Mailing List Archive

X-Originating-IP fires too much
Hello,

Hoping that adding the sending IP address to the X-Originating-IP: header would help
me fight spam posted via webmail, it seems I caused more problems
than it was supposed to solve.

mail sent from external IP 192.0.2.1 via webmail on 192.168.0.10, then pushed
to SMTP server 192.168.0.10 (authenticated).

results
- ALL_TRUSTED doesn't fire because 192.0.2.1 in X-Originating-IP

- HELO_NO_DOMAIN fires
- RDNS_NONE fires
- both because X-Originating-IP contains no helo/DNS data.

any idea what could I do here, besides disabling X-Originating-IP
generation?

Received: from mail.example.com ([127.0.0.1])
by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id kEVGzIXBomJ9; Wed, 1 Dec 2021 09:47:49 +0100 (CET)
Received: from mail.example.com (mail.example.com [192.168.0.10])
by mail.example.com (Postfix) with ESMTPSA id 591781C008E
for <redacted@gmail.com>; Wed, 1 Dec 2021 09:47:49 +0100 (CET)
User-Agent: Roundcube Webmail/1.3.17
X-Originating-IP: [192.0.2.1]


Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-Trusted: [. ip=127.0.0.1 rdns=localhost helo=localhost by=mail.example.com ident= envfrom= intl=1 id=D0BF51C1B71 auth= msa=0 ] [. ip=127.0.0.1 rdns= helo=mail.example.com by=localhost ident= envfrom= intl=1 id=kEVGzIXBomJ9 auth= msa=0 ] [. ip=192.168.0.10 rdns=mail.example.com helo=mail.example.com by=mail.example.com ident= envfrom= intl=1 id=591781C008E auth=ESMTPSA msa=0 ]
Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-Untrusted: [. ip=192.0.2.1 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]
Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-Internal: [. ip=127.0.0.1 rdns=localhost helo=localhost by=mail.example.com ident= envfrom= intl=1 id=D0BF51C1B71 auth= msa=0 ] [. ip=127.0.0.1 rdns= helo=mail.example.com by=localhost ident= envfrom= intl=1 id=kEVGzIXBomJ9 auth= msa=0 ] [. ip=192.168.0.10 rdns=mail.example.com helo=mail.example.com by=mail.example.com ident= envfrom= intl=1 id=591781C008E auth=ESMTPSA msa=0 ]
Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-External: [. ip=192.0.2.1 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.
Re: X-Originating-IP fires too much
On 01.12.21 11:25, Matus UHLAR - fantomas wrote:
>Hoping that adding the sending IP address to the X-Originating-IP: header would help
>me fight spam posted via webmail, it seems I caused more problems
>than it was supposed to solve.
>
>mail sent from external IP 192.0.2.1 via webmail on 192.168.0.10, then pushed
>to SMTP server 192.168.0.10 (authenticated).

This line is configured in (Debian system):

/etc/roundcube/plugins/additional_message_headers/config.inc.php

$config['additional_message_headers']['X-Originating-IP'] = '[' . $_SERVER['REMOTE_ADDR'] .']';

I see that adding mailserver local IP (192.168.0.10) to msa_networks will
hide the remote IP if the local IP is trusted/internal.


>results
>- ALL_TRUSTED doesn't fire because 192.0.2.1 in X-Originating-IP
>
>- HELO_NO_DOMAIN fires
>- RDNS_NONE fires
> - both because X-Originating-IP contains no helo/DNS data.
>
>any idea what could I do here, besides disabling X-Originating-IP
>generation?
>
>Received: from mail.example.com ([127.0.0.1])
> by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
> with LMTP id kEVGzIXBomJ9; Wed, 1 Dec 2021 09:47:49 +0100 (CET)
>Received: from mail.example.com (mail.example.com [192.168.0.10])
> by mail.example.com (Postfix) with ESMTPSA id 591781C008E
> for <redacted@gmail.com>; Wed, 1 Dec 2021 09:47:49 +0100 (CET)
>User-Agent: Roundcube Webmail/1.3.17
>X-Originating-IP: [192.0.2.1]
>
>
>Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-Trusted: [. ip=127.0.0.1 rdns=localhost helo=localhost by=mail.example.com ident= envfrom= intl=1 id=D0BF51C1B71 auth= msa=0 ] [. ip=127.0.0.1 rdns= helo=mail.example.com by=localhost ident= envfrom= intl=1 id=kEVGzIXBomJ9 auth= msa=0 ] [. ip=192.168.0.10 rdns=mail.example.com helo=mail.example.com by=mail.example.com ident= envfrom= intl=1 id=591781C008E auth=ESMTPSA msa=0 ]
>Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-Untrusted: [. ip=192.0.2.1 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]
>Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-Internal: [. ip=127.0.0.1 rdns=localhost helo=localhost by=mail.example.com ident= envfrom= intl=1 id=D0BF51C1B71 auth= msa=0 ] [. ip=127.0.0.1 rdns= helo=mail.example.com by=localhost ident= envfrom= intl=1 id=kEVGzIXBomJ9 auth= msa=0 ] [. ip=192.168.0.10 rdns=mail.example.com helo=mail.example.com by=mail.example.com ident= envfrom= intl=1 id=591781C008E auth=ESMTPSA msa=0 ]
>Dec 1 11:04:48.911 [11167] dbg: metadata: X-Spam-Relays-External: [. ip=192.0.2.1 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
Re: X-Originating-IP fires too much
>On 01.12.21 11:25, Matus UHLAR - fantomas wrote:
>>Hoping that adding the sending IP address to the X-Originating-IP: header would help
>>me fight spam posted via webmail, it seems I caused more problems
>>than it was supposed to solve.
>>
>>mail sent from external IP 192.0.2.1 via webmail on 192.168.0.10, then pushed
>>to SMTP server 192.168.0.10 (authenticated).
>
>This line is configured in (Debian system):
>
>/etc/roundcube/plugins/additional_message_headers/config.inc.php
>
>$config['additional_message_headers']['X-Originating-IP'] = '[' . $_SERVER['REMOTE_ADDR'] .']';
>
>I see that adding mailserver local IP (192.168.0.10) to msa_networks will
>hide the remote IP if the local IP is trusted/internal.
>
>
>>results
>>- ALL_TRUSTED doesn't fire because 192.0.2.1 in X-Originating-IP
>>
>>- HELO_NO_DOMAIN fires
>>- RDNS_NONE fires
>>- both because X-Originating-IP contains no helo/DNS data.
>>
>>any idea what could I do here, besides disabling X-Originating-IP
>>generation?

So far I have the idea of putting a dummy host/HELO name into the received header,
either in X-Originating-IP or in SpamAssassin, so the:


X-Originating-IP: [192.0.2.1]

Dec 1 13:24:15.044 [10589] dbg: received-header: parsed as [. ip=192.0.2.1 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]

would change to something like

X-Originating-IP: example.com(example.com[192.0.2.1])

Dec 1 13:24:15.044 [10589] dbg: received-header: parsed as [. ip=192.0.2.1 rdns=example.com helo=example.com by= ident= envfrom= intl=0 id= auth= msa=0 ]


Can I do this in the PHP script above?

I tried to read the SA sources but I'm not that deeply into perl/SA to
understand if that is possible.

My blind attempts have failed so far.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: X-Originating-IP fires too much
On Wed, Dec 01, 2021 at 01:52:16PM +0100, Matus UHLAR - fantomas wrote:
> >
> > > results
> > > - ALL_TRUSTED doesn't fire because 192.0.2.1 in X-Originating-IP
> > >
> > > - HELO_NO_DOMAIN fires
> > > - RDNS_NONE fires
> > > - both because X-Originating-IP contains no helo/DNS data.
> > >
> > > any idea what could I do here, besides disabling X-Originating-IP
> > > generation?

One workaround might be to use
"clear_originating_ip_headers" and then re-add all other headers
except that one with "originating_ip_headers", eg.:

clear_originating_ip_headers
originating_ip_headers X-Yahoo-Post-IP X-Apparently-From
originating_ip_headers X-SenderIP X-AOL-IP
originating_ip_headers X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp


This is not perfect because it would ignore X-Originating-IP from
everyone.

Another perhaps cleaner solution is if your roundcube box is trusted
not to send spam, to bypass spamassassin completely for outgoing
mails from there.

Or simply make a negative score meta rule for all mails identifying
themselves as coming from your roundcube (originating IP, X-mailer,
SPF/DKIM passed etc.) that will undo the spam score it gets from
other rules.

--
Opinions above are GNU-copylefted.
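To make the two mechanisms discussed above concrete (the bare `[192.0.2.1]` value versus the Received-like `helo(rdns[ip])` form from the third message, and the negative-score meta rule suggested in the message just above), here is an added example that is not part of this thread and not SpamAssassin's code. It is a simplified Python model built from the `received-header: parsed as [...]` debug lines in the thread: it parses the Received: and X-Originating-IP: headers into the same relay tuple, splits them into trusted/untrusted using a trusted-network list, and evaluates RDNS_NONE/HELO_NO_DOMAIN-style checks on the first untrusted hop. The trust walk, the rule logic and the `LOCAL_WEBMAIL` rule are assumptions standing in for SpamAssassin's real behaviour; the sample headers are constructed from the ones posted in the thread.

```python
"""Simplified model of SpamAssassin relay parsing, built from this thread's
debug output. NOT SpamAssassin's code; trust handling is an assumption."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Relay:
    ip: str
    rdns: str = ""
    helo: str = ""
    by: str = ""
    auth: str = ""
    intl: int = 0

    def sa_string(self) -> str:
        # Same layout as the "received-header: parsed as [...]" debug lines
        return (f"[ ip={self.ip} rdns={self.rdns} helo={self.helo} by={self.by} "
                f"ident= envfrom= intl={self.intl} id= auth={self.auth} msa=0 ]")


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Postfix/amavisd style: from HELO (RDNS [IP]) by BY ... with PROTO ...
RECEIVED_RE = re.compile(
    rf"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>{IPV4})\]\)"
    rf"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z]+)", re.S)
# Bare form written by the Roundcube plugin config in the thread: [192.0.2.1]
BARE_RE = re.compile(rf"^\s*\[?(?P<ip>{IPV4})\]?\s*$")
# Received-like form proposed in the thread: helo(rdns[ip])
FULL_RE = re.compile(
    rf"^\s*(?P<helo>[\w.-]+)\s*\(\s*(?P<rdns>[\w.-]+)\s*\[(?P<ip>{IPV4})\]\s*\)\s*$")
AUTH_PROTOS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}  # ESMTP "with" keywords that imply SMTP AUTH


def parse_received(value: str) -> Optional[Relay]:
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    proto = m["proto"]
    return Relay(ip=m["ip"], rdns=m["rdns"] or "", helo=m["helo"], by=m["by"],
                 auth=proto if proto in AUTH_PROTOS else "")


def parse_originating_ip(value: str) -> Optional[Relay]:
    m = FULL_RE.match(value)
    if m:
        return Relay(ip=m["ip"], rdns=m["rdns"], helo=m["helo"])
    m = BARE_RE.match(value)
    return Relay(ip=m["ip"]) if m else None


def relay_chain(headers: List[Tuple[str, str]], trusted_nets: List[str]):
    """Walk Received: top-down (newest first): hops inside trusted_nets are
    trusted until the first hop outside them. If every Received: hop is
    trusted, the X-Originating-IP: value is virtually appended as the first
    untrusted hop (assumption modelled on the X-Spam-Relays-* debug lines)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    trusted, untrusted = [], []
    for name, value in headers:
        if name.lower() != "received":
            continue
        r = parse_received(value)
        if r is None:
            continue
        if not untrusted and any(ipaddress.ip_address(r.ip) in n for n in nets):
            r.intl = 1
            trusted.append(r)
        else:
            untrusted.append(r)
    if not untrusted:
        for name, value in headers:
            if name.lower() == "x-originating-ip":
                r = parse_originating_ip(value)
                if r is not None:
                    untrusted.append(r)
    return trusted, untrusted


def rdns_none(untrusted: List[Relay]) -> bool:       # model of RDNS_NONE
    return bool(untrusted) and untrusted[0].rdns == ""


def helo_no_domain(untrusted: List[Relay]) -> bool:  # model of HELO_NO_DOMAIN (no dot in HELO)
    return bool(untrusted) and "." not in untrusted[0].helo


def local_webmail_submission(headers, trusted: List[Relay], msa_ips) -> bool:
    """Hypothetical negative-score rule: keyed on an authenticated hop in the
    *trusted* relay list (written by our own MTA), not only on the
    client-supplied User-Agent, which any outside sender can set."""
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    authed = any(r.auth and r.ip in msa_ips for r in trusted)
    return authed and ua.startswith("Roundcube Webmail/")


# Constructed from the headers posted in the thread (one Received: hop fewer)
SAMPLE_HEADERS = [
    ("Received", "from mail.example.com ([127.0.0.1]) by localhost (mail.example.com "
                 "[127.0.0.1]) (amavisd-new, port 10024) with LMTP id kEVGzIXBomJ9; "
                 "Wed, 1 Dec 2021 09:47:49 +0100 (CET)"),
    ("Received", "from mail.example.com (mail.example.com [192.168.0.10]) by "
                 "mail.example.com (Postfix) with ESMTPSA id 591781C008E for "
                 "<redacted@gmail.com>; Wed, 1 Dec 2021 09:47:49 +0100 (CET)"),
    ("User-Agent", "Roundcube Webmail/1.3.17"),
    ("X-Originating-IP", "[192.0.2.1]"),
]
TRUSTED_NETS = ["127.0.0.0/8", "192.168.0.0/24"]  # assumed trusted_networks


def evaluate(headers, trusted_nets=TRUSTED_NETS) -> dict:
    trusted, untrusted = relay_chain(headers, trusted_nets)
    return {
        "trusted": [r.sa_string() for r in trusted],
        "untrusted": [r.sa_string() for r in untrusted],
        "RDNS_NONE": rdns_none(untrusted),
        "HELO_NO_DOMAIN": helo_no_domain(untrusted),
        "LOCAL_WEBMAIL": local_webmail_submission(headers, trusted, {"192.168.0.10"}),
    }


if __name__ == "__main__":
    for oip in ("[192.0.2.1]", "example.com(example.com[192.0.2.1])"):
        hdrs = SAMPLE_HEADERS[:-1] + [("X-Originating-IP", oip)]
        res = evaluate(hdrs)
        print(oip, "->", res["untrusted"][0], "RDNS_NONE" if res["RDNS_NONE"] else "",
              "HELO_NO_DOMAIN" if res["HELO_NO_DOMAIN"] else "")
```

Run it as-is and the bare form reproduces the `rdns= helo=` tuple from the thread, which is exactly why the two rules fire; the `helo(rdns[ip])` form yields the populated tuple from the third message. The `local_webmail_submission` check illustrates the caveat with the meta-rule approach: a negative-score rule keyed only on headers the client controls (User-Agent, X-Mailer, or X-Originating-IP itself) is trivially satisfied by an outside sender, so the rule should also require the authenticated hop recorded by your own MTA.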
Re: X-Originating-IP fires too much
On 2021-12-01 at 07:01:40 UTC-0500 (Wed, 1 Dec 2021 13:01:40 +0100)
Matus UHLAR - fantomas <uhlar@fantomas.sk>
is rumored to have said:

> On 01.12.21 11:25, Matus UHLAR - fantomas wrote:
>> Hoping that adding the sending IP address to the X-Originating-IP: header would help
>> me fight spam posted via webmail, it seems I caused more problems
>> than it was supposed to solve.
>>
>> mail sent from external IP 192.0.2.1 via webmail on 192.168.0.10, then pushed
>> to SMTP server 192.168.0.10 (authenticated).
>
> This line is configured in (Debian system):
>
> /etc/roundcube/plugins/additional_message_headers/config.inc.php
>
> $config['additional_message_headers']['X-Originating-IP'] = '[' . $_SERVER['REMOTE_ADDR'] .']';
>
> I see that adding mailserver local IP (192.168.0.10) to msa_networks will
> hide the remote IP if the local IP is trusted/internal.

That's why the *_networks config parameters exist: so that it is possible for SA to figure out which recorded transit hop to both trust as accurately recorded and to interpret as a transfer from a potentially hostile sender.

Is there some reason you would not want 192.168.0.10 in msa_networks?


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: X-Originating-IP fires too much
>> On 01.12.21 11:25, Matus UHLAR - fantomas wrote:
>>> Hoping that adding the sending IP address to the X-Originating-IP: header would help
>>> me fight spam posted via webmail, it seems I caused more problems
>>> than it was supposed to solve.
>>>
>>> mail sent from external IP 192.0.2.1 via webmail on 192.168.0.10, then pushed
>>> to SMTP server 192.168.0.10 (authenticated).

>On 2021-12-01 at 07:01:40 UTC-0500 (Wed, 1 Dec 2021 13:01:40 +0100) Matus
>UHLAR - fantomas <uhlar@fantomas.sk> is rumored to have said:

yes, I said that ;-)

>> This line is configured in (Debian system):
>>
>> /etc/roundcube/plugins/additional_message_headers/config.inc.php
>>
>> $config['additional_message_headers']['X-Originating-IP'] = '[' . $_SERVER['REMOTE_ADDR'] .']';
>>
>> I see that adding mailserver local IP (192.168.0.10) to msa_networks will
>> hide the remote IP if the local IP is trusted/internal.

On 03.12.21 15:25, Bill Cole wrote:
>That's why the *_networks config parameters exist: so that it is possible
> for SA to figure out which recorded transit hop to both trust as
> accurately recorded and to interpret as a transfer from a potentially
> hostile sender.
>
>Is there some reason you would not want 192.168.0.10 in msa_networks?

I was hoping that the client IP would get looked up in blacklists, but I hadn't
expected HELO and RDNS rules to fire.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer