spamassassin-users June 2010 archive
spamassassin-users: SA checking of authenticated users' messages

From: Louis Guillaume <louis_at_nospam>
Date: Wed Jun 09 2010 - 05:51:20 GMT
To: users@spamassassin.apache.org

Hi,

Recently I've had a lot of reports of returned mail from authenticated
users. The messages are being bounced on the way out.

I understand that SA checks outbound messages, but I have discovered two
things, one of them rather disturbing:

1. I cannot find a way to simply trust authenticated users'
    messages. I would like to whitelist all messages that are
    sent by authenticated users. Yes, I understand that a
    compromised user account can be a problem for me, but I
    need this as a starting point. Is there a way?

2. When outgoing messages are checked, spamd tries to find a
    user to run as using the recipient's address. The way this
    is done is to use the user-portion of the recipient
    address, which is absolutely insane!

    For example: evil-hacker tries to brute force the system
    by trying every name in the world against example.com.
    Let's say I have a user "bob" with an email address of
    "bob@someotherdomain.com". SA now happily calls on bob's
    account to run spamd for this message, which has
    absolutely nothing to do with bob, his domain or his
    email account (!) This is bad.

    Example no. 2: Local user jane is sending a message to
    "bob@some-where-completely-unrelated.com". Well, once
    again spamd decides, "oh - this user name is `bob'. Why
    don't I run as bob for this one?" Again completely
    inappropriate! This message has absolutely nothing to do
    with bob or his account.

    Is there a misconfiguration here? What should I check?

My system information:

   OS: NetBSD-5
   sendmail-8.14.4
   spamassassin-3.3.1
   spamass-milter-0.3.1

Any help would be great!

Louis
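
Added example, not part of the original post and not spamass-milter or spamd code: a small model of the user selection described in point 2, next to a lookup keyed on the full recipient address. The address map, the account names and the fallback user `nobody` are constructed assumptions.

```python
# Model of the behaviour described in the post; not spamass-milter/spamd code.
# ADDRESS_TO_ACCOUNT and DEFAULT_USER are constructed sample values.
ADDRESS_TO_ACCOUNT = {
    "bob@someotherdomain.com": "bob",   # bob's real address, as in the post
    "jane@example.com": "jane",
}
LOCAL_ACCOUNTS = set(ADDRESS_TO_ACCOUNT.values())
DEFAULT_USER = "nobody"


def naive_user(recipients):
    """As described in the post: use the user portion of the recipient address."""
    local_part = recipients[0].rsplit("@", 1)[0].lower()
    return local_part if local_part in LOCAL_ACCOUNTS else DEFAULT_USER


def mapped_user(recipients):
    """Pick an account only when the full address belongs to a local mailbox."""
    if len(recipients) != 1:
        # Several recipients: no single user's settings apply.
        return DEFAULT_USER
    return ADDRESS_TO_ACCOUNT.get(recipients[0].strip().lower(), DEFAULT_USER)


def compare(cases):
    """Return (recipient, naive choice, full-address choice) for each case."""
    return [(r[0], naive_user(r), mapped_user(r)) for r in cases]


# Constructed cases: the post's two examples, then mail really addressed to bob.
CASES = [
    ["bob@example.com"],
    ["bob@some-where-completely-unrelated.com"],
    ["bob@someotherdomain.com"],
]

if __name__ == "__main__":
    for recipient, naive, mapped in compare(CASES):
        flag = "MISMATCH" if naive != mapped else "ok"
        print(f"{recipient:42} naive={naive:7} mapped={mapped:7} {flag}")
```

The first two cases are the ones the post objects to: matching on the user portion alone selects bob's account for mail that is not addressed to bob's mailbox.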