https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5987
Summary: ALL_TRUSTED uses forged EHLO instead of real IP address
Product: Spamassassin
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: P3
Component: Rules
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Using internal_networks / trusted_networks, you can configure which networks
are yours. I did that, and a spammer forged the public IP address of the mail
server (probably using EHLO), and the ALL_TRUSTED rules triggered.
ALL_TRUSTED has a score of about -1.5.
http://wiki.apache.org/spamassassin/Rules/ALL_TRUSTED states:
"If your message hits on the ALL_TRUSTED rule, it means that all of the
Received: headers in the message were inserted by SMTP relays you have
indicated are "TrustedRelays" and the "from" part of the Received: header is
also from one of your "TrustedRelays"; consequently, no tests of the source of
the message (for example, tests against DNSBlocklists) will be performed."
The offending spam:
Return-Path: <[EMAIL PROTECTED]>
...
Received: from [1.2.3.4] (unknown [67.212.189.117])
by mail.example.com (Postfix) with SMTP id AEDE0303C57C
for <[EMAIL PROTECTED]>; Tue, 23 Sep 2008 12:50:31 +0200 (CEST)
Message-ID: <[EMAIL PROTECTED]>
From: "=?windows-1255?B?4/L6IOT5+OXvIA==?="
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: "=?windows-1255?B?4/L6IOT5+OXvIA==?="
<[EMAIL PROTECTED]
net>
Subject:
=?windows-1255?B?7Ozu5eMg7OPh+CDh+fT6IOTi5eLsLi4u5Obu8OQg7OT49uD6IO7h5eAg4efp8O0gIQ==?=
Date: Tue, 23 Sep 2008 05:50:30 -0500
X-Priority: 1
Importance: Highest
X-Mailer: Email Marketer Business Edition 1.90
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_476_2892_13059721.22605925"
EM-Campaign: {23876CB5-3361-4001-9DCF-8E9691B8241F}
EM-Task: 36
X-Spam-Status: No, score=0.4 required=8.0 tests=ALL_TRUSTED,HTML_MESSAGE,
MIME_QP_LONG_LINE autolearn=no version=3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
mail.example.com
This message is in MIME format with multi-part. Since your mail reader does not
understand this format, some or all of this message may not be legible.
------=_NextPart_476_2892_13059721.22605925
...
For privacy, I replaced the real hostname, IP address and email address with IP
address 1.2.3.4 and example.com. In the actual mail, 1.2.3.4 was the IP address
of the mail server (mail.example.com).
You can see from the Received: line:
Received: from [1.2.3.4] (unknown [67.212.189.117]) by mail.example.com ...
that the spammer pretended to have the IP of my own server. 1.2.3.4 is of
course internal and trusted, but here, it's forged. Postfix did log the real IP
address, though, which was 67.212.189.117.
The bug is that ALL_TRUSTED apparently used 1.2.3.4 and not 67.212.189.117 to
reason about the origin server.
Before you say that this is not what this rule is about:
1. The wiki docs above say "the from part of the Received: header is also from
one of your TrustedRelays". This was not true for me.
2. It makes no sense in this case to assign a score of -1.5 to the email.
There's no reason to believe that this might be ham. Therefore, no matter how
defined, the rule assigns a wrong score, as-is.
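As an added illustration (not code from the bug report and not SpamAssassin's own implementation), the Python below parses a Postfix-style Received line and evaluates an "all hops trusted" check two ways: from the EHLO name the client claimed, which is entirely under the sender's control, and from the bracketed address the receiving MTA actually recorded for the TCP connection. The parser, the all_trusted() function, the 1.2.3.0/24 trusted network and the second, internal Received line are assumptions constructed for the example; the spam Received line is the one quoted above, collapsed onto one line with a placeholder recipient.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Postfix-style hop: "from HELO (RDNS [IP]) by HOST ...".
# HELO is whatever the client sent in EHLO; the address inside [...] after the
# reverse-DNS name is what the MTA observed on the connection.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)


def parse_received(line: str) -> Optional[dict]:
    """Return helo / rdns / ip / by for one Received header, or None if unparseable."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),
        "ip": m.group("ip"),
        "by": m.group("by"),
    }


def ip_from_helo(helo: str) -> Optional[str]:
    """An EHLO argument may be an address literal like "[1.2.3.4]"; extract it."""
    m = re.fullmatch(r"\[([0-9a-fA-F.:]+)\]", helo)
    return m.group(1) if m else None


def is_trusted(ip: str, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def all_trusted(received_lines: List[str], trusted_networks: List[str],
                use_helo: bool = False) -> bool:
    """True only if every hop's source address lies in a trusted network.

    use_helo=False (correct): judge each hop by the address the MTA recorded.
    use_helo=True  (the behaviour the report describes): judge it by the
    sender-supplied EHLO literal instead.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for line in received_lines:
        hop = parse_received(line)
        if hop is None:
            return False  # an unparseable hop cannot be vouched for
        candidate = ip_from_helo(hop["helo"]) if use_helo else hop["ip"]
        if candidate is None or not is_trusted(candidate, nets):
            return False
    return True


# Assumed trusted network for the example (1.2.3.4 is the report's placeholder
# for the site's own mail server).
TRUSTED = ["1.2.3.0/24"]

# The report's Received line, collapsed onto one line; recipient is a placeholder.
SPAM_RECEIVED = [
    "Received: from [1.2.3.4] (unknown [67.212.189.117]) by mail.example.com "
    "(Postfix) with SMTP id AEDE0303C57C for <recipient@example.com>; "
    "Tue, 23 Sep 2008 12:50:31 +0200 (CEST)"
]

# Constructed internal hop: EHLO name, reverse DNS and connection address all agree.
INTERNAL_RECEIVED = [
    "Received: from webmail.example.com (webmail.example.com [1.2.3.5]) "
    "by mail.example.com (Postfix) with ESMTP id 0123456789AB; "
    "Tue, 23 Sep 2008 12:00:00 +0200 (CEST)"
]


if __name__ == "__main__":
    hop = parse_received(SPAM_RECEIVED[0])
    print("EHLO literal:", hop["helo"], "| observed address:", hop["ip"])
    print("spam, judged by EHLO:    ", all_trusted(SPAM_RECEIVED, TRUSTED, use_helo=True))
    print("spam, judged by address: ", all_trusted(SPAM_RECEIVED, TRUSTED))
    print("internal, judged by address:", all_trusted(INTERNAL_RECEIVED, TRUSTED))
```

Run as a script, the spam line is "all trusted" only when the EHLO literal is used, which is the mis-scoring the report complains about; judged by the recorded 67.212.189.117 it is untrusted, while the internal hop passes either way. The defensive point is that only the bracketed connection address in a header written by your own relay is evidence; the EHLO string is attacker input.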