'Re: X-Spam-Relays-External envfrom= not reliable'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       spamassassin-devel
Subject:    Re: X-Spam-Relays-External envfrom= not reliable
From:       John Hardin <jhardin () impsec ! org>
Date:       2021-01-07 16:20:58
Message-ID: alpine.LNX.2.21.2101070808380.26617 () athena ! impsec ! org
[Download RAW message or body]


On Thu, 7 Jan 2021, RW wrote:

> On Wed, 6 Jan 2021 19:50:08 -0800 (PST)
> John Hardin wrote:
>
>> The rule was looking at X-Spam-Relays-External envfrom= to determine
>> the envelope sender domain. When running the message in my testbed, I
>> found that the envfrom= was not populated at all, and this is why the
>> rule missed.
>>
>> The envelope sender was available in a Return-Path header.
>>
>> Not all MTAs put the envelope sender address into the Received header
>> they generate.
>>
>> Would it be justified to populate the envfrom= in
>> X-Spam-Relays-External from Return-Path (and/or potentially
>> X-Envelope-From) if it's not available in any Received header?
>>
>> If not, then rules looking at X-Spam-Relays-External envfrom= will
>> not work reliably in all environments and should be replaced with
>> checks of Return-Path.
>
> See the documentation for the pseudoheader "EnvelopeFrom".

Rats. Thanks for pointing that out.

> Most cases could use that - especially the __FSL_ENVFROM_ rules, which 
> are last-external.

Agreed. I will probably fix those after evaluating the impact of the 
change.

> The only published rule using  "envfrom=" is __ENVFROM_GOOG_TRIX. This
> does slightly benefit from going deep. Maybe it could check both

I did that yesterday (checking return-path rather then envelopefrom) when 
I noticed this.

> or be rewritten to allow for SRS in EnvelopeFrom.

I will probably do that now that I know about that header.

> Relays-External contains per relay information. I think it should
> require a strong reason to depart from that.

Agreed, hence bringing it up for discussion.

> An alternative would be an additional AllEnvelopeFrom pseudoheader, but 
> it looks like a very minor problem at the moment.

I don't see a need for that at the moment.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Je ne suis pas Charlie. Je suis armé.
-----------------------------------------------------------------------
  Today: the 6th anniversary of the Charlie Hebdo massacre

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic