
Bug in Kerio Spam Filter -> Custom Rules (The bug originates from compliance with RFC 2821:3.8.4)
PositiveMojo

Messages: 8
Karma: 0
You've got a major bug in the Kerio "Spam Filter - Custom Rules". It originates from your complying with RFC 2821 Section 3.8.4, which states:

"The translation algorithm used to convert mail from the Internet protocols to another environment's protocol SHOULD ensure that error messages from the foreign mail environment are delivered to the return path from the SMTP envelope, not to the sender listed in the "From:" field (or other fields) of the RFC 822 message."

In other words, the RETURN-PATH must trump the FROM. When this is included in an email, the Kerio server ignores the FROM and inserts the RETURN-PATH into the SMTP From. The Spam Filter never looks at the FROM when this happens.

This is easily seen in the mail log. I've given a real-life example below.

FROM THE KERIO MAIL LOG:
[14/Sep/2011 06:57:09] Recv: Queue-ID: 4e709695-00040e17, Service: SMTP, From: <sentto-75100991-15-1316001350-pam=ftiglobal.com@returns.groups.yahoo.com>, To: <pam@ftiglobal.com>, Size: 24270, Sender-Host: 98.139.164.102

Notice that the FROM is <sentto-75100991-15-1316001350-pam=ftiglobal.com@returns.groups.yahoo.com>, which happens to actually be the RETURN-PATH, which is in accordance with the RFC.

MAIL HEADER:
Return-Path: <sentto-75100991-15-1316001350-pam=ftiglobal.com@returns.groups.yahoo.com>
X-Spam-Status: No, hits=2.5 required=5.0
tests=BAYES_50: 1.567,HTML_FONT_FACE_BAD: 0.884,HTML_FONT_LOW_CONTRAST: 0.124,
HTML_MESSAGE: 0.001,RDNS_NONE: 0,TOTAL_SCORE: 2.576,autolearn=no
X-Spam-Level: **
Received: from ng7.bullet.mail.bf1.yahoo.com ([98.139.164.102])
by mail.ftiglobal.com (Kerio Connect 7.0.1)
for pam@ftiglobal.com;
Wed, 14 Sep 2011 06:57:09 -0500
From: "benjaguar52" <benjaguar52@yahoo.com.tw>


Notice that the FROM is actually from yahoo.com.tw, which is a real email server owned by Yahoo and hacked by our friends in Taiwan.

The Spam Filter -> Custom Rules for this Kerio email server includes filtering for both the SUBSTRING and DOMAIN in the FROM address that includes yahoo.com.tw. It even includes a filter for the entire from address of "benjaguar52@yahoo.com.tw". This email happily passed by all of those filters and I am assuming it is because Kerio already has recognized the RETURN-PATH as the FROM (which is in accordance with the RFC) prior to running the email through the Spam Filter. That is the only condition I can imagine that would allow this to happen.

The good news is that you can probably fix this by running the spam filter on both the FROM and RETURN-PATH or giving the option of including the RETURN-PATH in the filter (which might be better and more in compliance with the RFC).

In the meantime, I'm going to attempt a work around by putting "pam=ftiglobal.com" in the FROM and hope that blocks any spam until you get this fixed. The bottom line is that this is a pretty big hole in the Kerio Spam Filter.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
PositiveMojo wrote on Wed, 14 September 2011 18:16
You've got a major bug in the Kerio "Spam Filter - Custom Rules". It originates from your complying with RFC 2821 Section 3.8.4, which states:

"The translation algorithm used to convert mail from the Internet protocols to another environment's protocol SHOULD ensure that error messages from the foreign mail environment are delivered to the return path from the SMTP envelope, not to the sender listed in the "From:" field (or other fields) of the RFC 822 message."

This is nonsense. The Return-Path email header is generated by the receiving SMTP server and always contains the sender address from the SMTP envelope. There is no bug or security hole.
Quote:

In other words, the RETURN-PATH must trump the FROM. When this is included in an email, the Kerio server ignores the FROM and inserts the RETURN-PATH into the SMTP From. The Spam Filter never looks at the FROM when this happens.

This is not true at all! The spam filter checks both the MAIL FROM and From: sender addresses.
If the filter does not work as you expect then there is something wrong with your setup. Feel free to contact our technical support. They will help you to check server configuration.

Quote:

The bottom line is that this is a pretty big hole in the Kerio Spam Filter.

Once again, there is no hole.
PositiveMojo

Messages: 8
Karma: 0
Kerio_pdobry. With all due respect, you've done nothing to explain why this is happening. I've given every bit of evidence that shows exactly what is going on. This is being exploited by spammers on the Kerio server and would be very bad press for Kerio - a company I happen to like.

Treating people who report real problems as stupid just doesn't cut it. Please explain why the FROM Custom Rules are not working. I've shown you evidence that can be duplicated again and again. This is not made-up stuff. It is the real deal.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
I did a test with Kerio Connect, provided email sample and the rule. It is working properly and blocks the email.
I cannot explain why it is not working for you because I don't have enough information. I don't know your setup or your configuration. That's why I recommend contacting our technical support.
PositiveMojo

Messages: 8
Karma: 0
Thanks for checking it out. I can't ask more than that of anyone and sincerely appreciate it. Now the bigger question is whether there is a configuration issue. I'll contact tech support and see what is happening and get back to the forum to let you know what happens.

I can replicate the problem so we should be able to discover the cause.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
BTW: Just to be sure, enable Spam Filter messages in the debug log ( http://manuals.kerio.com/connect/adminguide/en/sect-debuglog.html ). My guess is that there is some allowing rule above this one. The debug log should definitely help.
freakinvibe

Messages: 1553
Karma: 62
Quote:
giving the option of including the RETURN-PATH in the filter (which might be better and more in compliance with the RFC).


You can include the return-path in the filter, by just typing it into the "Header" field (and not using the drop-down list). In other words, the drop-down is just holding suggestions of the most used headers, but you can filter for anything you like.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
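To make the envelope-versus-header distinction argued over in this thread concrete (the first post's log line versus its message headers, and freakinvibe's point that any header name can be typed into the rule), here is an added example that is not Kerio's code and not from any poster. It parses a message constructed from the headers quoted above, takes the SMTP envelope sender separately (the value Kerio logs as "From:" in the mail log), and evaluates a small rule list against either the envelope MAIL FROM or a named header. The Rule model and the three match types (address, domain, substring) are assumptions made for illustration; they are not Kerio's rule semantics.

```python
"""Evaluate spam-filter style custom rules against both the SMTP envelope
sender (MAIL FROM / Return-Path) and RFC 5322 header fields such as From:.

Added illustration; rule model and match semantics are assumptions."""
from dataclasses import dataclass
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


@dataclass(frozen=True)
class Rule:
    header: str        # "MAIL FROM" for the envelope sender, else a header name
    match: str         # "address", "domain" or "substring" (assumed vocabulary)
    value: str
    action: str = "block"


def _address_of(field_value):
    """Reduce '"Name" <user@host>' (or '<user@host>') to a lower-case addr-spec."""
    if field_value is None:
        return None
    addr = parseaddr(str(field_value))[1].strip("<> ").lower()
    return addr or None


def _matches(rule, address):
    """Apply one rule to one bare address; None never matches."""
    if not address:
        return False
    needle = rule.value.lower()
    if rule.match == "address":
        return address == needle
    if rule.match == "domain":
        domain = address.rsplit("@", 1)[-1]
        return domain == needle or domain.endswith("." + needle)
    if rule.match == "substring":
        return needle in address
    raise ValueError(f"unknown match type {rule.match!r}")


def evaluate(raw_message: bytes, envelope_from: str, rules):
    """Return the rules that fire for this message.

    envelope_from is the SMTP MAIL FROM address, carried separately from the
    message because it is not a header (the receiving MTA writes it into
    Return-Path, which is why both are checked here)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    fired = []
    for rule in rules:
        if rule.header.upper() == "MAIL FROM":
            address = _address_of(envelope_from)
        else:
            address = _address_of(msg.get(rule.header))
        if _matches(rule, address):
            fired.append(rule)
    return fired


# Constructed sample, assembled from the headers quoted in the thread above.
SAMPLE_ENVELOPE_FROM = "sentto-75100991-15-1316001350-pam=ftiglobal.com@returns.groups.yahoo.com"
SAMPLE_MESSAGE = b"""Return-Path: <sentto-75100991-15-1316001350-pam=ftiglobal.com@returns.groups.yahoo.com>
Received: from ng7.bullet.mail.bf1.yahoo.com ([98.139.164.102])
 by mail.ftiglobal.com (Kerio Connect 7.0.1)
 for pam@ftiglobal.com;
 Wed, 14 Sep 2011 06:57:09 -0500
From: "benjaguar52" <benjaguar52@yahoo.com.tw>
To: <pam@ftiglobal.com>
Subject: constructed sample
Content-Type: text/plain

Body text is irrelevant to the rules.
"""

# The rules the original poster describes, plus the Return-Path workaround
# and an envelope-side rule, all expressed in the assumed Rule model.
SAMPLE_RULES = [
    Rule("From", "domain", "yahoo.com.tw"),
    Rule("From", "address", "benjaguar52@yahoo.com.tw"),
    Rule("Return-Path", "substring", "pam=ftiglobal.com"),
    Rule("MAIL FROM", "domain", "returns.groups.yahoo.com"),
]


def run_sample():
    """(header, match, value) for every sample rule that fires on the sample."""
    return [(r.header, r.match, r.value)
            for r in evaluate(SAMPLE_MESSAGE, SAMPLE_ENVELOPE_FROM, SAMPLE_RULES)]


if __name__ == "__main__":
    for hit in run_sample():
        print("BLOCK", hit)
```

Run as-is, all four rules fire, which is the behaviour Pavel Dobry describes (both MAIL FROM and From: are inspected). Swapping the header on the yahoo.com.tw rules from "From" to "Return-Path" makes them fall silent, because that field holds the returns.groups.yahoo.com envelope address: a rule keyed on the wrong field is indistinguishable from a rule that does not work, which is why the debug log suggestion above is the right first step.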
PositiveMojo

Messages: 8
Karma: 0
Thanks for the tip about the custom entry on the drop down list. I tried it and it works and has solved the problem.