Okay, follow-up question: Where does SpamAssassin get the IP? Is it the oldest IP in the received headers (low), or the most recent (top)?
If it is oldest (assuming originating IP), then that could be faked easily enough. If it is top, then what does it do if there is no IP (as many SpamAssassin implementations seem to have the message processed before adding appropriate received headers... tisk, tisk, tisk...)?

Either way... a lot of people I know are on Comcast in the same town... they are all on the same sub-"b" class network (/17 I think)... So entirely possible to have this nightmare happen.

Perhaps then, this is a time to look at using SPF along with AWL. Have AWL use the same record for all SPF'd IPs for that domain and then the usual (change to a class "c"?) records for those falling outside the SPF's listed IPs or no SPF for that domain. It won't stop those who truly use the same server/subnet, but it should help some?

Getting later at night... and I'm starting to become more muddled in my thoughts... sorry.

------------------------------------------------------------
Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
[EMAIL PROTECTED]

-----Original Message-----
From: William Stearns [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 19, 2004 12:25 AM
To: Jason J. Ellingson
Cc: ML-spamassassin-talk; William Stearns
Subject: Re: AWL DoS?

Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =====
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =====
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

You're asking the right questions. To the best of my knowledge, this has already been addressed. What goes in the AWL isn't just the raw email address, it's the email address plus the first two octets of the source IP address. For someone to successfully attack this way, the attacker would need a legal IP address in the same class B network as the legitimate sender. If sent from a different network, the +1000 user would show up in a different AWL entry than the legitimate sender.

Cheers,
- Bill
---------------------------------------------------------------------------
"I am Homer of Borg! Prepare to be... OOooo! donuts!"
(Courtesy of: Carlos Morgado <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
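As an added example (not code from this thread or from SpamAssassin itself), a small Python model of the AWL keying Bill describes, sender address plus the first two octets of the originating IP, beside the SPF-aware variant Jason proposes (one shared key for SPF-authorised IPs, a /24 key otherwise). The sender addresses, IPs and SPF networks are constructed placeholders, the originating IP is taken as an input rather than resolved from Received headers, and the +1000 GTUBE score is the thread's.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the friend's domain authorises one /24 in SPF
# (placeholder networks, not a real SPF lookup).
SPF_NETWORKS = {"friend.example": [ipaddress.ip_network("203.0.113.0/24")]}

def awl_key(sender, ip, spf_networks=None):
    """AWL key for a (sender, originating IP) pair.

    Classic scheme from the thread: sender + first two octets (/16).
    With spf_networks: all SPF-authorised IPs of the sender's domain share
    one key; any other IP is keyed on its /24 (the proposed variant).
    """
    addr = ipaddress.ip_address(ip)
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if spf_networks is not None:
        if any(addr in net for net in spf_networks.get(domain, [])):
            return f"{sender}|spf"
        prefix = 24
    else:
        prefix = 16
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return f"{sender}|{net.network_address}/{prefix}"

class AutoWhitelist:
    """Minimal AWL store: remembers scores per key and reports their mean."""
    def __init__(self, spf_networks=None):
        self.scores = defaultdict(list)
        self.spf_networks = spf_networks
    def record(self, sender, ip, score):
        key = awl_key(sender, ip, self.spf_networks)
        self.scores[key].append(score)
        return key
    def mean(self, sender, ip):
        hist = self.scores.get(awl_key(sender, ip, self.spf_networks))
        return sum(hist) / len(hist) if hist else None

def scenario(attacker_ip, spf_networks=None):
    """Y mails X twice (ham, -2 each); Z then sends GTUBE (+1000) with Y's
    address spoofed from attacker_ip. Returns the AWL mean that Y's next
    genuine mail from 203.0.113.5 would be judged against."""
    awl = AutoWhitelist(spf_networks)
    for _ in range(2):
        awl.record("y@friend.example", "203.0.113.5", -2.0)
    awl.record("y@friend.example", attacker_ip, 1000.0)
    return awl.mean("y@friend.example", "203.0.113.5")
```

Run scenario('198.51.100.7') for the different-network case Bill describes and scenario('203.0.200.9') for an attacker inside the same /16; passing SPF_NETWORKS to the latter shows the SPF-aware key keeping the two entries apart.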