http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5006

           Summary: URI IP RBL check does not properly handle raw-numeric
                    addresses (not D.Q.)
           Product: Spamassassin
           Version: 3.1.3
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Rules
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


John D. Hardin wrote:
> This wasn't detected as a redirector attack by 3.1.3, running
> sa-update weekly:
>
> {snippage}
>
> <a target="_parent"
> href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
> here to cancel your new email
> address</a>

Being a simple visible redirector, SA actually does detect it:

[7375] dbg: uri: cleaned html uri,
http://1092229727:9999/https-www.paypal.com/webscrr/index.php
[7375] dbg: uri: html domain, google.com

The problem is that SA doesn't then go on to do checks on the IP
1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it would
if it was in dotted-quad notation.  Thus the hit on Sorbs' DUHL is avoided.

This is definitely a bug.  Please open a bug report and attach a
complete sample to the bug.

http://issues.apache.org/SpamAssassin/

Daryl
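
The normalization step the report describes as missing, as an added example (not SpamAssassin's code and not part of the original thread): it converts a numeric URL host to dotted-quad and builds the reversed-octet name a DNSBL lookup uses. It goes beyond the single decimal case in the sample to the hex, octal and short dotted forms that `inet_aton`-style parsers also accept; the function names and the zone `dnsbl.example` are placeholders.

```python
from urllib.parse import urlsplit

def _parse_part(part):
    """One inet_aton-style component: 0x.. hex, leading-0 octal, else decimal."""
    low = part.lower()
    if low.startswith("0x"):
        digits, base = low[2:], 16
    elif len(low) > 1 and low.startswith("0"):
        digits, base = low[1:], 8
    else:
        digits, base = low, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        raise ValueError("not a numeric component: %r" % part)
    return int(digits, base)

def numeric_host_to_dotted_quad(host):
    """Return canonical a.b.c.d for a numeric IPv4 host, or None for a name."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        *head, tail = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(v > 0xFF for v in head) or tail >= 256 ** (4 - len(head)):
        return None
    addr = tail
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def dnsbl_query_name(url, zone="dnsbl.example"):  # placeholder zone, not a real list
    """Return (dotted_quad, reversed-octet query name), or None if host is a name."""
    host = urlsplit(url).hostname
    ip = numeric_host_to_dotted_quad(host) if host else None
    if ip is None:
        return None
    return ip, ".".join(reversed(ip.split("."))) + "." + zone

# The cleaned URI from the debug output quoted in the report.
SAMPLE = "http://1092229727:9999/https-www.paypal.com/webscrr/index.php"

if __name__ == "__main__":
    print(dnsbl_query_name(SAMPLE))
    # Constructed alternate spellings of the same address, plus a real hostname.
    for h in ("0x411a1a5f", "65.26.6751", "0101.032.032.0137", "www.google.com"):
        print(h, "->", numeric_host_to_dotted_quad(h))
```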


