FM_FAKE_HELO_VERIZON - SpamAssassin



Thread: FM_FAKE_HELO_VERIZON

  1. FM_FAKE_HELO_VERIZON

    I have a user of a mailing list who is sending from a Verizon system,
    and is being marked as spam. Some is use of HTML etc but

    > * 2.0 BOTNET_CLIENT Relay has a client-like hostname
    > * =20
    > [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net,
    > ipinhostname]
    > * 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.


    are the two that do not seem to be under control. The mailing list
    archive seems to be hiding the headers at present.

    What exactly do they mean? How can he prevent it?

    ==John ffitch


  2. Re: FM_FAKE_HELO_VERIZON

    jpff wrote:
    > I have a user of a mailing list who is sending from a Verizon system,
    > and is being marked as spam. Some is use of HTML etc but
    >
    >> * 2.0 BOTNET_CLIENT Relay has a client-like hostname
    >> * =20
    >> [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net,
    >> ipinhostname]


    botnet believes the hostname is dynamic (probably because of the 173001
    part). However, verizon.net SPF record includes 206.46.0.0/16. hmmm...

    >> * 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.


    yep. happens with Matt Kettler mail!

    I have opened a bug:
    https://issues.apache.org/SpamAssass...ug.cgi?id=5972


    I suggest the following modification

    header __FHOST_RDNS X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]*[a-z] /i

    meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON && __FHOST_RDNS)
    meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL && __FHOST_RDNS)


    now, it would be nice to modify Received.pm to ignore invalid rdns. any
    opinions?


    >
    > are the two that do not seem to be under control. The mailing list
    > archive seems to be hiding the headers at present.
    >
    > What exactly do they mean? How can he prevent it?
    >
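    As an added example (not code from the thread or from the SpamAssassin project), here is a small Python script that applies the proposed sub-rule logic to constructed X-Spam-Relays-Untrusted pseudo-headers, so the difference between the shipped meta (__FHELO_VERIZON && !__FHOST_VERIZON) and the proposed one with __FHOST_RDNS can be seen on a relay whose rDNS lookup came back empty. The __FHOST_RDNS regex is the one from the post; the __FHELO_VERIZON and __FHOST_VERIZON regexes are assumed approximations of the project's sub-rules, not copied from them, and the pseudo-header samples are constructed.

```python
import re

# Assumed approximations of SpamAssassin's __FHELO_VERIZON and __FHOST_VERIZON
# sub-rules (not copied from the project): the first untrusted relay's HELO,
# resp. rDNS name, ends in verizon.net. X-Spam-Relays-Untrusted holds one
# "[ ... ]" entry per relay, the first being the relay that connected to the
# trusted network, so "^[^\]]+" keeps the match inside that first entry.
RX_FHELO_VERIZON = re.compile(r"^[^\]]+ helo=\S*verizon\.net ", re.IGNORECASE)
RX_FHOST_VERIZON = re.compile(r"^[^\]]+ rdns=\S*verizon\.net ", re.IGNORECASE)
# The __FHOST_RDNS pattern proposed in the post: the relay has a non-empty rDNS
# value ending in a letter (an empty "rdns=" means the lookup failed).
RX_FHOST_RDNS = re.compile(r"^[^\]]+ rdns=[^ ]*[a-z] ", re.IGNORECASE)


def score_relays(relays_untrusted: str) -> dict:
    """Evaluate the sub-rules and both versions of the meta rule on one pseudo-header."""
    helo = RX_FHELO_VERIZON.match(relays_untrusted) is not None
    host = RX_FHOST_VERIZON.match(relays_untrusted) is not None
    rdns = RX_FHOST_RDNS.match(relays_untrusted) is not None
    return {
        "__FHELO_VERIZON": helo,
        "__FHOST_VERIZON": host,
        "__FHOST_RDNS": rdns,
        # meta as discussed in the thread: fires whenever rDNS is not verizon.net,
        # including when there is no rDNS at all
        "FM_FAKE_HELO_VERIZON_original": helo and not host,
        # proposed meta: additionally require that the rDNS lookup produced a name
        "FM_FAKE_HELO_VERIZON_proposed": helo and not host and rdns,
    }


# Constructed sample pseudo-headers in the X-Spam-Relays-Untrusted layout
# (ip/rdns/helo/by fields; the remaining fields are abbreviated).
SAMPLES = {
    # Verizon MTA whose rDNS confirms the HELO: neither version should fire
    "verizon_rdns_ok": "[ ip=206.46.173.1 rdns=vms173001pub.verizon.net "
                       "helo=vms173001pub.verizon.net by=mx.example.org intl=0 auth= msa=0 ]",
    # Claims a verizon.net HELO but rDNS points elsewhere: both versions fire
    "forged_helo": "[ ip=192.0.2.10 rdns=dsl-10.example.net "
                   "helo=vms173001pub.verizon.net by=mx.example.org intl=0 auth= msa=0 ]",
    # verizon.net HELO but the rDNS lookup returned nothing ("rdns=" is empty):
    # the original meta fires, the proposed one does not
    "rdns_missing": "[ ip=192.0.2.11 rdns= "
                    "helo=vms173001pub.verizon.net by=mx.example.org intl=0 auth= msa=0 ]",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        r = score_relays(header)
        print(f"{name:16} original={r['FM_FAKE_HELO_VERIZON_original']!s:5} "
              f"proposed={r['FM_FAKE_HELO_VERIZON_proposed']!s:5}")
```

    The third sample is the case the extra sub-rule is meant to handle: with no rDNS name to compare against, "!__FHOST_VERIZON" is trivially true, and only requiring __FHOST_RDNS keeps the meta from scoring a relay that merely lacks reverse DNS.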



  3. Re: FM_FAKE_HELO_VERIZON

    On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:

    > verizon.net SPF record includes 206.46.0.0/16.


    Verizon SPF'd a class-B space?? Please don't tell me that covers part of
    their dynamic address pool...

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    Look at the people at the top of both efforts. Linus Torvalds is a
    university graduate with a CS degree. Bill Gates is a university
    dropout who bragged about dumpster-diving and using other peoples'
    garbage code as the basis for his code. Maybe that has something to
    do with the difference in quality/security between Linux and
    Windows. -- anytwofiveelevenis on Y! SCOX
    -----------------------------------------------------------------------
    3 days until the 221st anniversary of the signing of the U.S. Constitution


  4. Re: FM_FAKE_HELO_VERIZON

    John Hardin wrote:
    > On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
    >
    >> verizon.net SPF record includes 206.46.0.0/16.

    >
    > Verizon SPF'd a class-B space?? Please don't tell me that covers part of
    > their dynamic address pool...
    >


    If they block port 25 except for "responsible" users, I have no problem
    with that. Maybe some people (Matt?) know more?


  5. Re: FM_FAKE_HELO_VERIZON

    On Sunday 14 September 2008, mouss wrote:
    >John Hardin wrote:
    >> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
    >>> verizon.net SPF record includes 206.46.0.0/16.

    >>
    >> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
    >> their dynamic address pool...

    >
    >If they block port 25 except for "responsible" users, I have no problem
    >with that. Maybe some people (Matt?) know more?


    I sure would have a problem with that. It's bad enough I have to run my web
    server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your
    web pages with their service that they can load up with commercials.

    I pull from 3 different mail servers cuz vz has some pretty weird ideas about
    what is good mail and what is spam, they have blocked lkml, the busiest list
    in linuxdom as that much traffic has to be spam. I can also post through all
    three of the servers I suck from, and if they start blocking 25 that isn't
    addressed to their server, my first email will be to the FCC demanding they
    lose their common carrier status.

    --
    Cheers, Gene
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author)
    Work is the crab grass in the lawn of life.
    -- Schulz


  6. Re: FM_FAKE_HELO_VERIZON

    Gene Heskett wrote:
    > On Sunday 14 September 2008, mouss wrote:
    >> John Hardin wrote:
    >>> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
    >>>> verizon.net SPF record includes 206.46.0.0/16.
    >>> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
    >>> their dynamic address pool...

    >> If they block port 25 except for "responsible" users, I have no problem
    >> with that. Maybe some people (Matt?) know more?

    >
    > I sure would have a problem with that. It's bad enough I have to run my web
    > server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your
    > web pages with their service that they can load up with commercials.
    >
    > I pull from 3 different mail servers cuz vz has some pretty weird ideas about
    > what is good mail and what is spam, they have blocked lkml, the busiest list
    > in linuxdom as that much traffic has to be spam. I can also post through all
    > three of the servers I suck from, and if they start blocking 25 that isn't
    > addressed to their server, my first email will be to the FCC demanding they
    > lose their common carrier status.
    >


    When we say "an ISP blocks outbound port 25", we mean "they force
    passing via their relay". or if you prefer, they block TCP packets where
    the "foreign" port is 25 (if dest IP is "external", dest port must not
    be 25. and if source port is external, source port must not be 25).

    This doesn't limit the recipients of their mail to the ISP customers.
    nor should this limit the sender to the ISP domain (some ISPs are known
    to limit to N declared sender domains though).
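    As an added example (not code from the thread), here is a Python function that implements the definition of "an ISP blocks outbound port 25" given in this post as a packet-filter decision: a TCP packet is dropped when its foreign end is port 25, in either direction, while traffic to and from the ISP's own relay is left alone. The customer pool, the relay address and the sample packets are constructed values, not Verizon's real ranges; the port-80 blocking Gene describes is a separate matter and is not modelled.

```python
import ipaddress

# Constructed addresses for the illustration (not any real ISP's ranges):
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")   # the ISP's dynamic customer pool
ISP_RELAY = ipaddress.ip_address("203.0.113.25")          # the ISP's own outbound relay
SMTP_PORT = 25


def is_isp_side(ip: ipaddress.IPv4Address) -> bool:
    """The customer pool and the ISP's relay count as 'inside'; everything else is foreign."""
    return ip in CUSTOMER_POOL or ip == ISP_RELAY


def port25_policy_drops(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """Return True if the ISP's outbound-port-25 filter would drop this TCP packet.

    Following the post's definition: drop when the packet leaves the customer
    pool towards an external destination port 25, or comes back from an
    external source port 25 into the customer pool. The ISP's relay is not
    foreign, so forced relaying through it keeps working.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    outbound_to_foreign_25 = (src in CUSTOMER_POOL) and not is_isp_side(dst) and dst_port == SMTP_PORT
    inbound_from_foreign_25 = (dst in CUSTOMER_POOL) and not is_isp_side(src) and src_port == SMTP_PORT
    return outbound_to_foreign_25 or inbound_from_foreign_25


# Constructed sample packets: (description, src_ip, src_port, dst_ip, dst_port)
SAMPLE_PACKETS = [
    ("customer -> ISP relay, port 25 (forced path)", "198.51.100.7", 51000, "203.0.113.25", 25),
    ("customer -> external MX, port 25 (direct-to-MX)", "198.51.100.7", 51001, "192.0.2.20", 25),
    ("external MX -> customer, from port 25 (reply half)", "192.0.2.20", 25, "198.51.100.7", 51001),
    ("customer -> external submission port 587", "198.51.100.7", 51002, "192.0.2.20", 587),
    ("external client -> customer web server port 80", "192.0.2.30", 40000, "198.51.100.7", 80),
]


def classify_samples() -> dict:
    """Map each sample description to whether the filter drops it."""
    return {desc: port25_policy_drops(s, sp, d, dp) for desc, s, sp, d, dp in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, dropped in classify_samples().items():
        print(f"{'DROP' if dropped else 'PASS'}  {desc}")
```

    Both halves of a direct-to-MX session are dropped (the customer's SYN to port 25 and the MX's answer from port 25), which is what makes the customer's mail go through the relay, while port 587 submission to an outside provider and ordinary inbound web traffic are untouched by this particular rule.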


  7. Re: FM_FAKE_HELO_VERIZON

    On Sunday 14 September 2008, mouss wrote:
    >Gene Heskett wrote:
    >> On Sunday 14 September 2008, mouss wrote:
    >>> John Hardin wrote:
    >>>> On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
    >>>>> verizon.net SPF record includes 206.46.0.0/16.
    >>>>
    >>>> Verizon SPF'd a class-B space?? Please don't tell me that covers part of
    >>>> their dynamic address pool...
    >>>
    >>> If they block port 25 except for "responsible" users, I have no problem
    >>> with that. Maybe some people (Matt?) know more?

    >>
    >> I sure would have a problem with that. It's bad enough I have to run my
    >> web server by natting port 85 to 80 cuz vz blocks port 80 so you'll build
    >> your web pages with their service that they can load up with commercials.
    >>
    >> I pull from 3 different mail servers cuz vz has some pretty weird ideas
    >> about what is good mail and what is spam, they have blocked lkml, the
    >> busiest list in linuxdom as that much traffic has to be spam. I can also
    >> post through all three of the servers I suck from, and if they start
    >> blocking 25 that isn't addressed to their server, my first email will be
    >> to the FCC demanding they lose their common carrier status.

    >
    >When we say "an ISP blocks outbound port 25", we mean "they force
    >passing via their relay". or if you prefer, they block TCP packets where
    >the "foreign" port is 25 (if dest IP is "external", dest port must not
    >be 25. and if source port is external, source port must not be 25).


    Yes, same definition I'm using.

    >This doesn't limit the recipients of their mail to the ISP customers.
    >nor should this limit the sender to the ISP domain (some ISPs are known
    >to limit to N declared sender domains though).


    No, but they use it as I stated, to make you put your web visible stuff on
    their servers, where they can surround it with their commercials. So they
    block port 80 going out to their customers. Silently, and they deny it at
    tech support to their last breath. Like comcast, to do so and lose the
    common carrier status, would cost them millions. Tain't gonna happen as long
    as Bushco is naming commissioners.

    That said, I have relatively little faith that the commission would act, there
    are far too many commercial folks all too willing to treat the commissioners
    to whatever they might indicate they need. And as in any other enterprise,
    its only illegal if you get caught. The catchers unforch are busy. And so
    it goes...

    --
    Cheers, Gene
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author)
    Disclaimer: "These opinions are my own, though for a small fee they be
    yours too."
    -- Dave Haynie


  8. Re: FM_FAKE_HELO_VERIZON

    At 03:33 14-09-2008, jpff wrote:
    >I have a user of a mailing list who is sending from a Verizon system,
    >and is being marked as spam. Some is use of HTML etc but
    >
    > > * 2.0 BOTNET_CLIENT Relay has a client-like hostname
    > > * =20
    > > [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net,
    > > ipinhostname]
    > > * 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.

    >
    >are the two that do not seem to be under control. The mailing list
    >archive seems to be hiding the headers at present.


    The first rule is not a SpamAssassin (project) rule. It incorrectly
    detects the hostname as a "botnet client".

    A bug report has been posted for the second rule.

    Regards,
    -sm


  9. Re: FM_FAKE_HELO_VERIZON

    On Sun, 2008-09-14 at 16:45 -0400, Gene Heskett wrote:

    > No, but they use it as I stated, to make you put your web visible stuff on
    > their servers, where they can surround it with their commercials. So they
    > block port 80 going out to their customers.


    Not to minimize how annoying that is, but how is it relevant to an ISP
    blocking outbound port 25 from their dynamic IP blocks to the internet
    at large for users who have not explicitly asked for that access, given
    how much that capability is subject to abuse?

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    I'm seriously considering getting one of those bright-orange prison
    overalls and stencilling PASSENGER on the back. Along with the paper
    slippers, I ought to be able to walk right through security.
    -- Brian Kantor in a.s.r
    -----------------------------------------------------------------------
    3 days until the 221st anniversary of the signing of the U.S. Constitution

