On Tue, Jan 11, 2005 at 05:46:58PM -0800, List Mail User wrote:
>       Everyone seems to be missing the forged HELO which (incorrectly) used
> the IP address of the receiving machine.  This seems to have fooled both your
> MTA;  The critical headers are:
> 
> > > Received: from 61.32.186.51 by kukla (envelope-from <[EMAIL PROTECTED]>, uid 71) with qmail-scanner-1.24
> 
> and
> 
> > > Received: from unknown (HELO 64.81.195.127) (61.32.186.51)
> 
>   where clearly the forged HELO (i.e. "(HELO 64.81.195.127)") caused qmail,
> et al. to believe you were receiving from a trusted machine.
> 

OK, I had noticed that, but why is spamassassin's whitelist_from looking 
at the HELO? I thought it looked at From: and its relatives.



>       This is a common trick - to try to pretend to be either the local
> machine or another of your legitimate 'MX' hosts.  I don't know qmail well
> enough to tell you the configuration fix, but you shouldn't be whitelisting
> anything based on an unverified 'HELO' - Note the real IP address is readily

I'm not sure I understand how I whitelisted based on an unverified HELO. As
far as I can tell, my whitelists are all of the form

    whitelist_from [EMAIL PROTECTED]
    
or the like. Nothing that links to HELO that I understand. Please explain
further so I can fix.



> visible as 61.32.186.51.  Also, if RFC821 and RFC1822 were being enforced,
> the message would have been rejected anyway (IP addresses are supposed to
> *require* surrounding brackets - ex. [64.81.195.127] instead of a bare IP).
> 
>       In fact, you should probably be checking for any valid looking IP
> addresses and applying extra tests in those cases (I could tell you how for
> either sendmail or Postfix, but qmail or others are outside my own experience,
> except for the many hours spent helping friends work around qmail bugs).
> 

Perhaps you're right that I need to fix something upstream, but my
understanding of the HELO is that it will take well nigh anything. I think
my immediate question is more of why is spamassassin letting this mail
through?

Thanks for pointing out these areas to look at.

Ollie


-- 
|---------------------------|
| Ollie Acheson             |
| Morristown, NJ            |
|---------------------------|
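
The extra tests on IP-looking HELO values suggested in the quoted reply, sketched as an added example that is not part of the original thread or of qmail or SpamAssassin: it parses the qmail-style `Received:` value quoted above and flags a bare (unbracketed) address literal, a claimed address that differs from the connecting peer, and a remote peer claiming the receiver's own address. The names `check_helo`, `THREAD_HEADER`, `LOCAL_IPS` and the finding labels are hypothetical.

```python
import ipaddress
import re

# qmail trace format seen in the thread: from <rdns> (HELO <helo>) (<peer ip>)
QMAIL_RECEIVED = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?:\S+@)?(?P<ip>[0-9A-Fa-f.:]+)\)"
)

# Header value and receiving-host address as quoted in the thread.
THREAD_HEADER = "from unknown (HELO 64.81.195.127) (61.32.186.51)"
LOCAL_IPS = {ipaddress.ip_address("64.81.195.127")}


def _as_ip(text):
    """Parse text as an IP address, or return None if it is not one."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_helo(received, local_ips):
    """Return findings for one qmail-style Received: header value."""
    m = QMAIL_RECEIVED.search(received)
    if m is None:
        return ["unparsed"]
    helo, peer = m.group("helo"), _as_ip(m.group("ip"))
    bare = _as_ip(helo)
    bracketed = helo.startswith("[") and helo.endswith("]")
    claimed = bare if bare is not None else (_as_ip(helo[1:-1]) if bracketed else None)
    findings = []
    if bare is not None:
        findings.append("bare-ip-helo")  # address literal sent without [brackets]
    if claimed is not None and peer is not None:
        if claimed != peer:
            findings.append("helo-ip-mismatch")  # claimed address is not the TCP peer
        if claimed in local_ips and peer not in local_ips:
            findings.append("helo-claims-local-ip")  # outside peer using our address
    return findings


if __name__ == "__main__":
    print(check_helo(THREAD_HEADER, LOCAL_IPS))
```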
