Bug 846 - default whitelists still easily forged
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.41
Hardware: Other other
Importance: P2 normal
Target Milestone: 2.60
Assignee: Daniel Quinlan
URL:
Whiteboard:
Keywords:
Duplicates: 848 1522 1543 1790 1884
Depends on:
Blocks: 1522 1543
Reported: 2002-09-06 16:58 UTC by Theo Van Dinter
Modified: 2003-06-09 14:06 UTC
CC List: 5 users

Attachments (all text/plain, status None):
  301  First message                                                              Theo Van Dinter [HasCLA]
  302  Second message                                                             Theo Van Dinter [HasCLA]
  303  correct first message                                                      Theo Van Dinter [HasCLA]
  304  correct second message                                                     Theo Van Dinter [HasCLA]
  981  Return-Path @amazon, From @vip.sina.com, Received amazon.com ([61....])   Liudvikas Bukys [NoCLA]

Description Theo Van Dinter 2002-09-06 16:58:36 UTC
I wish we would just disable these damn things.  Two spams at around -90.

whitelist_from_rcvd  *@walmart.com                          walmart.com

213.68.163 is somewhere in RIPE net (Europe), and the second one is
obviously from Brazil.

From a76gfny@walmart.com  Fri Sep  6 16:39:31 2002
Return-Path: <a76gfny@walmart.com>
Received: from walmart.com ([213.68.163.202])
        by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86KcQnP028166
        for <felicity@eclectic.kluge.net>; Fri, 6 Sep 2002 16:39:13 -0400
Date: Fri, 6 Sep 2002 16:38:26 -0400
From: Jenny <a76gfny@walmart.com>
To: <felicity@eclectic.kluge.net>
Subject: Hi felicity, it is incredible...
Message-Id: <10313878891293.24776@walmart.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_7k7j9s8Du4MBAQ2r5QZB8LPpdUPAZC9g2dcC21G36bvZU50c"
Content-Disposition: inline
Content-transfer-encoding: base64
User-Agent: Mutt/1.2i
X-Spam-Status: No, hits=-93.4 required=5.0
tests=ALL_NATURAL,BASE64_ENC_TEXT,CARRIAGE_RETURNS,PENIS_ENLARGE,PENIS_ENLARGE2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_OSIRUSOFT_COM,SPAM_PHRASE_02_03,SUPERLONG_LINE,USER_AGENT,USER_AGENT_MUTT,USER_IN_WHITELIST
version=2.41
Status: RO
Content-Length: 854
Lines: 17

From a9337ny@walmart.com  Fri Sep  6 16:41:14 2002
Return-Path: <a9337ny@walmart.com>
Received: from walmart.com (200-207-53-20.dsl.telesp.net.br [200.207.53.20])
        by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86Kf4nP028276
        for <felicity@kluge.net>; Fri, 6 Sep 2002 16:41:10 -0400
Date: Fri, 6 Sep 2002 16:41:04 -0400
From: Jenny <a9337ny@walmart.com>
To: <felicity@kluge.net>
Subject: Hi felicity, it is incredible...
Message-Id: <10313880620206.27276@walmart.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_X464xN3e66jQUL2EGaI14Csi1h7fpu4ACHz4kzg9O93184MR"
Content-Disposition: inline
Content-transfer-encoding: base64
User-Agent: Mutt/1.2i
X-Spam-Status: No, hits=-89.9 required=5.0
tests=ALL_NATURAL,BASE64_ENC_TEXT,CARRIAGE_RETURNS,PENIS_ENLARGE,PENIS_ENLARGE2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_OSIRUSOFT_COM,SPAM_PHRASE_02_03,SUPERLONG_LINE,USER_AGENT,USER_AGENT_MUTT,USER_IN_WHITELIST,X_OSIRU_SPAMWARE_SITE
version=2.41
Status: RO
Content-Length: 863
Lines: 18
Comment 1 Marc Perkel 2002-09-06 20:00:16 UTC
Subject: Re: [SAdev]  New: default whitelists still easily forged

yep - as I predicted. Default white lists are a bad idea.

bugzilla-daemon@hughes-family.org wrote:

>http://www.hughes-family.org/bugzilla/show_bug.cgi?id=846
>
>           Summary: default whitelists still easily forged
>           Product: Spamassassin
>           Version: 2.41
>          Platform: Other
>        OS/Version: other
>            Status: NEW
>          Severity: normal
>          Priority: P2
>         Component: Rules
>        AssignedTo: spamassassin-devel@lists.sourceforge.net
>        ReportedBy: felicity@kluge.net
>
>

Comment 2 Daniel Quinlan 2002-09-08 00:19:55 UTC
Please attach the emails using the "Create a new attachment" feature.
We can't test any improvements without good examples.
Comment 3 Theo Van Dinter 2002-09-08 01:48:42 UTC
Created attachment 301 [details]
First message
Comment 4 Theo Van Dinter 2002-09-08 01:48:55 UTC
Created attachment 302 [details]
Second message
Comment 5 Theo Van Dinter 2002-09-08 01:51:44 UTC
fyi: my 2 attachments were saved after I removed the default whitelist
entries; that's why the scores are actually not ~-90.
Comment 6 Theo Van Dinter 2002-09-08 01:57:43 UTC
fyi: no, I'm just being stupid.  damn it.  that's what I get for trying to 
post stuff at 4:50am (can't sleep) on a very foreign machine at a family 
member's house.  let me try getting the correct messages and sending those in.
Comment 7 Theo Van Dinter 2002-09-08 01:58:49 UTC
Created attachment 303 [details]
correct first message
Comment 8 Theo Van Dinter 2002-09-08 01:58:59 UTC
Created attachment 304 [details]
correct second message
Comment 9 Daniel Quinlan 2002-09-08 14:10:45 UTC
assigning to myself

I am testing/refining an improvement to whitelist_from_rcvd.  It works right
now, but it needs more work to make it less susceptible to FPs and FNs -- a lot
more work.
Comment 10 Daniel Quinlan 2002-09-20 01:33:33 UTC
*** Bug 848 has been marked as a duplicate of this bug. ***
Comment 11 Liudvikas Bukys 2003-05-21 06:03:41 UTC
Created attachment 981 [details]
Return-Path @amazon, From @vip.sina.com, Received amazon.com ([61....])
Comment 12 Theo Van Dinter 2003-05-24 13:44:23 UTC
*** Bug 1522 has been marked as a duplicate of this bug. ***
Comment 13 Theo Van Dinter 2003-05-24 13:45:53 UTC
*** Bug 1543 has been marked as a duplicate of this bug. ***
Comment 14 Theo Van Dinter 2003-05-24 18:04:24 UTC
*** Bug 1884 has been marked as a duplicate of this bug. ***
Comment 15 Theo Van Dinter 2003-05-24 19:50:22 UTC
*** Bug 1790 has been marked as a duplicate of this bug. ***
Comment 16 Duncan Findlay 2003-06-06 23:10:47 UTC
Dan, what's the status on this?
Comment 17 Justin Mason 2003-06-07 15:40:57 UTC
suggestion:  We can reimplement the default whitelists in an unforgeable way, by
getting rid of the _rcvd version, and adding a new one which just tests the last
untrusted header -- since the rDNS data in that is added by a "trusted" relay
it's unforgeable.

However it requires that the trusted_networks param be set, or that our
heuristic for this be correct.

I think that would be acceptable in most cases though -- and at least it would
not let spam through.

comments?  sound good?
Comment 18 Justin Mason 2003-06-09 22:06:16 UTC
ok, fixed!

It now uses the trusted-networks code to figure out the trustworthy Received
header, and only uses the reverse DNS from that.  As a bonus, the default
whitelists now only get -15 points, so even if they do forge it, they can still
get caught.  (-100 was a bit extreme.)

I've tested it, and Theo's tests no longer escape, but a few shipping
confirmations etc. I have here are correctly diagnosed.

Note: may require trusted_networks to be set (if the heuristics don't work).
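
The forgery in the original report and the trusted-relay fix described in Comments 17 and 18, as an added example that is not part of this bug, the report, or SpamAssassin's own code. It models only the Received-header half of whitelist_from_rcvd (the From-address glob is left out). The naive checker is reconstructed from what the report shows, not taken from the 2.41 source: it credits any hostname in any Received header, so the self-asserted HELO name "walmart.com" is enough even when the relay recorded no rDNS at all or an rDNS in a Brazilian DSL pool. The hardened checker walks the headers from the newest inward while the sending IP is in a trusted network, stops at the first untrusted hop, and uses only the rDNS the trusted relay recorded there, so a Received header the sender planted below that boundary is ignored. The Received-header regex, the 192.0.2.0/24 trusted network, the example.net relay names, the mail.walmart.com and smtp.walmart.com hostnames and all RFC 5737 addresses are assumptions of the example; the two forged headers are copied from the report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Simplified parser for the sendmail-style Received header seen in the report:
# "from <helo> (<rdns> [<ip>])", or "from <helo> ([<ip>])" when the receiving
# MTA could not reverse-resolve the client.  Real headers vary far more; this
# covers only the shape on this page (an assumption of the example).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE)

@dataclass
class Hop:
    helo: str            # name the client asserted in HELO: attacker-chosen
    rdns: Optional[str]  # reverse DNS looked up and written by the receiving relay
    ip: str              # connecting IP recorded by the receiving relay

def parse_hops(raw: str) -> List[Hop]:
    """Received headers newest first, with folded continuation lines rejoined."""
    headers: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    hops = []
    for h in headers:
        m = RECEIVED_RE.search(h) if h.lower().startswith("received:") else None
        if m:
            hops.append(Hop(m["helo"], m["rdns"], m["ip"]))
    return hops

def host_matches(host: str, domain: str) -> bool:
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def naive_rcvd_check(raw: str, domain: str) -> bool:
    """Pre-fix behaviour as the report shows it (a reconstruction, not the 2.41
    code): any hostname in any Received header satisfies the domain check,
    including the self-asserted HELO name and headers the sender planted."""
    return any(name is not None and host_matches(name, domain)
               for hop in parse_hops(raw) for name in (hop.helo, hop.rdns))

def boundary_hop(hops: Sequence[Hop], trusted: Sequence[str]) -> Optional[Hop]:
    """Walk inward from the newest header while the sending IP belongs to one
    of our trusted relays.  The first hop from an untrusted IP is the boundary;
    its rDNS was written by a relay we trust, so the sender could not forge it.
    With no trusted networks the topmost header, written by our own MTA, is
    the boundary (standing in for the heuristic Comment 17 mentions)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hop in hops:
        if not any(ipaddress.ip_address(hop.ip) in n for n in nets):
            return hop
    return None   # every hop was internal; nothing external to vouch for

def hardened_rcvd_check(raw: str, domain: str, trusted: Sequence[str] = ()) -> bool:
    """Post-fix behaviour: only the rDNS recorded at the trust boundary counts.
    No rDNS (as in "([213.68.163.202])") or an rDNS outside the whitelisted
    domain means the relay did not vouch for the HELO name: no credit."""
    hop = boundary_hop(parse_hops(raw), trusted)
    return bool(hop and hop.rdns and host_matches(hop.rdns, domain))

# Constructed samples: the first two keep the relevant header of the two
# forgeries from the report; the others use hypothetical hostnames and
# RFC 5737 documentation addresses.
FORGED_NO_RDNS = """\
Received: from walmart.com ([213.68.163.202])
        by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86KcQnP028166
"""
FORGED_WRONG_RDNS = """\
Received: from walmart.com (200-207-53-20.dsl.telesp.net.br [200.207.53.20])
        by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86Kf4nP028276
"""
# Our trusted relay mx.example.net (192.0.2.0/24) is in front; the sender
# planted the bottom Received header to claim a walmart.com hop.
PLANTED_BELOW_BOUNDARY = """\
Received: from mx.example.net (mx.example.net [192.0.2.5])
        by inbox.example.net (8.12.6/8.12.6) with ESMTP id AAAAAA000001
Received: from walmart.com (203-0-113-77.dsl.example [203.0.113.77])
        by mx.example.net (8.12.6/8.12.6) with SMTP id AAAAAA000002
Received: from mail.walmart.com (mail.walmart.com [198.51.100.9])
        by walmart.com (8.12.6/8.12.6) with ESMTP id AAAAAA000003
"""
LEGIT = """\
Received: from smtp.walmart.com (smtp.walmart.com [198.51.100.10])
        by eclectic.kluge.net (8.12.6/8.12.6) with ESMTP id AAAAAA000004
"""

def verdicts(trusted: Sequence[str] = ("192.0.2.0/24",)) -> dict:
    """(naive, hardened) per sample for the walmart.com entry; True = whitelisted."""
    samples = {"forged_no_rdns": FORGED_NO_RDNS, "forged_wrong_rdns": FORGED_WRONG_RDNS,
               "planted_header": PLANTED_BELOW_BOUNDARY, "legit": LEGIT}
    return {name: (naive_rcvd_check(msg, "walmart.com"),
                   hardened_rcvd_check(msg, "walmart.com", trusted))
            for name, msg in samples.items()}
```

Calling verdicts() gives (True, False) for both forgeries from the report and for the planted-header message, and (True, True) for the constructed legitimate one: the naive check whitelists all four, the boundary check only the one whose rDNS the receiving relay actually resolved into walmart.com. The caveat in Comment 18 shows up in boundary_hop: with an empty trusted list the topmost header is taken as the boundary, so if mail arrives through an internal relay that is not listed in trusted_networks, that relay's own hop is judged instead of the real external sender and legitimate mail loses its whitelist credit (it fails closed rather than letting spam through, which is the trade-off Comment 17 accepts).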