffett skrev den 2013-10-30 22:18:
>
>> I do enjoy a good educational argument though.
>
> domains needs a tld to be valid, ip addresses have no tld, so domain
> not found is what postfix and other mta sees
192.2.0.55 has a TLD... 55.
My interpretation is that when you have an IP specified properly
[192.2.0.55], it's treated as a IPv4 address literal and is deliverable.
When you have a bare IP, 192.2.0.55, you follow normal DNS lookups.
Since the 55 TLD doesn't exist, you get a NXDOMAIN from the root-servers
and reject the mail.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Feedback on blacklist rule I plan to write
Posted by Benny Pedersen <me...@junc.eu>.
David B Funk skrev den 2013-10-30 22:28:
> name@12.34.56.78 is -not- a valid email address (unless there's a
> new
> TLD named "78" ;).
that fun will come one day, spam blocking on ips will loose :)
Re: Feedback on blacklist rule I plan to write
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 30 Oct 2013, Benny Pedersen wrote:
> Adam Moffett skrev den 2013-10-30 22:18:
>
>> I do enjoy a good educational argument though.
>
> domains needs a tld to be valid, ip addresses have no tld, so domain not
> found is what postfix and other mta sees
>
> but postfix and possible other mtas allow *@[1.2.3.4] as sender/recipient
> envelope
RFC-2821 section 4 lists the correct syntax of IPv4 & IPv6 address literal
components of valid recipient addresses.
name@[12.34.56.78] is a valid email address using IPv4 address literals
name@12.34.56.78 is -not- a valid email address (unless there's a new
TLD named "78" ;).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Feedback on blacklist rule I plan to write
Posted by Benny Pedersen <me...@junc.eu>.
Adam Moffett skrev den 2013-10-30 22:18:
> I do enjoy a good educational argument though.
domains needs a tld to be valid, ip addresses have no tld, so domain not
found is what postfix and other mta sees
but postfix and possible other mtas allow *@[1.2.3.4] as
sender/recipient envelope
Re: Feedback on blacklist rule I plan to write
Posted by Adam Moffett <ad...@plexicomm.net>.
On 10/30/2013 3:07 PM, RW wrote:
> On Wed, 30 Oct 2013 20:13:40 +0100
> Matus UHLAR - fantomas wrote:
>
>>> On Wed, 30 Oct 2013 11:44:19 -0400
>>> David F. Skoll wrote:
>>>
>>>> On Wed, 30 Oct 2013 11:06:35 -0500
>>>> Adam Moffett <ad...@plexicomm.net> wrote:
>>>>
>>>>> I'm reasonably sure that user@ip makes a valid address, but even
>>>>> if it is I don't think I've ever observed it anywhere.
>>>> My reading of RFC5321 seems to indicate that "user@1.2.3.4" is NOT
>>>> a valid address. It should instead be written as "user@[1.2.3.4]"
>> On 30.10.13 17:53, RW wrote:
>>> If you are referring to 4.1.3. I would say it's defining a routing
>>> mechanism rather than limiting what a valid address is.
>> 4.1.2 defines it as part of mail address:
>>
>> address-literal = "[" ( IPv4-address-literal /
>> IPv6-address-literal /
>> General-address-literal ) "]"
>>
>> Mailbox = Local-part "@" ( Domain / address-literal )
> But does anything actually say that 1.2.3.4 can't be treated as a
> hostname. Isn't the point of the [] to be a hint to the server that it
> can treat the contents as an IP address and deliver to that address. I
> don't see anything obviously wrong with something like no-reply@1.2.3.4
>
>
Are we splitting hairs? Does it matter either way? I think it's a safe
assumption that none of my users are going to expect to receive an email
to or from an address formatted that way, so scoring it higher would
hurt no one. It's also not certain that a spammer is sending it that
way to begin with, so *not* scoring it high also probably hurts no one.
I do enjoy a good educational argument though.
Literal IP address as domain name (was Re: Feedback on blacklist
rule I plan to write)
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 30 Oct 2013 20:07:16 +0000
RW <rw...@googlemail.com> wrote:
> But does anything actually say that 1.2.3.4 can't be treated as a
> hostname.
Sec. 4.1.2 of RFC 5321 allows this according to the BNF grammar. But
I don't think the semantics are well-defined.
Both of these adhere to the grammar:
example@1.2.3.4
example@1.2.3.444
How are they to be interpreted? 1.2.3.4 is a legal IP address. It's
also a legal "domain" according to the BNF, but is it a legal domain
name in the DNS? RFC 1035 says a valid "label" in a domain
name has to start with a letter... but we all know that "3m.com" is a
valid domain name (or at least, that it resolves!) Then RFC 2181 muddies
the water and says:
"Those [length] restrictions
aside, any binary string whatever can be used as the label of any
resource record. [...]
Note however, that the various applications that make use of DNS data
can have restrictions imposed on what particular values are
acceptable in their environment. For example, that any binary label
can have an MX record does not imply that any binary name can be used
as the host part of an e-mail address. Clients of the DNS can impose
whatever restrictions are appropriate to their circumstances on the
values they use as keys for DNS lookup requests, and on the values
returned by the DNS. If the client has such restrictions, it is
solely responsible for validating the data from the DNS to ensure
that it conforms before it makes any use of that data."
1.2.3.444 means... what? It's not an IP address, and if we take
RFC 2181 at it's word, should we do MX and A lookups on "1.2.3.444"?
All in all, I would avoid email addresses that match the perl regex
[^@]+@\d+\.\d+\.\d+\.\d+
Regards,
David.
Re: Feedback on blacklist rule I plan to write
Posted by RW <rw...@googlemail.com>.
On Wed, 30 Oct 2013 20:13:40 +0100
Matus UHLAR - fantomas wrote:
> >On Wed, 30 Oct 2013 11:44:19 -0400
> >David F. Skoll wrote:
> >
> >> On Wed, 30 Oct 2013 11:06:35 -0500
> >> Adam Moffett <ad...@plexicomm.net> wrote:
> >>
> >> > I'm reasonably sure that user@ip makes a valid address, but even
> >> > if it is I don't think I've ever observed it anywhere.
> >>
> >> My reading of RFC5321 seems to indicate that "user@1.2.3.4" is NOT
> >> a valid address. It should instead be written as "user@[1.2.3.4]"
>
> On 30.10.13 17:53, RW wrote:
> >If you are referring to 4.1.3. I would say it's defining a routing
> >mechanism rather than limiting what a valid address is.
>
> 4.1.2 defines it as part of mail address:
>
> address-literal = "[" ( IPv4-address-literal /
> IPv6-address-literal /
> General-address-literal ) "]"
>
> Mailbox = Local-part "@" ( Domain / address-literal )
But does anything actually say that 1.2.3.4 can't be treated as a
hostname. Isn't the point of the [] to be a hint to the server that it
can treat the contents as an IP address and deliver to that address. I
don't see anything obviously wrong with something like no-reply@1.2.3.4
Re: Feedback on blacklist rule I plan to write
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Wed, 30 Oct 2013 11:44:19 -0400
>David F. Skoll wrote:
>
>> On Wed, 30 Oct 2013 11:06:35 -0500
>> Adam Moffett <ad...@plexicomm.net> wrote:
>>
>> > I'm reasonably sure that user@ip makes a valid address, but even if
>> > it is I don't think I've ever observed it anywhere.
>>
>> My reading of RFC5321 seems to indicate that "user@1.2.3.4" is NOT a
>> valid address. It should instead be written as "user@[1.2.3.4]"
On 30.10.13 17:53, RW wrote:
>If you are referring to 4.1.3. I would say it's defining a routing
>mechanism rather than limiting what a valid address is.
4.1.2 defines it as part of mail address:
address-literal = "[" ( IPv4-address-literal /
IPv6-address-literal /
General-address-literal ) "]"
Mailbox = Local-part "@" ( Domain / address-literal )
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: Feedback on blacklist rule I plan to write
Posted by RW <rw...@googlemail.com>.
On Wed, 30 Oct 2013 11:44:19 -0400
David F. Skoll wrote:
> On Wed, 30 Oct 2013 11:06:35 -0500
> Adam Moffett <ad...@plexicomm.net> wrote:
>
> > I'm reasonably sure that user@ip makes a valid address, but even if
> > it is I don't think I've ever observed it anywhere.
>
> My reading of RFC5321 seems to indicate that "user@1.2.3.4" is NOT a
> valid address. It should instead be written as "user@[1.2.3.4]"
If you are referring to 4.1.3. I would say it's defining a routing
mechanism rather than limiting what a valid address is.
Personally I don't think it matters - almost all SpamAssassin tests
penalize RFC compliant behaviour, and plenty of RFC violations are
neutral indicators.
Re: Feedback on blacklist rule I plan to write
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 30 Oct 2013 11:06:35 -0500
Adam Moffett <ad...@plexicomm.net> wrote:
> I'm reasonably sure that user@ip makes a valid address, but even if
> it is I don't think I've ever observed it anywhere.
My reading of RFC5321 seems to indicate that "user@1.2.3.4" is NOT a
valid address. It should instead be written as "user@[1.2.3.4]"
RFC5321 covers envelope addresses. RFC5322 covers header addresses
and also suggests that address literals need to be written as [1.2.3.4]
rather than 1.2.3.4.
Regards,
David.
Re: Feedback on blacklist rule I plan to write
Posted by Adam Moffett <ad...@plexicomm.net>.
I'm reasonably sure that user@ip makes a valid address, but even if it
is I don't think I've ever observed it anywhere.
I'm certain that double @ format you mention is invalid unless one of
the @'s is inside of quotation marks or parenthesis. e.g.:
"Ihave@inMyUsername"@somewhere.com or
MyUsername(Ihave@inAComment)@somewhere.com. If you're literally seeing
user@domain@ip then I think you could safely reject that simply for
having a malformed from: address.
I wouldn't hesitate to reject a message for either reason...but I may
tend to shoot first and question later.
> I have a brief question. I'll provide my setup though isn't applicable.
>
> I'm using SpamAssassin version 3.3.1, on FreeBSD 8.1-RELEASE
>
> I'm using Sendmail for my MTA
>
> I'm using Procmail for my local
>
> My question is: The SMTP protocol allows a return address to be
> '<us...@ip-address.com>' and 'user@ip-address.com' and some other variations,
> I'll assume.
>
> My background knows that nearly _all_ mail when transferred uses
> 'user@domain-name.com' or '<us...@domain-name.com>'
>
> This AM I was researching an email (spam) that I received and the actual
> (hard-core) email-header and noticed they're using something similar to:
>
> "user@some-domain@ip-address" and it's getting through.
>
> My _real_ question is:
>
> Can't I simply blacklist all/any emails that arrive where they're using
> 'user@ip-address' - while that's a rhetorical question, (I know I can) but
> I'm looking for feedback as to why this would not be a good idea. ANY
> respectable/legitimate MTA uses their domain-name as the latter part of the
> return address, correct?
>
> Feedback is more what I'm looking for on my question versus an answer to
> 'can I?' do this.
>
> I will not care if there is that small percentage of MTA's that are/do
> legitimately send using the IP address method. (Another discussion,
> perhaps?)
>
> If this is logical, how would I enter that in my local.cf ??
>
> ' blacklist_from @"[0..255].[0..255] .[0..255] .[0..255]"
> (With/WithOUT quotes?)
>
> ...or is the REALLY a very bad idea?
>
> Thanks so much for your assistance in advance.
>
>
>