[dspam-dev] DSPAM blocklist can be fooled

Thu, 16 Aug 2007 10:43:44 -0700 

Hallo list

I think there is a error/bug in the blocklist in DSPAM.

Lets assume we have the following email:
-----
mail ~ # cat /tmp/test.txt
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
        by mail.server.tld (Postfix) with SMTP id 6F7F815142C9
        for <[EMAIL PROTECTED]>; Thu, 16 Aug 2007 09:09:02 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by mail.server.tld (Postfix) with ESMTP id 1126F15142CF
        for <[EMAIL PROTECTED]>; Thu, 16 Aug 2007 09:09:00 +0200 (CEST)
Received: from mail.domain.tld (mail.domain.tld [xxx.xxx.xx.xx])
        by mail.server.tld (Postfix) with SMTP id 29C6915142C9
        for <[EMAIL PROTECTED]>; Thu, 16 Aug 2007 09:08:42 +0200 (CEST)
Received: (qmail 12364 invoked by uid 0); 16 Aug 2007 07:08:39 -0000
Received: from xxx.xxx.xx.xx by www120.domain.tld with HTTP;
 Thu, 16 Aug 2007 09:08:39 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 16 Aug 2007 09:08:39 +0200
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]> (sfid-20070816_090903_522088_794E7101)
MIME-Version: 1.0
Subject: Some text
To: [EMAIL PROTECTED]

Just some dummy text
mail ~ #
------


Lets assume we have the following domain blocklist:
------
mail ~ # cat /var/spool/dspam/data/u/s/[EMAIL PROTECTED]/[EMAIL PROTECTED]
domain.tld
mail ~ #
------


Now if I check the mail with DSPAM then I get a innocent status:
------
mail ~ # dspam --user [EMAIL PROTECTED] --classify --stdout < /tmp/test.txt
X-DSPAM-Result: [EMAIL PROTECTED]; result="Innocent"; class="Innocent"; 
probability=0.0000; confidence=0.98; signature=N/A
mail ~ #
------


But this is wrong. The mail comes from a domain I have in the blocklist.
I think the problem is that in src/dspam.c the domain part of the from header 
gets parsed with strchr. I think it would be better to use strrchr instead of 
strchr. This would be the patch I would suggest:
--- src/dspam.c 2006-12-12 16:33:45.000000000 +0100
+++ src/dspam.c.new     2007-08-16 19:14:06.155370137 +0200
@@ -3774,7 +3774,7 @@
     char buf[256];
     if (heading) {
       char *dup = strdup(heading);
-      char *domain = strchr(dup, '@');
+      char *domain = strrchr(dup, '@');
       if (domain) {
         int i;
         for(i=0;domain[i] && domain[i]!='\r' && domain[i]!='\n'



// Steve


-- 
Psssst! Schon vom neuen GMX MultiMessenger gehört?
Der kanns mit allen: http://www.gmx.net/de/go/multimessenger

Reply via email to