SA Bugzilla – Bug 846
default whitelists still easily forged
Last modified: 2003-06-09 14:06:16 UTC
I wish we would just disable these damn things. Two spams at around -90.

whitelist_from_rcvd *@walmart.com walmart.com

213.68.163 is somewhere in RIPE net (Europe), and the second one is obviously from brazil.

From a76gfny@walmart.com Fri Sep 6 16:39:31 2002
Return-Path: <a76gfny@walmart.com>
Received: from walmart.com ([213.68.163.202])
    by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86KcQnP028166
    for <felicity@eclectic.kluge.net>; Fri, 6 Sep 2002 16:39:13 -0400
Date: Fri, 6 Sep 2002 16:38:26 -0400
From: Jenny <a76gfny@walmart.com>
To: <felicity@eclectic.kluge.net>
Subject: Hi felicity, it is incredible...
Message-Id: <10313878891293.24776@walmart.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_7k7j9s8Du4MBAQ2r5QZB8LPpdUPAZC9g2dcC21G36bvZU50c"
Content-Disposition: inline
Content-transfer-encoding: base64
User-Agent: Mutt/1.2i
X-Spam-Status: No, hits=-93.4 required=5.0 tests=ALL_NATURAL,BASE64_ENC_TEXT,CARRIAGE_RETURNS,PENIS_ENLARGE,PENIS_ENLARGE2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_OSIRUSOFT_COM,SPAM_PHRASE_02_03,SUPERLONG_LINE,USER_AGENT,USER_AGENT_MUTT,USER_IN_WHITELIST version=2.41
Status: RO
Content-Length: 854
Lines: 17

From a9337ny@walmart.com Fri Sep 6 16:41:14 2002
Return-Path: <a9337ny@walmart.com>
Received: from walmart.com (200-207-53-20.dsl.telesp.net.br [200.207.53.20])
    by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86Kf4nP028276
    for <felicity@kluge.net>; Fri, 6 Sep 2002 16:41:10 -0400
Date: Fri, 6 Sep 2002 16:41:04 -0400
From: Jenny <a9337ny@walmart.com>
To: <felicity@kluge.net>
Subject: Hi felicity, it is incredible...
Message-Id: <10313880620206.27276@walmart.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_X464xN3e66jQUL2EGaI14Csi1h7fpu4ACHz4kzg9O93184MR"
Content-Disposition: inline
Content-transfer-encoding: base64
User-Agent: Mutt/1.2i
X-Spam-Status: No, hits=-89.9 required=5.0 tests=ALL_NATURAL,BASE64_ENC_TEXT,CARRIAGE_RETURNS,PENIS_ENLARGE,PENIS_ENLARGE2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_OSIRUSOFT_COM,SPAM_PHRASE_02_03,SUPERLONG_LINE,USER_AGENT,USER_AGENT_MUTT,USER_IN_WHITELIST,X_OSIRU_SPAMWARE_SITE version=2.41
Status: RO
Content-Length: 863
Lines: 18
Subject: Re: [SAdev] New: default whitelists still easily forged

yep - as I predicted. Default white lists are a bad idea.
Please attach the emails using the "Create a new attachment" feature. We can't test any improvements without good examples.
Created attachment 301 [details] First message
Created attachment 302 [details] Second message
fyi: my 2 attachments were saved post me removing the default whitelist entries, that's why the scores are actually not ~-90.
fyi: no, I'm just being stupid. damn it. that's what I get for trying to post stuff at 4:50am (can't sleep) on a very foreign machine at a family member's house. let me try getting the correct messages and sending those in.
Created attachment 303 [details] correct first message
Created attachment 304 [details] correct second message
assigning to myself

I am testing/refining an improvement to whitelist_from_rcvd. It works right now, but it needs more work to make it less susceptible to FPs and FNs -- a lot more work.
*** Bug 848 has been marked as a duplicate of this bug. ***
Created attachment 981 [details] Return-Path @amazon, From @vip.sina.com, Received amazon.com ([61....])
*** Bug 1522 has been marked as a duplicate of this bug. ***
*** Bug 1543 has been marked as a duplicate of this bug. ***
*** Bug 1884 has been marked as a duplicate of this bug. ***
*** Bug 1790 has been marked as a duplicate of this bug. ***
Dan, what's the status on this?
suggestion: We can reimplement the default whitelists in an unforgeable way, by getting rid of the _rcvd version, and adding a new one which just tests the last untrusted header -- since the rDNS data in that is added by a "trusted" relay it's unforgeable. However it requires that the trusted_networks param be set, or that our heuristic for this be correct. I think that would be acceptable in most cases though -- and at least it would not let spam through. comments? sound good?
ok, fixed! It now uses the trusted-networks code to figure out the trustworthy Received header, and only uses the reverse DNS from that. As a bonus, the default whitelists now only get -15 points, so even if they do forge it, they can still get caught. (-100 was a bit extreme.) I've tested it, and Theo's tests no longer escape, but a few shipping confirmations etc. I have here are correctly diagnosed. Note: may require trusted_networks to be set (if the heuristics don't work).
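An added illustration of the two checks the last two comments contrast (not SpamAssassin's own code, and Python rather than the project's Perl): the first two Received lines are the ones quoted in the report, the third is a constructed genuine case, and keying trust on the relay's name in the "by" clause is an assumed simplification of the trusted_networks address ranges.

```python
import re

# Sample Received lines: the first two are quoted in the bug report (HELO forged as
# walmart.com, written by the trusted relay eclectic.kluge.net); the third is a
# constructed genuine case where the relay's own rDNS lookup agrees with the HELO.
RCVD_FORGED_NO_RDNS = ("Received: from walmart.com ([213.68.163.202]) "
                       "by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86KcQnP028166")
RCVD_FORGED_RDNS = ("Received: from walmart.com (200-207-53-20.dsl.telesp.net.br "
                    "[200.207.53.20]) by eclectic.kluge.net (8.12.6/8.12.6) with SMTP id g86Kf4nP028276")
RCVD_GENUINE = ("Received: from mail.walmart.com (mail.walmart.com [192.0.2.10]) "
                "by eclectic.kluge.net (8.12.6/8.12.6) with ESMTP id CONSTRUCTED01")

# "from HELO (rDNS [ip]) by RELAY"; the rDNS part is optional, as in the first sample.
RCVD_RE = re.compile(r"^Received:\s+from\s+(?P<helo>\S+)"
                     r"(?:\s+\((?:(?P<rdns>[A-Za-z0-9.-]+)\s+)?\[(?P<ip>[0-9.]+)\]\))?"
                     r"\s+by\s+(?P<by>\S+)")

def parse_received(header):
    m = RCVD_RE.match(header)
    return m.groupdict() if m else None

def domain_matches(hostname, domain):
    """hostname equals `domain` or is a subdomain of it (case-insensitive)."""
    if not hostname:
        return False
    h, d = hostname.lower().rstrip("."), domain.lower()
    return h == d or h.endswith("." + d)

def whitelist_rcvd_forgeable(header, domain):
    """The check the report shows being fooled: any host name in the header,
    including the HELO string the sending client chose itself, is accepted."""
    r = parse_received(header)
    return r is not None and (domain_matches(r["helo"], domain)
                              or domain_matches(r["rdns"], domain))

def whitelist_rcvd_fixed(headers, domain, trusted_relays):
    """Walk Received headers top-down (most recent hop first) to the one a trusted
    relay wrote for an untrusted peer, i.e. where the message entered our networks,
    and consult only the reverse DNS that relay recorded. Trust is keyed on the
    'by' name here (assumed simplification); with no trusted relay nothing matches."""
    for h in headers:
        r = parse_received(h)
        if r is None or r["by"].lower() not in trusted_relays:
            return False  # written by a relay we do not trust: stop here
        if r["rdns"] and r["rdns"].lower() in trusted_relays:
            continue  # hop between two of our own relays, keep walking
        return domain_matches(r["rdns"], domain)
    return False
```

Both forged samples pass the HELO-based check and fail the rDNS-at-the-trust-boundary check, while the constructed genuine message still whitelists only when the receiving relay is listed as trusted.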