https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6908

            Bug ID: 6908
           Summary: Forged headers are poisoning AWL database
           Product: Spamassassin
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Plugins
          Assignee: [email protected]
          Reporter: [email protected]
    Classification: Unclassified

There seems to be a bug in which the wrong Received From header entry is used for
AWL validation, and this is poisoning the AWL database for LinkedIn entries
(most probably other domains too).

SpamAssassin debug output for a sample mail:
Feb 15 20:56:28.321 [12654] dbg: auto-whitelist: tie-ing to DB file of type
DB_File R/W in /var/spool/MailScanner/spamassassin/auto-whitelist
Feb 15 20:56:28.321 [12654] dbg: auto-whitelist: IP masking 199.101.160.34 ->
199.101
Feb 15 20:56:28.322 [12654] dbg: auto-whitelist: db-based
[email protected]|ip=199.101 scores 5/356.94
Feb 15 20:56:28.322 [12654] dbg: auto-whitelist: AWL active, pre-score: 61.453,
autolearn score: 61.453, mean: 71.388, IP: 199.101.160.34, address:
[email protected] (not signed)
Feb 15 20:56:28.322 [12654] dbg: auto-whitelist: add_score: new count: 6, new
totscore: 418.393
Feb 15 20:56:28.322 [12654] dbg: auto-whitelist: DB addr list: untie-ing and
unlocking
Feb 15 20:56:28.323 [12654] dbg: auto-whitelist: DB addr list: file locked,
breaking lock


Original Header:
Received: from cust241-38.148.197.netcabo.co.ao (unknown [197.148.38.241])
        by mail01.ubisoft.com (Postfix) with ESMTP id 53E2A6662F
        for <[email protected]>; Fri, 15 Feb 2013 14:11:22 +0000 (GMT)
Received: from maila-cb.linkedin.com ([199.101.160.34]) by
mailstore1.secureserver.net;
         Fri, 15 Feb 2013 05:11:22 +0100
Sender: [email protected]
Date: Fri, 15 Feb 2013 05:11:22 +0100
From: LinkedIn Email Confirmation <[email protected]>
To: mzemir <[email protected]>
Message-ID: <[email protected]>
Subject: [SPAM] Re: Scan from a HP ScanJet  #50553759
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_Part_0120519_7213332464.6743027885770"
X-LinkedIn-Template: email_confirm
X-LinkedIn-Class: ACCT-ADMIN
X-LinkedIn-fbl: s-XAXOQT9M053YRH5XV3YRVB56M4AIKNSWIXM14J-75MNC1CJ74O8J4R
X-OriginalArrivalTime: Fri, 15 Feb 2013 05:11:22 +0100
FILETIME=[6CE9726C:41380A5D]
X-Spam-Prev-Subject: Re: Scan from a HP ScanJet  #50553759


I was hunting a bug in which I deleted LinkedIn AWL entries for 199.101 IPs and
they kept reappearing within minutes with high score levels, when all the
original LinkedIn mails score low averages... I've managed to hunt it down to
these kinds of messages, which reset my LinkedIn AWL entries to high scores,
high average.  AWL is setting wrong scores on the wrong emails.

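The following is an added example, not part of the bug report and not SpamAssassin code: it replays the logged add_score step with the AWL key built from the oldest Received hop (the IP seen in the debug output) and then from the hop recorded by the receiving MTA. It assumes mail01.ubisoft.com is the site's own relay; the sender address is a placeholder because it is redacted in the report, and all function names are hypothetical.

```python
import re

# Constructed from the two Received lines quoted in the report, topmost first.
RECEIVED = [
    "from cust241-38.148.197.netcabo.co.ao (unknown [197.148.38.241]) "
    "by mail01.ubisoft.com (Postfix) with ESMTP id 53E2A6662F",
    "from maila-cb.linkedin.com ([199.101.160.34]) by mailstore1.secureserver.net",
]
TRUSTED_MTAS = {"mail01.ubisoft.com"}  # assumption: the only relay the site runs
SENDER = "sender@linkedin.example"     # placeholder: address is redacted on the page
HOP = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]\)?\s+by\s+([\w.-]+)")

def hops(received):
    """(client_ip, recording_host) for each Received line, topmost first."""
    return [HOP.search(line).groups() for line in received]

def originating_ip(received):
    """Oldest hop: matches the IP in the debug log, but the sender wrote it."""
    return hops(received)[-1][0]

def boundary_ip(received, trusted=TRUSTED_MTAS):
    """Client IP recorded by the deepest consecutive trusted relay."""
    seen = None
    for ip, by in hops(received):
        if by not in trusted:
            break
        seen = ip
    return seen

def awl_key(addr, ip):
    """address|ip=<first two octets>, the masking shown in the log."""
    return f"{addr}|ip={'.'.join(ip.split('.')[:2])}"

def replay(pick_ip):
    """Apply the logged add_score step with the chosen IP selector."""
    db = {awl_key(SENDER, "199.101.160.34"): (5, 356.94)}  # count/total from log
    key = awl_key(SENDER, pick_ip(RECEIVED))
    count, total = db.get(key, (0, 0.0))
    db[key] = (count + 1, round(total + 61.453, 3))        # pre-score from log
    return db

if __name__ == "__main__":
    for pick in (originating_ip, boundary_ip):
        print(pick.__name__, replay(pick))
```

With the oldest-hop selector the forged message lands on the 199.101 entry and reproduces the logged count 6 and totscore 418.393; with the boundary selector it gets its own 197.148 entry and the 199.101 entry is untouched.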