Mailing List Archive

X-Originating-IP a received header?
Hi,

I have a system that received mail from a webmail product that adds a
X-Originating-IP header with the IP of the webmail user.

Since Spamassassin for some reason considers that to be a
Received-header that results in all mails from the webmail hitting the
RDNS_NONE rule (only IP is added in the header) which I currently have
set to 0 due to this.

It also impacts how I can use the trusted_networks setting on my MXes.
If my mailrelays are trusted then the first "received" will be an
untrusted IP and, since it's likely a residential IP, likely listed in
spamhaus PBL...

Which all leads me to my question. Is there some way I can configure
Spamassassin to not consider X-Originating-IP to be a received-header?

--
BR/Mvh. Dan Malm, Systems Engineer, One.com
Re: X-Originating-IP a received header?
Dan Malm wrote on 19.02.2021 at 13:28:
> I have a system that received mail from a webmail product that adds a
> X-Originating-IP header with the IP of the webmail user.
>
> Since Spamassassin for some reason considers that to be a
> Received-header that results in all mails from the webmail hitting the
> RDNS_NONE rule (only IP is added in the header) which I currently have
> set to 0 due to this.
Look into the originating_ip_headers and clear_originating_ip_headers
options of spamassassin.

Alex
Re: X-Originating-IP a received header?
On 2021-02-19 13:48, Alex Woick wrote:
> Dan Malm wrote on 19.02.2021 at 13:28:
>> I have a system that received mail from a webmail product that adds a
>> X-Originating-IP header with the IP of the webmail user.
>>
>> Since Spamassassin for some reason considers that to be a
>> Received-header that results in all mails from the webmail hitting the
>> RDNS_NONE rule (only IP is added in the header) which I currently have
>> set to 0 due to this.
> Look into the originating_ip_headers and clear_originating_ip_headers
> options of spamassassin.

imho not needed if the ip is in both internal_networks and
trusted_networks

RDNS_NONE will not hit if this is configured

if it does, do "spamassassin -D -t webmail.msg 2>&1 | less" and look for it
there
Re: X-Originating-IP a received header?
On Fri, 19 Feb 2021 15:09:14 +0100
Benny Pedersen wrote:

> On 2021-02-19 13:48, Alex Woick wrote:
> > Dan Malm wrote on 19.02.2021 at 13:28:
> >> I have a system that received mail from a webmail product that
> >> adds a X-Originating-IP header with the IP of the webmail user.
> >>
> >> Since Spamassassin for some reason considers that to be a
> >> Received-header that results in all mails from the webmail hitting
> >> the RDNS_NONE rule (only IP is added in the header) which I
> >> currently have set to 0 due to this.
> > Look into the originating_ip_headers and
> > clear_originating_ip_headers options of spamassassin.
>
> imho not needed if the ip is in both internal_networks and
> trusted_networks

Typically these addresses are ISP dynamic pool addresses, so that's not
practical.
Re: X-Originating-IP a received header?
On 2021-02-19 15:33, RW wrote:
> On Fri, 19 Feb 2021 15:09:14 +0100
> Benny Pedersen wrote:
>
>> On 2021-02-19 13:48, Alex Woick wrote:
>> > Dan Malm wrote on 19.02.2021 at 13:28:
>> >> I have a system that received mail from a webmail product that
>> >> adds a X-Originating-IP header with the IP of the webmail user.
>> >>
>> >> Since Spamassassin for some reason considers that to be a
>> >> Received-header that results in all mails from the webmail hitting
>> >> the RDNS_NONE rule (only IP is added in the header) which I
>> >> currently have set to 0 due to this.
>> > Look into the originating_ip_headers and
>> > clear_originating_ip_headers options of spamassassin.
>>
>> imho not needed if the ip is in both internal_networks and
>> trusted_networks
>
> Typically these addresses are ISP dynamic pool addresses, so that's not
> practical.

webserver on a pbl listed ip ?

different solution then
Re: X-Originating-IP a received header?
On Fri, 19 Feb 2021, Dan Malm wrote:

> I have a system that received mail from a webmail product that adds a
> X-Originating-IP header with the IP of the webmail user.
>
> Since Spamassassin for some reason considers that to be a
> Received-header that results in all mails from the webmail hitting the
> RDNS_NONE rule (only IP is added in the header) which I currently have
> set to 0 due to this.

Could you post a sample of the headers from such? Obfuscate as you like,
I'm just wondering about the order in which they appear.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The promise of nuclear power: electricity too cheap to meter
The reality of nuclear power: FUD too cheap to meter
-----------------------------------------------------------------------
3 days until George Washington's 289th Birthday
Re: X-Originating-IP a received header?
On Fri, 19 Feb 2021 15:41:27 +0100
Benny Pedersen wrote:

> On 2021-02-19 15:33, RW wrote:
> > On Fri, 19 Feb 2021 15:09:14 +0100
> > Benny Pedersen wrote:

> >> imho not needed if the ip is in both internal_networks and
> >> trusted_networks
> >
> > Typically these addresses are ISP dynamic pool addresses, so that's
> > not practical.
>
> webserver on a pbl listed ip ?

No, it's the IP addresses of the client connecting to the webmail
server.
Re: X-Originating-IP a received header?
On 2021-02-19 19:20, RW wrote:

> No, it's the IP addresses of the client connecting to the webmail
> server.

this is why i still do sasl on ::1 :=)

good solution to fix the above is to create another inet listener for
web apps that is not spamassassin scanned, or simply short-circuit its
future on NO_RELAYS so it does not matter for locally sent mails, not even
from ips pbl'ed

meta if webapp does not fully do spamassassin check
Re: X-Originating-IP a received header?
On Fri, 19 Feb 2021 07:13:14 -0800 (PST)
John Hardin wrote:

> On Fri, 19 Feb 2021, Dan Malm wrote:
>
> > I have a system that received mail from a webmail product that adds
> > a X-Originating-IP header with the IP of the webmail user.
> >
> > Since Spamassassin for some reason considers that to be a
> > Received-header that results in all mails from the webmail hitting
> > the RDNS_NONE rule (only IP is added in the header) which I
> > currently have set to 0 due to this.
>
> Could you post a sample of the headers from such? Obfuscate as you
> like, I'm just wondering about the order in which they appear.
>
>

If you just process

X-Originating-IP: 1.2.3.4

1.2.3.4 is added to external and untrusted networks and you get

X-Spam-Relays-Untrusted: [ ip=1.2.3.4 ...
X-Spam-Relays-External: [ ip=1.2.3.4 ..

If you have an authenticated (with ESMTPA) Received header above it,
that header will be treated as internal and trusted, so it makes no
difference, 1.2.3.4 is still the last-external address.

The latter case is related to Bug 7590.
Re: X-Originating-IP a received header?
On 2021-02-19 16:13, John Hardin wrote:
> On Fri, 19 Feb 2021, Dan Malm wrote:
>
>> I have a system that received mail from a webmail product that adds a
>> X-Originating-IP header with the IP of the webmail user.
>>
>> Since Spamassassin for some reason considers that to be a
>> Received-header that results in all mails from the webmail hitting the
>> RDNS_NONE rule (only IP is added in the header) which I currently have
>> set to 0 due to this.
>
> Could you post a sample of the headers from such? Obfuscate as you like,
> I'm just wondering about the order in which they appear.
>
>

Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com
[46.30.211.130])
by mailrelay3 (Halon) with ESMTPSA
id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
X-Originating-IP: 46.30.211.29
User-Agent: One.com webmail 39.4.34
Date: Fri, 19 Feb 2021 12:28:08 +0100
MIME-Version: 1.0
Message-ID: <1613734088881.26136.389428@webmail1>
To: <one@slave.one>
From: "One" <one@nyck.se>
Reply-To: <one@nyck.se>
Subject: testing
Content-Type: multipart/alternative;
boundary="----------389426-1613734088881-1"


--
BR/Mvh. Dan Malm, Systems Engineer, One.com
Re: X-Originating-IP a received header?
On Tue, 23 Feb 2021, Dan Malm wrote:

> On 2021-02-19 16:13, John Hardin wrote:
>> On Fri, 19 Feb 2021, Dan Malm wrote:
>>
>>> I have a system that received mail from a webmail product that adds a
>>> X-Originating-IP header with the IP of the webmail user.
>>>
>>> Since Spamassassin for some reason considers that to be a
>>> Received-header that results in all mails from the webmail hitting the
>>> RDNS_NONE rule (only IP is added in the header) which I currently have
>>> set to 0 due to this.
>>
>> Could you post a sample of the headers from such? Obfuscate as you like,
>> I'm just wondering about the order in which they appear.
>
> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com
> [46.30.211.130])
> by mailrelay3 (Halon) with ESMTPSA
> id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
> Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
> X-Originating-IP: 46.30.211.29
> User-Agent: One.com webmail 39.4.34
> Date: Fri, 19 Feb 2021 12:28:08 +0100
> MIME-Version: 1.0
> Message-ID: <1613734088881.26136.389428@webmail1>
> To: <one@slave.one>
> From: "One" <one@nyck.se>
> Reply-To: <one@nyck.se>
> Subject: testing
> Content-Type: multipart/alternative;
> boundary="----------389426-1613734088881-1"

...and I assume that neither of those addresses are configured as
"internal" for you?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Liberals love sex ed because it teaches kids to be safe around their
sex organs. Conservatives love gun education because it teaches kids
to be safe around guns. However, both believe that the other's
education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
269 days since the first private commercial manned orbital mission (SpaceX)
Re: X-Originating-IP a received header?
On 2021-02-23 16:29, John Hardin wrote:
> On Tue, 23 Feb 2021, Dan Malm wrote:
>
>> On 2021-02-19 16:13, John Hardin wrote:
>>> On Fri, 19 Feb 2021, Dan Malm wrote:
>>>
>>>> I have a system that received mail from a webmail product that adds a
>>>> X-Originating-IP header with the IP of the webmail user.
>>>>
>>>> Since Spamassassin for some reason considers that to be a
>>>> Received-header that results in all mails from the webmail hitting the
>>>> RDNS_NONE rule (only IP is added in the header) which I currently have
>>>> set to 0 due to this.
>>>
>>> Could you post a sample of the headers from such? Obfuscate as you like,
>>> I'm just wondering about the order in which they appear.
>>
>> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com
>> [46.30.211.130])
>>     by mailrelay3 (Halon) with ESMTPSA
>>     id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
>>     Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
>> X-Originating-IP: 46.30.211.29
>> User-Agent: One.com webmail 39.4.34
>> Date: Fri, 19 Feb 2021 12:28:08 +0100
>> MIME-Version: 1.0
>> Message-ID: <1613734088881.26136.389428@webmail1>
>> To: <one@slave.one>
>> From: "One" <one@nyck.se>
>> Reply-To: <one@nyck.se>
>> Subject: testing
>> Content-Type: multipart/alternative;
>> boundary="----------389426-1613734088881-1"
>
> ...and I assume that neither of those addresses are configured as
> "internal" for you?
>
>

They are currently not, no.

And "X-Originating-IP: 46.30.211.29" is the IP the webserver handling
the webmail saw for this mail, i.e. the user IP, which for normal users
will often be in PBL. It's also the IP that triggers the hit on RDNS_NONE

--
BR/Mvh. Dan Malm, Systems Engineer, One.com
Re: X-Originating-IP a received header?
On 2021-02-23 16:14, Dan Malm wrote:

> X-Originating-IP: 46.30.211.29
> User-Agent: One.com webmail 39.4.34
> Message-ID: <1613734088881.26136.389428@webmail1>

this ip is not pbl listed

if it was i would meta rule it
Re: X-Originating-IP a received header?
On Tue, 23 Feb 2021, Dan Malm wrote:

> On 2021-02-23 16:29, John Hardin wrote:
>> On Tue, 23 Feb 2021, Dan Malm wrote:
>>
>>> On 2021-02-19 16:13, John Hardin wrote:
>>>> On Fri, 19 Feb 2021, Dan Malm wrote:
>>>>
>>>>> I have a system that received mail from a webmail product that adds a
>>>>> X-Originating-IP header with the IP of the webmail user.
>>>>>
>>>>> Since Spamassassin for some reason considers that to be a
>>>>> Received-header that results in all mails from the webmail hitting the
>>>>> RDNS_NONE rule (only IP is added in the header) which I currently have
>>>>> set to 0 due to this.
>>>>
>>>> Could you post a sample of the headers from such? Obfuscate as you like,
>>>> I'm just wondering about the order in which they appear.
>>>
>>> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com
>>> [46.30.211.130])
>>>     by mailrelay3 (Halon) with ESMTPSA
>>>     id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
>>>     Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
>>> X-Originating-IP: 46.30.211.29
>>> User-Agent: One.com webmail 39.4.34
>>> Date: Fri, 19 Feb 2021 12:28:08 +0100
>>> MIME-Version: 1.0
>>> Message-ID: <1613734088881.26136.389428@webmail1>
>>> To: <one@slave.one>
>>> From: "One" <one@nyck.se>
>>> Reply-To: <one@nyck.se>
>>> Subject: testing
>>> Content-Type: multipart/alternative;
>>> boundary="----------389426-1613734088881-1"
>>
>> ...and I assume that neither of those addresses are configured as
>> "internal" for you?
>
> They are currently not, no.
>
> And "X-Originating-IP: 46.30.211.29" is the IP the webserver handling
> the webmail saw for this mail, i.e. the user IP, which for normal users
> will often be in PBL. It's also the IP that triggers the hit on RDNS_NONE

Which it should not, as it's not the "last external" IP address. That's
why I asked for the headers - it seems from this (absent any actual
testing) that SA isn't keeping the received-equivalent headers in the
correct order with the genuine received headers.

One possible explanation is that the local Received header added by your
MTA (presumably mailrelay3) isn't being added before the message is being
passed to SA, so the X-Originating-IP header is the only thing that SA is
seeing. Did that message hit any "direct-to-MX" rules?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XI: Everything is air-droppable at least once.
-----------------------------------------------------------------------
269 days since the first private commercial manned orbital mission (SpaceX)
Re: X-Originating-IP a received header?
On Tue, 23 Feb 2021 13:41:58 -0800 (PST)
John Hardin wrote:

> On Tue, 23 Feb 2021, Dan Malm wrote:
>
> > On 2021-02-23 16:29, John Hardin wrote:
> >> On Tue, 23 Feb 2021, Dan Malm wrote:

> >>> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com
> >>> [ ])
> >>>     by mailrelay3 (Halon) with
> >>>     id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
> >>>     Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
> >>> X-Originating-IP: 46.30.211.29


> > And "X-Originating-IP: 46.30.211.29" is the IP the webserver
> > handling the webmail saw for this mail, i.e. the user IP, which for
> > normal users will often be in PBL. It's also the IP that triggers
> > the hit on RDNS_NONE
>
> Which it should not, as it's not the "last external" IP address.
> That's why I asked for the headers - it seems from this (absent any
> actual testing) that SA isn't keeping the received-equivalent headers
> in the correct order with the genuine received headers.

I've explained this in a recent post in this thread. Without the SMTPA
you would have


X-Spam-Relays-External: [ ip=46.30.211.130 ...][ ip=46.30.211.29 ...]

With authentication (SMTPA) the networks move down one and you get

X-Spam-Relays-Internal: [ ip=46.30.211.130 ...]
X-Spam-Relays-External: [ ip=46.30.211.29 ...]

In most cases doing this leaves X-Spam-Relays-External empty and it
prevents running LE tests on mail submission, but it takes no account of
sections added for Originating-IP or upstream Received headers.

This behaviour is actually abusable as a forged header can be used to
trigger various whitelisting rules, see Bug 7590.