Hello all! I just noticed that a great deal of recent Samba mailing list traffic was being lost at my site. I discovered it was being dumped into one of my "spam cans". Strange... It wasn't one of the rbl style black-hole dumps but rather one of the content traps... A little further research revealed why. One of my spam traps triggers (inaccurately, apparently) on malformed IP addresses in Received headers, since some spam packages generate bogus forged IP addresses in fake Received headers. Here are two of the headers from a recent message from the Samba list (the bottom one is the problem)...

] Received: from mail.valinux.com (mail.valinux.com [198.186.202.175])
]         by au2.samba.org (Postfix) with ESMTP id 6740A65985B
]         for <samba@samba.org>; Thu, 15 Feb 2001 19:25:08 +1100 (EST)
] Received: from beefcake.hdqt.valinux.com
]         ([10.1.0.14.55044] helo=valinux.com ident=root)
            ^^^^^^^^^^^^^^^
]         by mail.valinux.com with esmtp (Exim 3.22 #1 (Debian))
]         id 14TJuh-0001QC-00; Thu, 15 Feb 2001 00:37:19 -0800

This is what it gets tagged with:

] X-Procmail: unwanted ordinary tag-contents header bad IP

This is the procmail tagging recipe that is triggering on it...

] #
] # Morons trying to forge IP addresses
] :0 Hf
] * ^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
] | formail -b -f -A "$trash_header ordinary tag-contents header bad IP"

Ok... Pretty obvious what's happening. Exim is apparently tacking on the port number to the IP address on which it received the message. That port number is triggering the forgery detector, causing the spam rule to fire. I've now disabled that rule since it rarely catches very much spam anymore anyways. But this came from a stock common anti-spam package I obtained by following links off the sendmail site. I'm sure there are other people using this (who are probably NOT getting this message for this very reason) and many of those dump tagged messages straight to /dev/null rather than into spam cans for later checking and mucking out.

I don't know if there has been a recent change at VA Linux or in the mailing list routing, but this seems to have only started occurring fairly recently (like in the last week or so). I don't know what to suggest to the list other than watch out for people who start complaining about not receiving mail from the list.

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
 (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
 NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
Marc MERLIN
2001-Feb-15 19:07 UTC
problem with Samba mail traffic and people with spam filters
[Reply-to set to postmaster@valinux.com]

On Thu, Feb 15, 2001 at 10:32:07AM -0500, Michael H. Warfield wrote:
> ] Received: from beefcake.hdqt.valinux.com
> ]         ([10.1.0.14.55044] helo=valinux.com ident=root)
>             ^^^^^^^^^^^^^^^

Yes, it's a configuration option in exim to add the port number. The main reason for that is to allow tracking when you go through a NAT firewall (i.e. you get the IP of the firewall, and without the port number, you cannot trace back the connection to the original sending machine).

> ] #
> ] # Morons trying to forge IP addresses
> ] :0 Hf
> ] * ^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
> ] | formail -b -f -A "$trash_header ordinary tag-contents header bad IP"

It looks like one or two spam checkers do this indeed. One of our users internally noticed that and already contacted the author so that he could update the regex.

> common anti-spam package I obtained by following links off the sendmail
> site. I'm sure there are other people using this (who are probably NOT
> getting this message for this very reason) and many of those dump
> tagged messages straight to /dev/null rather than into spam cans for
> later checking and mucking out.

That's very unfortunate. Quite frankly, I'm not sure what to do. On one side, we can provide received lines which do not allow tracking back to the originally sending IP, or on the other side, a few overzealous spam checkers will break.

> I don't know if there has been a recent change at VA Linux or
> in the mailing list routing, but this seems to have only started occurring
> fairly recently (like in the last week or so).

It's not really mailing list routing, it's just exim.conf on our main mail server. (Unless I missed something, VA isn't hosting samba lists, so this should only affect posts that come from VA, not the whole list. Of course, Jeremy works at VA, but who cares about what he says anyway ;-D)

I'm not quite sure what's best. Hopefully the few spam checkers will be fixed and I believe that people are responsible for the mail they themselves filter out, but if you think that we should turn this off instead of having the spam checkers fixed, please send us Email to voice your opinion (It's disabled right now so that this mail reaches the people in question).

Thanks,
Marc
--
VA Linux Systems Server Sysadmin. 510 687 7061
Home page: http://marc.merlins.org/
Finger marc_f@merlins.org for PGP key
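An added example, not part of either message above and not the spam package's or Exim's code: the Python below transcribes the quoted procmail pattern into `re` syntax, runs it over the two Received headers quoted in the thread plus two constructed ones, and puts beside it a check that reads the bracketed address field by field, so Exim's appended ".port" passes while an out-of-range octet (or a bogus port) is still flagged. The headers are unfolded (RFC 5322 style) before matching; that is my assumption about how the folded header reaches the filter. The reason the original rule misfires is visible in the pattern itself: `[0-9\.]*` lets the three-digit window start in the middle of a digit run, so "55044" matches as "504" or "044".

```python
import re
from typing import Optional

# The two Received headers quoted in the thread, folded as in the originals.
VALINUX_TO_SAMBA = (
    "Received: from mail.valinux.com (mail.valinux.com [198.186.202.175])\n"
    "\tby au2.samba.org (Postfix) with ESMTP id 6740A65985B\n"
    "\tfor <samba@samba.org>; Thu, 15 Feb 2001 19:25:08 +1100 (EST)"
)
EXIM_WITH_PORT = (
    "Received: from beefcake.hdqt.valinux.com\n"
    "\t([10.1.0.14.55044] helo=valinux.com ident=root)\n"
    "\tby mail.valinux.com with esmtp (Exim 3.22 #1 (Debian))\n"
    "\tid 14TJuh-0001QC-00; Thu, 15 Feb 2001 00:37:19 -0800"
)
# Constructed samples: what the rule is meant to catch (an octet > 255),
# and an Exim-style line with a port number that cannot exist.
FORGED = "Received: from spammer.example ([300.1.2.3]) by mx.example with SMTP"
BAD_PORT = "Received: from relay.example ([1.2.3.4.70000]) by mx.example with esmtp"


def unfold(header: str) -> str:
    """RFC 5322 unfolding: a line break followed by whitespace is one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


# The procmail recipe's pattern body, transcribed into Python re syntax.
ORIGINAL_RULE = re.compile(
    r"^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])"
)


def original_rule_fires(header: str) -> bool:
    """Does the quoted procmail rule tag this header?"""
    return ORIGINAL_RULE.search(unfold(header)) is not None


BRACKETED = re.compile(r"\[([0-9.]+)\]")


def octet_ok(octet: str) -> bool:
    # Digits only, at most 255, and no leading zero: the original rule's
    # [03-9] branch treats "0xx" as a forgery marker too, and it is ambiguous
    # anyway since inet_aton() reads "010" as octal.
    return (
        octet.isdigit()
        and int(octet) <= 255
        and (octet == "0" or not octet.startswith("0"))
    )


def bad_ip_in_received(header: str) -> Optional[str]:
    """Return the first bracketed dotted-decimal token that is malformed, else None.

    A fifth dotted field is accepted as a TCP port (Exim's "a.b.c.d.port" form,
    as discussed in the thread). Bracketed tokens that are not made of digits
    and dots (hostnames, IPv6 literals) are not judged by this check.
    """
    text = unfold(header)
    if not text.startswith("Received:"):
        return None
    for token in BRACKETED.findall(text):
        fields = token.split(".")
        if len(fields) == 5:
            port = fields.pop()
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                return token
        if len(fields) != 4 or not all(octet_ok(o) for o in fields):
            return token
    return None


if __name__ == "__main__":
    samples = [
        ("valinux->samba", VALINUX_TO_SAMBA),
        ("exim+port", EXIM_WITH_PORT),
        ("forged octet", FORGED),
        ("bad port", BAD_PORT),
    ]
    for name, hdr in samples:
        print(f"{name:14} original rule fires: {str(original_rule_fires(hdr)):5} "
              f"corrected check flags: {bad_ip_in_received(hdr)}")
```

Run stand-alone, the script shows the original rule firing on the Exim header and the forged one alike, while the field-by-field check flags only the forged octet and the impossible port. The general point for anyone writing header-content filters is the same as Marc's: Received headers carry MTA-specific decorations, so a pattern should anchor on the field structure rather than on whatever digits happen to sit inside the brackets.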