I was troubleshooting a spam here that didn't hit a rule I expected it to
hit, and found something I think needs some discussion...

The rule was looking at X-Spam-Relays-External envfrom= to determine the
envelope sender domain. When running the message in my testbed, I found
that the envfrom= was not populated at all, and this is why the rule
missed.

The envelope sender was available in a Return-Path header.

Not all MTAs put the envelope sender address into the Received header they
generate.

Would it be justified to populate the envfrom= in X-Spam-Relays-External
from Return-Path (and/or potentially X-Envelope-From) if it's not
available in any Received header?

If not, then rules looking at X-Spam-Relays-External envfrom= will not
work reliably in all environments and should be replaced with checks of
Return-Path.

@smf if you're still around: the __FSL_ENVFROM_* rules fall afoul of this.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Je ne suis pas Charlie. Je suis armé.
-----------------------------------------------------------------------
Tomorrow: the 6th anniversary of the Charlie Hebdo massacre
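
The fallback order proposed in the post, sketched in Python as an added example (not SpamAssassin's code and not part of the original message): take the envelope sender from the Received header when the MTA recorded it there, otherwise from Return-Path, then X-Envelope-From. It assumes the topmost Received header and any Return-Path/X-Envelope-From header were written by your own MTA; all function names and sample messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches the "(envelope-from <a@b>)" / "(envelope-from a@b)" comment that
# some MTAs add to the Received header they generate.
_ENVFROM_RE = re.compile(r"\(envelope-(?:from|sender)\s+<?([^<>\s()]*)>?\)", re.I)
FALLBACK_HEADERS = ("Return-Path", "X-Envelope-From")  # order proposed in the post

def envfrom_from_received(msg):
    """Envelope sender from the topmost Received header, or None if absent."""
    received = msg.get_all("Received") or []
    m = _ENVFROM_RE.search(received[0]) if received else None
    return m.group(1).lower() if m else None

def envelope_sender(msg):
    """Return (address, source header): Received first, then the fallbacks."""
    addr = envfrom_from_received(msg)
    if addr is not None:
        return addr, "Received"
    for name in FALLBACK_HEADERS:
        value = msg.get(name)
        if value is not None:
            # "<>" (null sender, used by bounces) parses to an empty string
            return parseaddr(value)[1].lower(), name
    return None, None

def sender_domain(msg):
    """Domain part of the envelope sender, or None if unknown or null."""
    addr, _ = envelope_sender(msg)
    return addr.rpartition("@")[2] if addr else None

# Constructed sample messages (not taken from the post).
WITH_ENVFROM = message_from_string(
    "Received: from mail.sender.example ([192.0.2.10])\n"
    "\tby mx.local.example with esmtp\n"
    "\t(envelope-from <alice@sender.example>); Wed, 06 Jan 2021 10:00:00 +0000\n"
    "From: Alice <alice@sender.example>\n\nbody\n")
WITHOUT_ENVFROM = message_from_string(
    "Return-Path: <bounce@bulk.example>\n"
    "Received: from relay.bulk.example ([198.51.100.7])\n"
    "\tby mx.local.example with ESMTP id 4ABCD; Wed, 06 Jan 2021 10:00:00 +0000\n"
    "From: Offers <news@brand.example>\n\nbody\n")

if __name__ == "__main__":
    for m in (WITH_ENVFROM, WITHOUT_ENVFROM):
        print(envelope_sender(m), sender_domain(m))
```

The second sample is the case from the post: a rule keyed only on the Received-derived value sees nothing, while the Return-Path fallback still yields the sender domain.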