https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6524

           Summary: AWL blocks Amazon.com inappropriately
           Product: Spamassassin
           Version: 3.2.5
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Plugins
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Short version: 

amazon.com is a popular forged domain for spam/phishing, and AWL storing the
first two octets isn't enough to avoid poisoning real amazon.com mail.  I have
a theory that Amazon may be partially to blame due to EC2, but can't prove it. 
I suggest "whitelist_auth *[email protected]" be a standard rule when DKIM is
available.

Long version (from http://jered.livejournal.com/80020.html):

I've had a really weird spam filtering problem the last few weeks -- Amazon
order confirmations are getting discarded with really high scores from
spamassassin (SA). It turned out that they were all getting eaten by the Auto
Whitelist (AWL), which is really an "address history" mechanism, not a
whitelist. Important addresses like "[email protected]" have history
that indicates 10 or more points of likely spamminess.

Spammers and scammers will routinely forge messages from addresses like
[email protected] because they're more likely to make it through filters
and be opened. SA avoids this by making the key in the AWL database be the
tuple of (from address, first two IP octets). But valid amazon.com address
ranges were getting very high scores! Why?

(Interlude: I solved the underlying problem with a "whitelist_auth
*[email protected]" since Amazon does DKIM sign mail.)

I have a theory.

Amazon makes no secret that its Elastic Compute Cloud (EC2) service is a
spin-out of technology originally built to scale the Amazon online shopping
machinery. Demand varies seasonally, and Amazon needs the ability to scale
different parts of the software infrastructure on demand. Most of the time they
have tons of spare compute capacity, so they make this available via the EC2
service.

It's now the busy holiday season, which means that Amazon's infrastructure is
scaled out significantly, making use of servers and IP addresses not recently
used for amazon.com shopping. However, these IP addresses have been in the EC2
pool, and thus occasionally used by spammers, and thus occasionally used by
spammers faking addresses from amazon.com (which will conveniently pass SPF
checks too). Thus, by leasing out parts of their infrastructure for EC2, Amazon
has inadvertently blacklisted themselves in anyone using SA AWL.

-- 
Configure bugmail: 
https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
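
The poisoning described in the report, as an added example (not SpamAssassin's code and not from the reporter): a simplified model of AWL history keyed on (from address, first two IP octets). It assumes the adjustment is (historical mean - current score) * 0.5 and a spam threshold of 5.0; the address, IPs and scores are constructed.

```python
from collections import defaultdict

AWL_FACTOR = 0.5      # assumption: weight given to the historical mean
SPAM_THRESHOLD = 5.0  # assumption: score at which mail is treated as spam


class AwlModel:
    """Simplified AWL: per-key running total and count of pre-AWL scores."""

    def __init__(self, factor=AWL_FACTOR):
        self.factor = factor
        self.history = defaultdict(lambda: [0.0, 0])  # key -> [total, count]

    @staticmethod
    def key(sender, ip):
        # The key from the report: (from address, first two IPv4 octets).
        return (sender.lower(), ".".join(ip.split(".")[:2]))

    def score(self, sender, ip, base_score):
        """Return the AWL-adjusted score, then record base_score in history."""
        entry = self.history[self.key(sender, ip)]
        total, count = entry
        adjusted = base_score
        if count:
            # Pull the message's score toward the mean seen for this key.
            adjusted += (total / count - base_score) * self.factor
        entry[0] += base_score
        entry[1] += 1
        return adjusted


def simulate():
    sender = "order-confirm@shop.example"  # constructed address
    # Constructed history: forged mail from hosts that share one /16.
    forged = [("10.20.1.5", 25.0), ("10.20.7.9", 30.0), ("10.20.31.2", 22.0)]
    awl = AwlModel()
    for ip, base in forged:
        awl.score(sender, ip, base)
    # Genuine mail scoring 0.5 on its own, sent from the same /16.
    poisoned = awl.score(sender, "10.20.200.14", 0.5)
    # The same mail from a /16 with no history is left untouched.
    clean = awl.score(sender, "10.99.3.3", 0.5)
    return {"poisoned": poisoned, "clean": clean,
            "poisoned_is_spam": poisoned >= SPAM_THRESHOLD}


if __name__ == "__main__":
    print(simulate())
```

The genuine message inherits the forged senders' history only because its sending host falls in the same /16; nothing about the message itself changed.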
