Forwarded spam - SpamAssassin


Thread: Forwarded spam

  1. Forwarded spam

    I'm trying to improve the effectiveness of a spamassassin installation,
    and there's one user who gets a lot of spam that is forwarded from
    another address, which effectively kills the network tests and in some
    cases messes with the BAYES score as well. I want to get rid of it.

    My solution to the problem was originally to add the forwarding mtas to
    trusted_networks (seems ironic, but I think this is appropriate).

    Unfortunately, this doesn't work, because the headers look like this
    (with apologies for the munging, but it's not my e-mail):

    Received: from mta3.iomartmail.com ([62.128.193.153])
    by smtp.DOMAIN.com with esmtps (TLS1.0HE_RSA_AES_256_CBC_SHA1:32)
    (Exim 4.69)
    (envelope-from )
    id 1KOUZB-0001Xq-Eb
    for USER@DOMAIN.com; Thu, 31 Jul 2008 10:35:29 +0100
    Received: from mta3.iomartmail.com (localhost.localdomain [127.0.0.1])
    by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id
    m6V9ZOVc018574
    for ; Thu, 31 Jul 2008 10:35:24 +0100
    Received: from p548AAE80.dip0.t-ipconnect.de
    (p548AB09B.dip0.t-ipconnect.de [84.138.176.155])
    by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with SMTP id
    m6V9ZNUK018506
    for ; Thu, 31 Jul 2008 10:35:24 +0100

    info@ORIGINALDOMAIN.co.uk is the original address, which is handled by
    mta[X].iomartmail.com, and it's forwarded to USER@DOMAIN.com, which is
    handled by smtp.DOMAIN.com.

    I can put 62.128.193.153 into trusted_networks, which should make
    spamassassin look at the next header back, but that's another
    iomartmail.com machine (presumably a virus/spam checker), and I'm fairly
    sure adding 127.0.0.1 to trusted_networks would be a mistake.

    Question one: Is there a way of getting the network tests working on
    these forwarded e-mails?


    My next idea is just to add a load of score to messages to
    ORIGINALDOMAIN.com. Looking in the wiki at
    http://wiki.apache.org/spamassassin/...01073b8180c728
    I see this:

    ===
    Checking the From: line, or any other header, works much the same:

    header LOCAL_DEMONSTRATION_FROM From =~ /test\.com/i
    score LOCAL_DEMONSTRATION_FROM 0.1

    Now, that rule is pretty silly, as it doesn't do much that a
    blacklist_from can't.
    ===

    What I want to do is blacklist_to *@ORIGINALDOMAIN.co.uk, but with a
    score of 3 (ie, it's not really a blacklisting). The quote above seems
    to suggest I can do that, but I can't see it in the docs. Question two:
    is it possible to set a score on a blacklisted address?

    Finally, I can use header ToCC, and that'll probably do, but I wanted to
    know if there's a better way.

    Thanks,
    Chris


  2. Re: Forwarded spam

    Chris Lear wrote:
    > I'm trying to improve the effectiveness of a spamassassin
    > installation, and there's one user who gets a lot of spam that is
    > forwarded from another address, which effectively kills the network
    > tests and in some cases messes with the BAYES score as well. I want to
    > get rid of it.
    >
    > My solution to the problem was originally to add the forwarding mtas
    > to trusted_networks (seems ironic, but I think this is appropriate).
    >
    > Unfortunately, this doesn't work, because the headers look like this
    > (with apologies for the munging, but it's not my e-mail):
    >
    > Received: from mta3.iomartmail.com ([62.128.193.153])
    > by smtp.DOMAIN.com with esmtps (TLS1.0HE_RSA_AES_256_CBC_SHA1:32)
    > (Exim 4.69)
    > (envelope-from )
    > id 1KOUZB-0001Xq-Eb
    > for USER@DOMAIN.com; Thu, 31 Jul 2008 10:35:29 +0100
    > Received: from mta3.iomartmail.com (localhost.localdomain [127.0.0.1])
    > by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id
    > m6V9ZOVc018574
    > for ; Thu, 31 Jul 2008 10:35:24 +0100
    > Received: from p548AAE80.dip0.t-ipconnect.de
    > (p548AB09B.dip0.t-ipconnect.de [84.138.176.155])
    > by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with SMTP id
    > m6V9ZNUK018506
    > for ; Thu, 31 Jul 2008 10:35:24 +0100
    >
    > info@ORIGINALDOMAIN.co.uk is the original address, which is handled by
    > mta[X].iomartmail.com, and it's forwarded to USER@DOMAIN.com, which is
    > handled by smtp.DOMAIN.com.
    >
    > I can put 62.128.193.153 into trusted_networks, which should make
    > spamassassin look at the next header back, but that's another
    > iomartmail.com machine (presumably a virus/spam checker), and I'm
    > fairly sure adding 127.0.0.1 to trusted_networks would be a mistake.

    Why would adding 127.0.0.1 to trusted_networks be a mistake? Since trust
    is a path this won't lead to spammers being able to forge trust, as
    they'd have to first get to your system from a trusted IP address. (or
    manage to do a TCP blind-spoofing attack and make it look like it came
    from one)

    >
    > Question one: Is there a way of getting the network tests working on
    > these forwarded e-mails?
    >
    >
    > My next idea is just to add a load of score to messages to
    > ORIGINALDOMAIN.com. Looking in the wiki at
    > http://wiki.apache.org/spamassassin/...01073b8180c728
    > I see this:
    >
    > ===
    > Checking the From: line, or any other header, works much the same:
    >
    > header LOCAL_DEMONSTRATION_FROM From =~ /test\.com/i
    > score LOCAL_DEMONSTRATION_FROM 0.1
    >
    > Now, that rule is pretty silly, as it doesn't do much that a
    > blacklist_from can't.
    > ===
    >
    > What I want to do is blacklist_to *@ORIGINALDOMAIN.co.uk, but with a
    > score of 3 (ie, it's not really a blacklisting). The quote above seems
    > to suggest I can do that, but I can't see it in the docs. Question
    > two: is it possible to set a score on a blacklisted address?

    No, unless you reset the score for all blacklist_to's:
    score USER_IN_BLACKLIST_TO 3.0

    When I said it "doesn't do much that a blacklist_from can't", I didn't
    mean to say there's nothing it can do that a blacklist_from/to can't;
    there's just not much. Custom per-address scoring, using a full regex
    instead of a file-glob, and per-address combinations with other rules in
    a meta are things blacklist_from/to can't do that a rule can.


    > Finally, I can use header ToCC, and that'll probably do, but I wanted
    > to know if there's a better way.

    That's the best way I know of. Also, be aware that unless your MTA drops
    hints about the recipient in the Received: headers with a "for" clause,
    SA won't know who the real recipient is when a message is BCC'ed. This
    is important, as lots of spam is effectively BCC'ed (i.e., the actual
    recipient is in the envelope, but not the To: or Cc:), so your ToCC may
    not match spam.


  3. Re: Forwarded spam

    * Matt Kettler wrote (31/07/08 11:25):
    > Chris Lear wrote:
    >> I'm trying to improve the effectiveness of a spamassassin
    >> installation, and there's one user who gets a lot of spam that is
    >> forwarded from another address, which effectively kills the network
    >> tests and in some cases messes with the BAYES score as well. I want to
    >> get rid of it.
    >>
    >> My solution to the problem was originally to add the forwarding mtas
    >> to trusted_networks (seems ironic, but I think this is appropriate).
    >>
    >> Unfortunately, this doesn't work, because the headers look like this
    >> (with apologies for the munging, but it's not my e-mail):
    >>
    >> Received: from mta3.iomartmail.com ([62.128.193.153])
    >> by smtp.DOMAIN.com with esmtps (TLS1.0HE_RSA_AES_256_CBC_SHA1:32)
    >> (Exim 4.69)
    >> (envelope-from )
    >> id 1KOUZB-0001Xq-Eb
    >> for USER@DOMAIN.com; Thu, 31 Jul 2008 10:35:29 +0100
    >> Received: from mta3.iomartmail.com (localhost.localdomain [127.0.0.1])
    >> by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id
    >> m6V9ZOVc018574
    >> for ; Thu, 31 Jul 2008 10:35:24 +0100
    >> Received: from p548AAE80.dip0.t-ipconnect.de
    >> (p548AB09B.dip0.t-ipconnect.de [84.138.176.155])
    >> by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with SMTP id
    >> m6V9ZNUK018506
    >> for ; Thu, 31 Jul 2008 10:35:24 +0100
    >>
    >> info@ORIGINALDOMAIN.co.uk is the original address, which is handled by
    >> mta[X].iomartmail.com, and it's forwarded to USER@DOMAIN.com, which is
    >> handled by smtp.DOMAIN.com.
    >>
    >> I can put 62.128.193.153 into trusted_networks, which should make
    >> spamassassin look at the next header back, but that's another
    >> iomartmail.com machine (presumably a virus/spam checker), and I'm
    >> fairly sure adding 127.0.0.1 to trusted_networks would be a mistake.

    > Why would adding 127.0.0.1 to trusted_networks be a mistake? Since trust
    > is a path this won't lead to spammers being able to forge trust, as
    > they'd have to first get to your system from a trusted IP address. (or
    > manage to do a TCP blind-spoofing attack and make it look like it came
    > from one)


    OK, you've persuaded me. It seemed fishy, but I wasn't being logical.
    I'll do that and keep an eye on it. Don't worry - I'm not going to
    obsess about TCP spoofing.

    >
    >> Question one: Is there a way of getting the network tests working on
    >> these forwarded e-mails?
    >>
    >>
    >> My next idea is just to add a load of score to messages to
    >> ORIGINALDOMAIN.com. Looking in the wiki at
    >> http://wiki.apache.org/spamassassin/...01073b8180c728
    >> I see this:
    >>
    >> ===
    >> Checking the From: line, or any other header, works much the same:
    >>
    >> header LOCAL_DEMONSTRATION_FROM From =~ /test\.com/i
    >> score LOCAL_DEMONSTRATION_FROM 0.1
    >>
    >> Now, that rule is pretty silly, as it doesn't do much that a
    >> blacklist_from can't.
    >> ===
    >>
    >> What I want to do is blacklist_to *@ORIGINALDOMAIN.co.uk, but with a
    >> score of 3 (ie, it's not really a blacklisting). The quote above seems
    >> to suggest I can do that, but I can't see it in the docs. Question
    >> two: is it possible to set a score on a blacklisted address?

    > No, unless you reset the score for all blacklist_to's
    > score USER_IN_BLACKLIST_TO 3.0
    >
    > When I said it "doesn't do much that a blacklist_from can't", I didn't
    > mean to say there's nothing it can do that a blacklist_from/to can't..
    > there's just not much. Custom per-address scoring, using a full regex
    > instead of a file-glob, and per-address combinations with other rules in
    > a meta are things blacklist_from/to can't do that a rule can.
    >


    Thanks. That all makes sense. I was reading too much into the remark. As
    a side note, in my perusal of the documentation, I didn't stumble easily
    on the link between the blacklist_to option and the USER_IN_BLACKLIST_TO
    rule.

    >
    >> Finally, I can use header ToCC, and that'll probably do, but I wanted
    >> to know if there's a better way.

    > That's the best way I know of. Also, be aware that unless your MTA drops
    > hints about the recipient in the Received: headers with a "for" clause,
    > SA won't know who the real recipient is when a message is BCC'ed. This
    > is important, as lots of spam is effectively BCC'ed (i.e., the actual
    > recipient is in the envelope, but not the To: or Cc:), so your ToCC may
    > not match spam.


    Understood. That's part of the reason I didn't take to this solution
    originally. I assumed that the blacklist_to option would fetch the real
    recipient out of the received headers (which, as you can see above, do
    contain the "for" clause).

    Thanks for the help.

    Chris


  4. Re: Forwarded spam

    On 31.07.08 11:05, Chris Lear wrote:
    > I'm trying to improve the effectiveness of a spamassassin installation,
    > and there's one user who gets a lot of spam that is forwarded from
    > another address, which effectively kills the network tests and in some
    > cases messes with the BAYES score as well. I want to get rid of it.


    Many tests (e.g. those that check for a dynamic IP) use the last external
    IP, which means some network checks will still be killed by such a forwarder.

    I think it's the forwarder who has to take care of spam... any further
    forwarding blurs the difference between ham and spam...


    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
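
As an added illustration of the two points made above (Matt's "trust is a path" and Matus's "last external IP"), here is a small Python model of SpamAssassin's trust-path walk run over the relay chain from the thread's headers; it is not SpamAssassin's own code, and the forged-chain sample with the documentation address 203.0.113.7 is constructed for the example.

```python
import ipaddress

# Constructed relay chain from the thread's munged headers, most-recent-first,
# which is the order SpamAssassin reads Received: headers.
FORWARDED = ["62.128.193.153",   # forwarder's MTA handing to smtp.DOMAIN.com
             "127.0.0.1",        # forwarder's internal scanner hop
             "84.138.176.155"]   # dynamic IP that originated the spam
# Constructed: a direct spam delivery carrying a forged Received: line that
# claims the mail passed through the forwarder (203.0.113.7 is a doc address).
FORGED = ["203.0.113.7", "62.128.193.153"]

def walk_relays(relays, trusted_networks, internal_networks=None):
    """Simplified model of SpamAssassin's trust-path walk (not SA's own code).

    Hops are examined most-recent-first.  The trusted chain ends at the first
    hop whose IP is outside trusted_networks, and nothing after that point
    can regain trust, so a hop in the spammer's own headers can't make itself
    trusted.  The 'last external' relay is the first hop whose IP is outside
    internal_networks (which defaults to trusted_networks, as in SA).
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    internal = [ipaddress.ip_network(n) for n in (internal_networks or trusted_networks)]
    result = {"trusted": [], "untrusted": [], "last_external": None}
    in_trusted = True
    for ip_str in relays:
        ip = ipaddress.ip_address(ip_str)
        if in_trusted and any(ip in n for n in trusted):
            result["trusted"].append(ip_str)
        else:
            in_trusted = False
            result["untrusted"].append(ip_str)
        if result["last_external"] is None and not any(ip in n for n in internal):
            result["last_external"] = ip_str
    return result

def last_external(relays, trusted_networks):
    """The relay whose IP the network tests (DNSBL, dynamic-IP checks) examine."""
    return walk_relays(relays, trusted_networks)["last_external"]

if __name__ == "__main__":
    # Forwarder not trusted: network tests look at the forwarder itself.
    print(last_external(FORWARDED, []))                               # 62.128.193.153
    # Forwarder trusted but not its loopback hop: the chain stops at 127.0.0.1.
    print(last_external(FORWARDED, ["62.128.193.153"]))               # 127.0.0.1
    # Forwarder plus 127.0.0.1 trusted: the real origin becomes last external.
    print(last_external(FORWARDED, ["62.128.193.153", "127.0.0.1"]))  # 84.138.176.155
    # A forged hop below an untrusted one gains nothing (trust is a path).
    print(walk_relays(FORGED, ["62.128.193.153", "127.0.0.1"]))
```

The third call is the configuration Chris settles on in the thread; the fourth shows why trusting 127.0.0.1 does not let a sender forge its way into the trusted chain.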


  5. Re: Forwarded spam

    * Matus UHLAR - fantomas wrote (31/07/08 14:07):
    > On 31.07.08 11:05, Chris Lear wrote:
    >> I'm trying to improve the effectiveness of a spamassassin installation,
    >> and there's one user who gets a lot of spam that is forwarded from
    >> another address, which effectively kills the network tests and in some
    >> cases messes with the BAYES score as well. I want to get rid of it.

    >
    > Many tests (e.g. those that check for a dynamic IP) use the last external
    > IP, which means some network checks will still be killed by such a forwarder.


    I seem to remember someone saying a while ago that it's not clear to the
    average spamassassin admin (e.g. me) which rules use trusted and which use
    external. Is there either a place that explains it all, or is there
    some logic that anyone can tell me? Not crucial, but I'm interested.

    >
    > I think it's the forwarder who has to take care of spam... any further
    > forwarding blurs the difference between ham and spam...


    I agree entirely.

    Chris
