On Wed, Aug 27, 2008 at 02:57:42PM +0200, ropers wrote:
> 2008/8/27 Raimo Niskanen <[EMAIL PROTECTED]>:
> > On Tue, Aug 26, 2008 at 06:04:22PM -0300, Jose Fragoso wrote:
> >> Hi,
> >>
> >> I am running spamd on an OpenBSD 4.1 box with the greyscanner.41 running
> >> every 10 minutes.
> >>
> >> Recently I noticed the following log entry:
> >>
> >> Aug 26 15:47:58 gwint greytrapper[11467]: Trapped 91.82.157.211:
> >> Senders/Tuples ration is  9/8 senders/tuples (> 0.85)
> >>
> >> Now my question is how is it possible for the number of senders to be
> >> greater than the number of tuples? Or should the script display
> >>
> >> 8/9 senders/tuples (> 0.85)
> >
> > The script appears to do it right:
> >
> > my @senders = split("\t", $FROM{$grey});
> > :
> > my $count = @senders;
> > :
> > my %S = undef;
> > :
> > foreach $s(@senders) {
> >   $S{"$s"}++;
> > :
> > }
> > :
> > my $scount = keys %S;
> > :
> >            } elsif ($scount/$count > $MAX_SENDERS_RATIO) {
> >                $reason = "Senders/Tuples ration is  $scount/$count"
> >                    . " senders/tuples (> $MAX_SENDERS_RATIO)";
> >
> > $count is number of tuples for a host and $scount is
> > number of unique From: addresses among these tuples.
> >
> > Senders/Tuples of 9/8 should not be possible.
> > It is a strange bug...
> 
> This is just a totally uninformed wild guess, but would it be possible
> that someone sent the OP an email that somehow has a broken header
> with two From: address lines?

Maybe uninformed and wild, but you may be on the right track...

Since greyscanner.41 analyzes the spamdb database dump, which contains
data from the SMTP conversation before mail content transfer
(only the SMTP envelope "MAIL From:" and "RCPT To:"),
there can be no duplicate From: lines; those are in the mail content.

However...

greyscanner.41 uses the \t (TAB) character to separate the stored
"MAIL From:" addresses in the string $FROM{$grey} per (MTA) host,
and if a broken MTA used a \t character in the "MAIL From:"
envelope line, that might fool greyscanner.41 into seeing more
senders than there are. It depends on whether spamd stores and spamdb
reports such characters...

A bug is possible; it remains to be proven...

On a side note, I use a rewritten greyscanner.41 since I wanted
to enable warnings in Perl (when I did there were lots of them),
and I also found this ugly \t usage and replaced it with \000,
which spamdb should hopefully not be able to output.

> 
> --ropers

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
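An added example (not greyscanner.41 itself and not the poster's rewrite) that runs the quoted counting loop on constructed input: it shows that `my %S = undef;` seeds the hash with an empty-string key, so 8 tuples from 8 distinct senders already count as 9/8, and that a TAB inside a stored address adds a phantom sender, whereas a cleared hash and a \000 separator give the expected counts. This goes beyond what the thread establishes, and `count_fixed` is an assumed shape of the fix, not the poster's code.

```perl
#!/usr/bin/perl
# Added example, not greyscanner.41 itself: reproduce the senders/tuples
# count on constructed input, mirroring the loop quoted in the thread.
use strict;
use warnings;

my $MAX_SENDERS_RATIO = 0.85;

# Count tuples and distinct senders exactly the way the quoted script does.
# "my %S = undef;" seeds the hash with one empty-string key, so "keys %S"
# is one more than the number of distinct senders (Perl warns about it:
# "Odd number of elements in hash assignment").
sub count_quoted {
    my ($from) = @_;
    my @senders = split("\t", $from);
    my $count   = @senders;
    my %S = undef;
    foreach my $s (@senders) { $S{"$s"}++; }
    my $scount = keys %S;
    return ($scount, $count);
}

# Same count with a properly emptied hash and \0 as the separator,
# as the poster's rewritten script does (assumed shape, not his code).
sub count_fixed {
    my ($from) = @_;
    my @senders = split("\0", $from);
    my %S;
    $S{$_}++ for @senders;
    return (scalar(keys %S), scalar(@senders));
}

sub report {
    my ($label, $scount, $count) = @_;
    my $trapped = $scount / $count > $MAX_SENDERS_RATIO ? "TRAPPED" : "ok";
    printf "%-28s %d/%d senders/tuples  %s\n", $label, $scount, $count, $trapped;
}

# Constructed data: 8 tuples from 8 distinct envelope senders.
my @addrs = map { "user$_\@example.net" } 1 .. 8;
report("quoted logic:", count_quoted(join("\t", @addrs)));
report("fixed logic:",  count_fixed(join("\0", @addrs)));

# A TAB inside one stored "MAIL From:" argument splits it into two
# phantom senders under the \t scheme; the \0 separator is unaffected.
my @tainted = (@addrs[0 .. 6], "foo\tbar\@example.org");
report("quoted logic, TAB inside:", count_quoted(join("\t", @tainted)));
report("fixed logic, TAB inside:",  count_fixed(join("\0", @tainted)));
```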
