spamassassin-users January 2011 archive

Re: How to prevent DOS_OUTLOOK_TO_MX false positive?

From: Karsten Bräckelmann <guenther_at_nospam>
Date: Wed Jan 05 2011 - 16:32:39 GMT
To: users@spamassassin.apache.org

On Wed, 2011-01-05 at 10:03 -0500, Michael Scheidell wrote:
> On 1/5/11 9:33 AM, George Spelvin wrote:
> > I'm having trouble with intracompany e-mail. When a Windows/Outlook user
> > sends mail to a local user, there is exactly one MX in the path.
> > Which is the office mail server.

> > Should I just manually stomp on that score, or is there a more
> > subtle way to prevent this false positive? (I could, for example,
> > add a compensating negative score for sender IP addresses in our range.)
>
> put all of your local ip addresses in internal_networks.
> you will avoid unnecessary rbl lookups, spf failures and it should set a
> ALL_TRUSTED flag also.

That should help indeed. :) Another fix that would prevent any such
hits on internal mail and instead also results in ALL_TRUSTED, is having
your users authenticate against your SMTP.

This Received header from the original, attached to the spam report,
shows the (munged) IP address that is (a) considered to not be in your
internal network, unless you add the net, and (b) sent by the MUA
without authentication, so SA cannot extend the trustpath magically
either.

  Received: from unknown (HELO $MACHINE) (aaa.bbb.ccc.ddd)
    by science.horizon.com with SMTP; 4 Jan 2011 16:13:46 -0500

Using SMTP without authentication often leads to such problems, if a
single machine does both MSA and MX.

Need. More. Coffee.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
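
The two fixes discussed in this message (listing the client's network in internal_networks, or having the client authenticate) can be seen in a simplified model of the trust-path walk. This is an added example, not part of the original message and not SpamAssassin's own code. The address 192.0.2.25 and HELO name pc17 are constructed stand-ins for the munged values, and it assumes the server records SMTP AUTH with the RFC 3848 ESMTPA/ESMTPSA keyword.

```python
import ipaddress
import re

# Matches the header style quoted in the message:
#   from unknown (HELO name) (IP) by host with PROTO; date
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+[^)]*\)\s+\((?P<ip>[0-9a-fA-F.:]+)\)\s+"
    r"by\s+\S+\s+with\s+(?P<proto>\S+?);"
)
# RFC 3848 "with" keywords that record SMTP AUTH on that hop (assumption).
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}


def classify_relays(received_headers, internal_networks):
    """Walk Received headers newest-first; return (ip, trusted, reason) tuples."""
    # Simplified rule: a hop is trusted if its IP is in internal_networks, or
    # if it authenticated to a trusted host. Trust ends at the first failure.
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    results, chain_trusted = [], True
    for header in received_headers:
        m = RECEIVED_RE.search(" ".join(header.split()))  # unfold the header
        if m is None:
            results.append((None, False, "unparsed"))
            chain_trusted = False
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not chain_trusted:
            verdict = (False, "beyond trust boundary")
        elif any(ip in n for n in nets):
            verdict = (True, "internal_networks")
        elif m.group("proto").upper() in AUTH_PROTOCOLS:
            verdict = (True, "authenticated")
        else:
            verdict = (False, "unauthenticated external")
        chain_trusted = verdict[0]
        results.append((str(ip),) + verdict)
    return results


def all_trusted(received_headers, internal_networks):
    hops = classify_relays(received_headers, internal_networks)
    return bool(hops) and all(trusted for _, trusted, _ in hops)


# Constructed sample: the quoted header with 192.0.2.25 replacing the munged IP.
SAMPLE = ["from unknown (HELO pc17) (192.0.2.25)\n"
          "  by science.horizon.com with SMTP; 4 Jan 2011 16:13:46 -0500"]
SAMPLE_AUTH = [SAMPLE[0].replace("with SMTP;", "with ESMTPA;")]
```

With an empty network list the sample hop is classified as unauthenticated external, which is the situation the original poster reported; either adding 192.0.2.0/24 or using the authenticated variant makes every hop trusted.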